Debian DSA-2154-1 : exim4 - privilege escalation - Nessus

Medium   Plugin ID: 51819

This page contains detailed information about the Debian DSA-2154-1 : exim4 - privilege escalation Nessus plugin, including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying this vulnerability.

Plugin Overview


ID: 51819
Name: Debian DSA-2154-1 : exim4 - privilege escalation
Filename: debian_DSA-2154.nasl
Vulnerability Published: N/A
This Plugin Published: 2011-01-31
Last Modification Time: 2022-03-28
Plugin Version: 1.13
Plugin Type: local
Plugin Family: Debian Local Security Checks
Dependencies: ssh_get_info.nasl
Required KB Items [?]: Host/Debian/dpkg-l, Host/Debian/release, Host/local_checks_enabled

Vulnerability Information


Severity: Medium
Vulnerability Published: N/A
Patch Published: 2011-01-30
CVE [?]: CVE-2010-4345, CVE-2011-0017
CPE [?]: cpe:/o:debian:debian_linux:5.0, p-cpe:/a:debian:debian_linux:exim4

Synopsis

The remote Debian host is missing a security-related update.

Description

A design flaw (CVE-2010-4345) in exim4 allowed the local Debian-exim user to obtain root privileges by specifying an alternate configuration file using the -C option or by using the macro override facility (-D option). Unfortunately, fixing this vulnerability is not possible without some changes in exim4's behaviour. If you use the -C or -D options or use the system filter facility, you should evaluate the changes carefully and adjust your configuration accordingly. The Debian default configuration is not affected by the changes.

The detailed list of changes is described in the NEWS.Debian file in the packages. The relevant sections are also reproduced below.

In addition to that, missing error handling for the setuid/setgid system calls allowed the Debian-exim user to cause root to append log data to arbitrary files (CVE-2011-0017).

Solution

For the stable distribution (lenny), these problems have been fixed in version 4.69-9+lenny3.

Excerpt from the NEWS.Debian file from the packages exim4-daemon-light and exim4-daemon-heavy :

Exim versions up to and including 4.72 are vulnerable to CVE-2010-4345. This is a privilege escalation issue that allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option. The macro override facility (-D) might also be misused for this purpose.

In reaction to this security vulnerability upstream has made a number of user visible changes. This package includes these changes. If exim is invoked with the -C or -D option the daemon will not regain root privileges through re-execution. This is usually necessary for local delivery, though. Therefore it is generally not possible anymore to run an exim daemon with -D or -C options.

However this version of exim has been built with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs. TRUSTED_CONFIG_LIST defines a list of configuration files which are trusted; if a config file is owned by root and matches a pathname in the list, then it may be invoked by the Exim build-time user without Exim relinquishing root privileges.

As a hotfix to not break existing installations of mailscanner we have also set WHITELIST_D_MACROS=OUTGOING, i.e. it is still possible to start exim with -DOUTGOING while being able to do local deliveries. If you previously were using -D switches you will need to change your setup to use a separate configuration file. The '.include' mechanism makes this easy.

The system filter is run as exim_user instead of root by default. If your setup requires root privileges when running the system filter you will need to set the system_filter_user exim main configuration option.
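The trusted-config rule in the excerpt above (a file listed in /etc/exim4/trusted_configs is honoured with root privileges only if it is owned by root) is straightforward to audit on a host after the update. The following is an added example written for this page; it is not code from the advisory, from Debian or from Exim. It assumes the list file holds one absolute pathname per line, treats blank lines and lines starting with '#' as ignorable (an assumption, not something the advisory states), and adds a group/other-writable check as an extra hardening step beyond the root-ownership rule the advisory gives. The stat data is constructed so the example runs offline; on a live host the default falls back to os.stat.

```python
import os
import stat
from collections import namedtuple

# Stand-in for os.stat_result with the two fields the audit needs (constructed for this example).
FakeStat = namedtuple("FakeStat", "st_uid st_mode")


def parse_trusted_list(text):
    """Return the pathnames listed in a trusted_configs file.

    Assumption (not stated in the advisory): blank lines are ignored and
    lines starting with '#' are treated as comments.
    """
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("#")]


def audit_trusted_configs(list_text, stat_of=None):
    """Check every listed config against the rule the advisory states (the file
    must be owned by root to be run with root privileges). Also flags files that
    are writable by group or others, an added hardening check not taken from the
    advisory. stat_of(path) returns a stat-like object or None if the file is
    missing; it defaults to os.stat so the function works on a live host."""
    if stat_of is None:
        def stat_of(path):
            try:
                return os.stat(path)
            except FileNotFoundError:
                return None
    findings = []
    for path in parse_trusted_list(list_text):
        st = stat_of(path)
        if st is None:
            findings.append((path, "listed but missing"))
        elif st.st_uid != 0:
            findings.append((path, "not owned by root (uid %d)" % st.st_uid))
        elif st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((path, "writable by group or others"))
    return findings


# Constructed sample: a trusted_configs file plus fake stat data for its entries.
SAMPLE_TRUSTED_LIST = """\
# local trusted configs (constructed example)
/etc/exim4/exim4.conf.template
/var/lib/mailscanner/exim.conf.out
/home/bob/exim.conf
/etc/exim4/shared.conf
"""

SAMPLE_STATS = {
    "/etc/exim4/exim4.conf.template": FakeStat(st_uid=0, st_mode=0o100644),
    # /var/lib/mailscanner/exim.conf.out is deliberately absent: listed but missing
    "/home/bob/exim.conf": FakeStat(st_uid=1001, st_mode=0o100644),
    "/etc/exim4/shared.conf": FakeStat(st_uid=0, st_mode=0o100664),
}


def sample_findings():
    """Run the audit over the constructed sample data."""
    return audit_trusted_configs(SAMPLE_TRUSTED_LIST, SAMPLE_STATS.get)


if __name__ == "__main__":
    for path, problem in sample_findings():
        print(f"{path}: {problem}")
```

A clean run returns an empty list; each finding names the listed path and why Exim would not (or should not) run it with root privileges. The injectable stat_of keeps the check testable without touching the real filesystem.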

Public Exploits


Target Network Port(s): N/A
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the Debian DSA-2154-1 : exim4 - privilege escalation vulnerability:

  1. Metasploit: exploit/unix/smtp/exim4_string_format
    [Exim4 string_format Function Heap Buffer Overflow]
  2. Exploit-DB: exploits/linux/remote/16925.rb
    [EDB-16925: Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)]

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information


CVSS V2 Vector [?]: AV:L/AC:M/Au:N/C:C/I:C/A:C
CVSS Base Score: 6.9 (Medium)
Impact Subscore: 10.0
Exploitability Subscore: 3.4
CVSS Temporal Score: NA (None)
CVSS Environmental Score: NA (None)
Modified Impact Subscore: NA
Overall CVSS Score: 6.9 (Medium)


Plugin Source


This is the debian_DSA-2154.nasl Nessus plugin source code. This script is Copyright (C) 2011-2022 and is owned by Tenable, Inc. or an Affiliate thereof.

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were  
# extracted from Debian Security Advisory DSA-2154. The text 
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(51819);
  script_version("1.13");
  script_set_attribute(attribute:"plugin_modification_date", value:"2022/03/28");

  script_cve_id("CVE-2010-4345", "CVE-2011-0017");
  script_xref(name:"DSA", value:"2154");
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/04/15");

  script_name(english:"Debian DSA-2154-1 : exim4 - privilege escalation");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"A design flaw (CVE-2010-4345 ) in exim4 allowed the local Debian-exim
user to obtain root privileges by specifying an alternate
configuration file using the -C option or by using the macro override
facility (-D option). Unfortunately, fixing this vulnerability is not
possible without some changes in exim4's behaviour. If you use the -C
or -D options or use the system filter facility, you should evaluate
the changes carefully and adjust your configuration accordingly. The
Debian default configuration is not affected by the changes.

The detailed list of changes is described in the NEWS.Debian file in
the packages. The relevant sections are also reproduced below.

In addition to that, missing error handling for the setuid/setgid
system calls allowed the Debian-exim user to cause root to append log
data to arbitrary files (CVE-2011-0017 ).");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2010-4345");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2011-0017");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2011/dsa-2154");
  script_set_attribute(attribute:"solution", value:
"For the stable distribution (lenny), these problems have been fixed in
version 4.69-9+lenny3.

Excerpt from the NEWS.Debian file from the packages exim4-daemon-light
and exim4-daemon-heavy :

Exim versions up to and including 4.72 are vulnerable to
CVE-2010-4345. This is a privilege escalation issue that allows the
exim user to gain root privileges by specifying an alternate
configuration file using the -C option. The macro override facility
(-D) might also be misused for this purpose. In reaction to this
security vulnerability upstream has made a number of user visible
changes. This package includes these changes. If exim is invoked with
the -C or -D option the daemon will not regain root privileges through
re-execution. This is usually necessary for local delivery, though.
Therefore it is generally not possible anymore to run an exim daemon
with -D or -C options. However this version of exim has been built
with TRUSTED_CONFIG_LIST=/etc/exim4/trusted_configs.
TRUSTED_CONFIG_LIST defines a list of configuration files which are
trusted; if a config file is owned by root and matches a pathname in
the list, then it may be invoked by the Exim build-time user without
Exim relinquishing root privileges. As a hotfix to not break existing
installations of mailscanner we have also set
WHITELIST_D_MACROS=OUTGOING. i.e. it is still possible to start exim
with -DOUTGOING while being able to do local deliveries. If you
previously were using -D switches you will need to change your setup
to use a separate configuration file. The '.include' mechanism makes
this easy. The system filter is run as exim_user instead of root by
default. If your setup requires root privileges when running the system
filter you will need to set the system_filter_user exim main
configuration option.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2011/01/30");
  script_set_attribute(attribute:"plugin_publication_date", value:"2011/01/31");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:5.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2011-2022 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}


include("audit.inc");
include("debian_package.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (deb_check(release:"5.0", prefix:"exim4", reference:"4.69-9+lenny3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
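The plugin's entire detection logic is the single deb_check call: read the dpkg package list, find exim4, and report if its version is older than 4.69-9+lenny3. The internals of deb_check live in Tenable's debian_package.inc, which is not shown on this page, so the following is an added example rather than Tenable's code: it reimplements that check in Python using dpkg's own version ordering rules (epoch, upstream version, Debian revision; digit runs compared numerically, '~' sorting before everything) and runs it over constructed dpkg -l output. It assumes the deb_check `prefix` argument is the exact package name to look for, and that the dpkg -l columns are status, name, version, description.

```python
# Constructed `dpkg -l` output in the lenny-era column layout (status, name, version, description).
SAMPLE_DPKG_L = """\
Desired=Unknown/Install/Remove/Purge/Hold
||/ Name                 Version          Description
+++-====================-================-=================================
ii  exim4                4.69-9+lenny2    metapackage to ease Exim MTA (v4) installation
ii  exim4-base           4.69-9+lenny2    support files for all Exim MTA (v4) packages
ii  exim4-daemon-light   4.69-9+lenny2    lightweight Exim MTA (v4) daemon
ii  libc6                2.7-18lenny7     GNU C Library: Shared libraries
"""

DIGITS = "0123456789"


def _order(c):
    """Character weight used by dpkg's ordering: '~' sorts before everything (even
    end of string), letters sort before other characters, digits and end of string are 0."""
    if c == "" or c in DIGITS:
        return 0
    if c == "~":
        return -1
    if c.isascii() and c.isalpha():
        return ord(c)
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg does: alternate runs of non-digits
    (compared character by character via _order) and runs of digits (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        while (i < len(a) and a[i] not in DIGITS) or (j < len(b) and b[j] not in DIGITS):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        while i < len(a) and a[i] == "0":      # leading zeros do not count
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and j < len(b) and a[i] in DIGITS and b[j] in DIGITS:
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i] in DIGITS:       # longer digit run wins
            return 1
        if j < len(b) and b[j] in DIGITS:
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(v):
    """Split [epoch:]upstream[-revision]; a missing epoch is 0 and a missing
    revision compares equal to '0' (that is what the empty string yields in _verrevcmp)."""
    epoch = 0
    if ":" in v:
        e, v = v.split(":", 1)
        epoch = int(e)
    upstream, sep, revision = v.rpartition("-")
    if not sep:
        upstream, revision = v, ""
    return epoch, upstream, revision


def dpkg_compare(a, b):
    """Return -1, 0 or 1 for a < b, a == b, a > b in dpkg version order."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def installed_packages(dpkg_l_output):
    """Yield (name, version) for every line whose status column is 'ii' (installed)."""
    for line in dpkg_l_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "ii":
            yield fields[1].split(":")[0], fields[2]   # drop a ':arch' suffix if present


def find_unpatched(dpkg_l_output, package, fixed_version):
    """Installed packages named `package` whose version is older than `fixed_version`."""
    return [(n, v) for n, v in installed_packages(dpkg_l_output)
            if n == package and dpkg_compare(v, fixed_version) < 0]


if __name__ == "__main__":
    for name, version in find_unpatched(SAMPLE_DPKG_L, "exim4", "4.69-9+lenny3"):
        print(f"{name} {version} is older than the fixed 4.69-9+lenny3 (DSA-2154)")
```

The version ordering matters more than it looks: a naive string or float comparison would call 4.69-9+lenny10 older than 4.69-9+lenny3 and would miss that 4.72~rc1 precedes 4.72, which is exactly the kind of mistake that makes a local check report a patched host as vulnerable or the reverse.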

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/debian_DSA-2154.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\debian_DSA-2154.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/debian_DSA-2154.nasl


How to Run


Here is how to run the Debian DSA-2154-1 : exim4 - privilege escalation plugin as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Debian Local Security Checks plugin family.
  6. On the right side table select Debian DSA-2154-1 : exim4 - privilege escalation plugin ID 51819.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin from the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl debian_DSA-2154.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a debian_DSA-2154.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - debian_DSA-2154.nasl -t <IP/HOST>

Run the plugin using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state debian_DSA-2154.nasl -t <IP/HOST>


References


DSA | Debian Security Advisory

See also: Similar and related Nessus plugins:
  • 51785 - CentOS 4 / 5 : exim (CESA-2011:0153)
  • 51446 - FreeBSD : exim -- local privilege escalation (e4fcf020-0447-11e0-becc-0022156e8794)
  • 72159 - GLSA-201401-32 : Exim: Multiple vulnerabilities
  • 68180 - Oracle Linux 4 / 5 : exim (ELSA-2011-0153)
  • 51562 - RHEL 4 / 5 : exim (RHSA-2011:0153)
  • 60936 - Scientific Linux Security Update : exim on SL4.x, SL5.x i386/x86_64
  • 53657 - openSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • 53715 - openSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • 75481 - openSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • 51954 - Ubuntu 6.06 LTS / 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : exim4 vulnerabilities (USN-1060-1)

Version


This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file debian_DSA-2154.nasl version 1.13. For more plugins, visit the Nessus Plugin Library.
