Forgot your password?
typodupeerror
Security

Remote Exim Exploit In the Wild 90

Posted by kdawson
from the be-careful-out-there dept.
An anonymous reader sends word of a remote exploit in the wild against the Exim mail agent. The news comes on the exim mailing list, where a user posted that he had his exim install hacked via remote exploit giving the attacker the privilege of the mailnull user, which can lead to other possible attacks. A note up at the Internet Storm Center reminds exim users how to set up to run in unprivileged mode, and a commenter includes recompile instructions for Debian exim for added safety. The security press hasn't picked up on this story so far.
This discussion has been archived. No new comments can be posted.

Remote Exim Exploit In the Wild

Comments Filter:
  • Welcome to a week ago. Oh, and security guys -are- picking up on it. Stop following companies/press and start following persons.

  • by gQuigs (913879) on Friday December 10, 2010 @12:20PM (#34514750) Homepage

    http://www.exim.org/lurker/message/20101210.071922.233697ac.en.html [exim.org]

    "Paul Fisher and I have successfully run the exploit against a copy of
    Exim running in a debugger on debian lenny, and we believe it utilizes
    this bug:

    http://bugs.exim.org/show_bug.cgi?id=787 [exim.org]

    It was fixed in 4.70, but not in the version currently in debian
    stable.

    James E. Blair
    UC Berkeley"

  • by Anonymous Coward

    Because sendmail has such a long record of resistance to security bugs :)

  • by domatic (1128127) on Friday December 10, 2010 @12:43PM (#34514954)

    Debian released patches this morning for it.

    exim4 (4.69-9+lenny1) stable-security; urgency=high

        * Non-maintainer upload by the Security Team.
        * Fix SMTP file descriptors being leaked to processes invoked with ${run...}
        * Fix memory corruption issue in string_format(). CVE-2010-4344
        * Fix potential memory pool corruption issue in internal_lsearch_find().

      -- Stefan Fritsch Fri, 10 Dec 2010 13:25:07 +0100

  • I just went digging through my exim install. I have exim-4.72-r1 on Gentoo and it has the fix in it.
    it's actually an old bug, the patch is for 4.69 and is from ~2008

    • by arth1 (260657)

      Yep, gentoo has 4.72, and Fedora 14 has 4.71 -- neither has this incredibly old vulnerability.

      RHEL 5.5 (and CentOS, ScientificLinux and other clones), on the other hand, has an old vulnerable version.

  • [... and there goes my karma :( ]
    Actually, exim was never the thing to do, and yet Debian had it in default.
    Just read the archives, and this has been under discussion ever since. OpenBSD has sendmail, likewise, and this has been under discussion ever since.
    I am totally a FOSS person [and there goes even more karma .( ], hate blobs. I can do with less functionality if only the software is free.
    And some perceive postfix as 'not free enough' and so forth. Whatever, relevant is, that exim has always been a do

    • by Raenex (947668)

      Stop whining about your karma, and learn to format paragraphs.

    • Impossible to configure? No, not really, even in v3. It is actually pretty nice to use if you have a complicated configuration.

    • Who cares about the default? This isn't a desktop clock, it's a mail server - you're supposed to search and read about at least the most well known alternatives.

    • by headLITE (171240)

      Heh. I never thought exim was hard to configure. Some things are a lot easier in exim 4 than in postfix. On the other hand, I used to edit sendmail.cf without m4 back in the day and didn't think of that as particularly hard either.

    • by fusiongyro (55524)

      m4 is no more a compiler than sed is. It's just a text macro expander, and it's not particularly complex. It takes about ten minutes to learn how it works, and if you're trying to configure sendmail or use autoconf, you owe it to yourself to spend the ten minutes.

      The problem with sendmail is sendmail, not m4. It certainly needs too much configuration and its configuration is certainly too finicky, but that's a separate problem.

    • by julesh (229690)

      Whatever, relevant is, that exim has always been a dog, almost impossible to configure, and finally with 4.0 changed the style of its configuration.

      I'll admit to not having used exim pre v4, but when I switched to it some years back I found it quite easy to configure, and yet with a powerful enough configuration system that I could do what I needed to do (set up domain/user tables to come from an existing database) without any real hassle.

      Dunno what people complain about, really. Perhaps they're too scare

      • by amorsen (7485)

        The only problem with exim configuration is that they're trying very hard to pretend that the acl part isn't programming. Traditional if then else would be a lot easier to read by everyone who can handle shell scripting, and if you can't handle shell scripting you aren't likely to handle an obscure language with side-effects based on boolean short-circuit evaluation.

        You can get very far without touching the acl's, but those are what makes exim more capable than most other MTA's.

  • by Curunir_wolf (588405) on Friday December 10, 2010 @01:45PM (#34515602) Homepage Journal
    I don't really get all the hate for Exim. I've been using it exclusively on mail servers for about 10 years, and I've never had a problem. I do remember going through a lot of reading and learning (and sometimes experimenting) the first few times I set it up (and of course when implementing a major feature change). But, for me, the task was less daunting than the alternatives. I don't really remember whether postfix was one of those alternatives I explored at the time, but now that I'm familiar with Exim, I see no reason to change.
    • by smclean (521851)
      I agree.. I've used exim a lot on quite a few servers, with some advanced features, and it's been great. I've also done a lot of sendmail, qmail (back in the day) & postfix. Call me crazy but I don't really have a strong preference between sendmail, exim and postfix (qmail is just too dated now).
    • by lanner (107308)

      I was not aware that there was EXIM haters. It's a good mailer. I doubt anyone who was ever forced to configure sendmail will say otherwise.

      • by h4rr4r (612664)

        Indeed. Due to support from another mail product we run we had to go from postfix to sendmail. A sad day in my life. Sendmail is not bad, just when you need a script to write config files your config files are too complicated. Looking at you GRUB2, when I say that.

        • by caseih (160668)

          Sendmail has one redeeming feature: milters. Postfix is only now starting to support sendmail-compatible milter filters. The ability to filter and discard spam at the connection level is, my opinion, better and cleaner than hackish solutions like amavisd.

          • by dwmw2 (82)

            Whereas Exim doesn't *need* milters because it's sufficiently capable all by itself.

            I once had a Postfix advocate look over my Exim config to see if he make Postfix do what Exim can do. He gave up.

          • Sendmail has one redeeming feature: milters.

            Another very cool feature is throttling by cpu load (envious postfix user here).

      • The parent conjured up "Exim haters" out of thin air, but it's really a fiction. There is nothing that warrants such a label.

        Sure, we all have our own preferences for MTAs, and we even complain occasionally about particular features or unhelpful config styles, but that's the same for all applications. Sendmail's config is of course a joke, but that's an old MTA and shouldn't be compared with any of the modern ones like Exim, qmail, Postfix, etc.

        All MTAs have their proponents, but "MTA haters" really don't

    • I've been running Exim on two servers for the past 5 years now. Never had a problem either.

  • by dskoll (99328) on Friday December 10, 2010 @04:52PM (#34517964)

    Bet you never thought you'd read that in response to a security announcement. :)

"For the man who has everything... Penicillin." -- F. Borquin

Working...