CVE-2019-10149: the Exim remote command execution vulnerability and early warning analysis-vulnerability warning-the black bar safety net

Recently, security researchers found the Exim mail server there is a remote command execution vulnerability, the vulnerability number CVE-2019-10149 it. The vulnerability in the default configuration may be a local attacker to direct the use, by low-privileged user to execute root command, a remote attacker would need to modify the default configuration. In order to in the default configuration the remote exploitation of the vulnerability, the remote attacker needs and the vulnerability of the server to establish a 7 Day connection every few minutes to send 1 bytes.
360CERT it is determined that the vulnerability affects is wide, can be caused by the local extraction rights and stored in the remote command execution risk, and the harm is more serious, the recommendations of the majority of users timely updated.
Local use
Vulnerability code is in deliver_message()in:
! [](/Article/UploadPic/2019-6/2019613183214133. png)
Code new->address to save the email address of the recipient, if the recipient address is written into the${run{ }}@localhost, you can through expand_string()with root privileges to execute arbitrary commands. expand_string()call to relationship: expand_string->child_open->execv
!
!
Attack effect is as follows:
! [](/Article/UploadPic/2019-6/2019613183214635. png)
Remote use
（1）the default configuration
When the objectives of the Exim server using the default configuration, the attacker needs and the vulnerability of the server to establish the connection 7 days, every few minutes to send 1 byte, and the use of more demanding conditions, the difficulty big. But due to the Exim code is very complex, there may be other more rapid use of the method.
（2）non-default configuration
When the target server using the following configuration, the attacker can be remote command execution
a Administrator manually removed the verify = recipient ACL configuration;
B. The administrator to configure Exim can recognize the recipients user name in the tag, i.e. the@before Section, such as by local_part_suffix=+: -, the attacker can be RCPT TO set to a local user name+${run{…}}@localhost for use;
C. The administrator has configured Exim as secondary MX（Mail eXchange to forward mail to a remote domain, in this case the verify = recipient ACL only checks the remote address of the domain name part, i.e. the@after Section, do not check the label. The attacker can be RCPT TO set to${run{…}}@relay_to_domains be utilized.

0x01 impact version
Impact of Exim 4.87~4.91 version
In 4. 87 version before if manually enabled EXPERIMENTAL_EVENT option, the server also there will be loopholes

0x02 repair recommendations
Update to the latest version 4. 92