Raft of Exim Security Holes Allow Linux Mail Server Takeovers

A veritable cornucopia of security vulnerabilities in the Exim mail server have been uncovered, some of which could be chained together for unauthenticated remote code execution (RCE), gaining root privileges and worm-style lateral movement, according to researchers.

The Qualys Research Team has discovered a whopping 21 bugs in the popular mail transfer agent (MTA), which was built to send and receive email on major Unix-like operating systems. It comes pre-installed on Linux distributions such as Debian, for instance.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” a LIVE roundtable event on Wednesday, May 12 at 2:00 PM EDT for this FREE webinar sponsored by Zoho ManageEngine.

“MTAs are interesting targets for attackers because they are usually accessible over the internet,” according to the Qualys analysis, issued on Tuesday. “Once exploited, they could modify sensitive email settings on the mail servers, allow adversaries to create new accounts on the target mail servers,” Qualys Senior Manager of Vulnerabilities Bharat Jogi said in a post.

Researchers said that according to a Shodan search, nearly 4 million Exim servers are directly exposed to the internet.

Out of the 21 vulns, which Qualys collectively dubbed “21 Nails,” 10 of them can be exploited remotely. And, most of them can be exploited in either default configuration or “in a very common configuration,” according to Qualys. Also, most of them affect all versions of Exim going back to its inception in 2004.

“Exim Mail Servers are used so widely and handle such a large volume of the internet’s traffic that they are often a key target for hackers,” Jogi said, noting that last year, a vulnerability in Exim was a target of the Russian advanced persistent threat (APT) known as Sandworm.

He added, “The 21 vulnerabilities we found are critical as attackers can remotely exploit them to gain complete root privileges on an Exim system – allowing compromises such as a remote attacker gaining full root privileges on the target server and executing commands to install programs, modify data, create new accounts and change sensitive settings on the mail servers. It’s imperative that users apply patches immediately.”

Exim Patching Status

Qualys researchers wrote and tested the patches, Jogi told Threatpost; and the “official” patches from Exim are modified versions of those (those interested can review both for reference and comparison). Exim provided packagers and maintainers (including distros@openwall) with access to its security Git repository for updates.

As far as the patching status for various Linux distributions goes, Jogi said that the most widely used (CentOS, RHEL and SuSE), have already rolled out fixes. Debian, meanwhile, isn’t vulnerable in the “oldstable” (codename Stretch), “stable” (Buster) or “Still-in-development” (Sid) versions. However, the “unstable” (Bullseye) version is vulnerable – and has not been patched as of the time of writing.

As for other distros, “It’s hard to tell since there are hundreds of distributions, and it’s their responsibility to be up-to-date,” he told Threatpost.

As for in-the-wild exploitation, “we haven’t seen evidence of exploitation of these vulnerabilities first-hand, but given that most of the vulnerabilities were introduced as far back 2004, there is good chance they could be exploited by nation-state actors,” he added.

21 Nails Exim Vulnerability List

The remotely exploitable bugs are:

• CVE-2020-28017: Integer overflow in receive_add_recipient()
• CVE-2020-28020: Integer overflow in receive_msg()
• CVE-2020-28023: Out-of-bounds read in smtp_setup_msg()
• CVE-2020-28021: New-line injection into spool header file
• CVE-2020-28022: Heap out-of-bounds read and write in extract_option()
• CVE-2020-28026: Line truncation and injection in spool_read_header()
• CVE-2020-28019: Failure to reset function pointer after BDAT error
• CVE-2020-28024: Heap buffer underflow in smtp_ungetc()
• CVE-2020-28018: Use-after-free in tls-openssl.c
• CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()

These are the local bugs:

• CVE-2020-28007: Link attack in Exim’s log directory
• CVE-2020-28008: Assorted attacks in Exim’s spool directory
• CVE-2020-28014: Arbitrary file creation and clobbering
• CVE-2021-27216: Arbitrary file deletion
• CVE-2020-28011: Heap buffer overflow in queue_run()
• CVE-2020-28010: Heap out-of-bounds write in main()
• CVE-2020-28013: Heap buffer overflow in parse_fix_phrase()
• CVE-2020-28016: Heap out-of-bounds write in parse_fix_phrase()
• CVE-2020-28015: New-line injection into spool header file
• CVE-2020-28012: Missing close-on-exec flag for privileged pipe
• CVE-2020-28009: Integer overflow in get_stdinput()

According to the advisory, an unauthenticated, remote attacker could chain some of these together to create a potentially wormable exploit that would result in privilege escalation to root, resulting in the ability to execute commands to install programs, modify data and create new accounts.

Technical Dive into 21 Nails: RCE Issues

Qualys is not releasing any full proof-of-concept exploits; however, it did provide various code blocks and plenty of technical details within its analysis.

Researchers said that the CVE-2020-28018 use-after-free bug is the most powerful vulnerability out of the 21. It’s exploitable if the Exim server is built with OpenSSL; and if STARTTLS is enabled and if PIPELINING is enabled (the default); and if X_PIPE_CONNECT is disabled (the default before Exim 4.94).

It affects the tls_write() in tls-openssl.c function, according to Qualys, and can be exploited in various ways by remote attackers using a struct gstring (server_corked) and its string buffer (server_corked->s):

1. Overwrite the string buffer (which is sent by tls_write()) and create an information leak by leaking pointers to the heap;
2. Overwrite the struct gstring (with an arbitrary string pointer and size) and transform the use-after-free into a read-what-where primitive: It’s possible to then read the heap to locate Exim’s configuration;
3. Once the write-what-where primitive is achieved, attackers can overwrite Exim’s configuration with an arbitrary “${run{command}}” that is executed by expand_string() as an unprivileged, basic “exim” user.

Another of the vulnerabilities of note is CVE-2020-28020, an integer overflow that allows an unauthenticated remote attacker to execute arbitrary commands as the “exim” user and snoop data.

It exists in the in receive_msg() function, researchers said, and while powerful, it’s also the most difficult to exploit out of the 21 Nails group, and requires three separate mails to be sent to a target within the same SMTP session.

“By default, Exim limits the size of a mail header to 1MB,” according to the advisory. “Unfortunately, an attacker can bypass this limit by sending only continuation lines (i.e., ‘\n’ followed by ‘ ‘ or ‘\t’), thereby overflowing the integer header_size.”

However, “when the integer header_size overflows, it becomes negative…but we cannot exploit the resulting back-jump…because the free size of the current memory block also becomes negative…which prevents us from writing to this back-jumped memory block,” researchers explained. “To overflow the integer header_size, we must send 1GB to Exim: Consequently, our exploit must succeed after only a few tries (in particular, we cannot brute-force ASLR).”

Either of these vulnerabilities can be used by unauthenticated attackers to gain initial access as an “exim” user on the mail server. Once that’s achieved, a bouquet of local privilege escalation (LPE) flaws are on offer to gain full root privileges.

LPE for Achieving Root Status

The privilege-escalation options include CVE-2020-28007, which allows a link attack in Exim’s log directory.

The Exim binary is set-user-ID-root, and Exim operates as root in its log directory, which belongs to the “exim” user. So, an attacker with the privileges of the “exim” user can create a symlink (or a hardlink) in the log directory, append arbitrary contents to an arbitrary file and escalate permissions, according to Qualys.

Adversaries could also use CVE-2020-28008 for assorted attacks in Exim’s spool directory, researchers noted. These various vectors include: Directly writing to a spool header file (in the “input” subdirectory); creating a long-named file in the “db” subdirectory to overflow a stack-based buffer, or creating a symlink (or a hardlink) in the “db” subdirectory to take ownership of an arbitrary file.

Other options for LPE to root are CVE-2020-28011 and CVE-2020-28013, both heap buffer-overflow issues; CVE-2020-28010 and CVE-2020-28016, both heap out-of-bounds writes; or CVE-2020-28009, an integer overflow in get_stdinput().

Memory-Corruption Bugs Abound

Most of the vulnerabilities in the advisory are easy-to-exploit memory corruptions that can get around various protections such as ASLR, NX and malloc hardening, according to Qualys.

“Exim’s memory allocator…unintentionally provides attackers with powerful exploit primitives,” researchers said. “In particular, if an attacker can pass a negative size to the allocator (through an integer overflow or direct control), then store_get() believes that the current block of memory is large enough (because size is negative), and…as a result, store_get()’s caller can overflow the current block of memory.”

As a result, the next memory allocation can overwrite the beginning of Exim’s heap. This is “a relative write-what-where, which naturally bypasses ASLR (a ‘backward-jump’ or ‘back-jump’),” according to the analysis.

Because of this, some of the bugs in the writeup can be McGyvered to allow arbitrary code execution.

“The beginning of the heap contains Exim’s configuration, which includes various strings that are passed to expand_string() at run time,” researchers explained. “Consequently, an attacker who can back-jump can overwrite these strings with ‘${run{…}}’ and execute arbitrary commands (thus bypassing NX).”

Also of Interest: Authenticated Code Execution as Root

One other interesting bug is CVE-2020-28021, a new-line injection into the spool header file that also allows RCE when chained with other issues.

“An authenticated SMTP client can add an AUTH= parameter to its MAIL FROM command. This AUTH= parameter is decoded by auth_xtextdecode() and the resulting authenticated_sender is written to the spool header file without encoding or escaping,” according to the advisory. “Unfortunately, authenticated_sender can contain arbitrary characters, so an authenticated remote attacker can inject new lines into the spool header file and execute arbitrary commands, as root.”

This vulnerability is particularly problematic for ISPs and mail providers that deploy Exim and offer mail accounts but not shell accounts, researchers added; and, it can be chained with an authentication bypass such as CVE-2020-12783, discovered by Orange Tsai in May 2020, for a full RCE-plus-LPE attack. Further, it can be used for information disclosure.

Join Threatpost for “Fortifying Your Business Against Ransomware, DDoS & Cryptojacking Attacks” – a LIVE roundtable event on** Wed, May 12 at 2:00 PM EDT**. Sponsored by Zoho ManageEngine, Threatpost host Becky Bracken moderates an expert panel discussing best defense strategies for these 2021 threats. Questions and LIVE audience participation encouraged. Join the lively discussion and Register HERE for free.