CVE-2010-4345
Published 2010-12-14
CVE-2010-4345: Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with…
Priority: P1 (81) · Severity: high · CVSS 3.1: 7.8
CVSS vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerabilitydue 2022-04-15
Exploited in the wild
EPSS: 17.79% (96.8th percentile)
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | exim4 | < exim4 4.72-3 (bookworm) | exim4 4.72-3 (bookworm) |
| exim | exim | <= 4.72 | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
Detection & IOCs (extracted from sources)
- Monitor for Exim process invoked with the -C flag (alternate config file) running as root or the exim/Debian-exim user; this is the core exploitation primitive for CVE-2010-4345.
- Alert on Exim spawning a Perl interpreter child process, especially when Perl is used to write and execute a payload script in a temp directory; this is indicative of the two-stage privilege escalation chain.
- Detect use of the spool_directory directive in non-standard/alternate Exim config files, which is the demonstrated method for embedding arbitrary commands.
- Audit the /etc/exim4/trusted_configs file and flag any config files not owned by root that are being passed via -C, as post-patch bypass attempts may target this mechanism.
- CVE-2010-4345 was chained with CVE-2010-4344 (heap overflow in string_vformat) in real-world attacks; detection of the heap overflow exploit (oversized SMTP message triggering rejection logging) should also trigger investigation for the local privilege escalation follow-on.
- After patching, Exim no longer runs alternate config files specified with -C as root by default. Legitimate use of -C for root-privileged operations now requires the target config file to be listed in /etc/exim4/trusted_configs AND owned by root.
- The -D option (macro definitions) also no longer runs as root post-patch; macro definitions requiring root privileges must be moved into trusted configuration files.
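The -C and -D checks above, written out as a small audit over process records. This is an added example and not code from the page's sources or from the Exim project; the process lines, the trusted_configs contents and the file-ownership table are constructed stand-ins (a real run would read /etc/exim4/trusted_configs and os.stat() each path), and the post-patch rule it encodes is the one stated above: a -C file is only trusted if it is listed in trusted_configs and owned by root.

```python
import os
import shlex

# Constructed sample process records ("user command line"); not real telemetry.
PROCESS_LINES = [
    "root /usr/sbin/exim4 -bd -q30m",
    "Debian-exim /usr/sbin/exim4 -C /var/tmp/alt.conf -q",
    "Debian-exim /usr/sbin/exim4 -C/etc/exim4/exim4.conf -bp",
    "Debian-exim /usr/sbin/exim4 -DMAIN_LOG_SELECTOR=+all -q",
    "www-data /usr/bin/perl /tmp/stage.pl",
]
# Constructed stand-ins for /etc/exim4/trusted_configs and for file ownership
# (a real deployment would read the file and os.stat() each path instead).
TRUSTED_CONFIGS = {"/etc/exim4/exim4.conf"}
OWNER_OF = {"/etc/exim4/exim4.conf": "root", "/var/tmp/alt.conf": "Debian-exim"}
EXIM_USERS = {"exim", "Debian-exim"}


def alt_config_path(argv):
    """Return the file passed via -C, accepting both '-C path' and '-Cpath'."""
    for i, arg in enumerate(argv):
        if arg == "-C" and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("-C") and len(arg) > 2:
            return arg[2:]
    return None


def config_is_trusted(path, trusted=TRUSTED_CONFIGS, owner_of=OWNER_OF):
    """Post-patch rule: the file must be listed in trusted_configs AND owned by root."""
    return path in trusted and owner_of.get(path) == "root"


def audit(lines, trusted=TRUSTED_CONFIGS, owner_of=OWNER_OF):
    """Return (user, reason, detail) findings for suspicious Exim invocations."""
    findings = []
    for line in lines:
        user, _, cmdline = line.partition(" ")
        argv = shlex.split(cmdline)
        if not argv or "exim" not in os.path.basename(argv[0]):
            continue  # only Exim binaries are of interest here
        cfg = alt_config_path(argv[1:])
        if cfg is not None and not config_is_trusted(cfg, trusted, owner_of):
            findings.append((user, "untrusted -C config", cfg))
        macros = [a for a in argv[1:] if a.startswith("-D")]
        if macros and user in EXIM_USERS:
            findings.append((user, "-D macro override by exim user", " ".join(macros)))
    return findings
```

Running audit(PROCESS_LINES) flags the /var/tmp/alt.conf invocation and the -D override, and stays silent on the root-owned trusted config.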
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 7.8 | HIGH | — |
| vulncheck | — | 7.8 | HIGH | — |
| cisa | — | 7.8 | HIGH | — |
| vendor_debian | — | 7.8 | HIGH | — |
| vendor_redhat | — | 7.8 | HIGH | — |
| vendor_ubuntu | — | 4.4 | MEDIUM | — |
CISA
Exim Privilege Escalation Vulnerability
cisa·2022-03-25·CVSS 7.8
CVE-2010-4345 [HIGH] CWE-264 Exim Privilege Escalation Vulnerability
Vulnerability: Exim Privilege Escalation Vulnerability
Affected: Exim Exim
Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-4345
Remediation Due Date: 2022-04-15
Ubuntu
Exim vulnerabilities
vendor_ubuntu·2011-02-10·CVSS 4.4
CVE-2010-2023 [MEDIUM] Exim vulnerabilities
Title: Exim vulnerabilities
It was discovered that Exim contained a design flaw in the way it processed alternate configuration files. An attacker that obtained privileges of the "Debian-exim" user could use an alternate configuration file to obtain root privileges. (CVE-2010-4345)

It was discovered that Exim incorrectly handled certain return values when handling logging. An attacker that obtained privileges of the "Debian-exim" user could use this flaw to obtain root privileges. (CVE-2011-0017)

Dan Rosenberg discovered that Exim incorrectly handled writable sticky-bit mail directories. If Exim were configured in this manner, a local user could use this flaw to cause a denial of service or possibly gain privileges. This issue only applied to Ubuntu 6.06 LTS, 8.04 LTS, 9.10, and 10.04 L
Red Hat
exim: privilege escalation
vendor_redhat·2010-12-07·CVSS 7.8
CVE-2010-4345 [HIGH] CWE-78 exim: privilege escalation
exim: privilege escalation
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
Debian
CVE-2010-4345: exim4 - Exim 4.72 and earlier allows local users to gain privileges by leveraging the ab...
vendor_debian·2010·CVSS 7.8
CVE-2010-4345 [HIGH] CVE-2010-4345: exim4 - Exim 4.72 and earlier allows local users to gain privileges by leveraging the ab...
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
Scope: local
bookworm: resolved (fixed in 4.72-3)
bullseye: resolved (fixed in 4.72-3)
forky: resolved (fixed in 4.72-3)
sid: resolved (fixed in 4.72-3)
trixie: resolved (fixed in 4.72-3)
GHSA
GHSA-qq6c-p3fx-6qcx: Exim 4
ghsa_unreviewed·2022-05-13
CVE-2010-4345 [MEDIUM] CWE-77 GHSA-qq6c-p3fx-6qcx: Exim 4
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
OSV
CVE-2010-4345: Exim 4
osv·2010-12-14·CVSS 7.8
CVE-2010-4345 [HIGH] CVE-2010-4345: Exim 4
Exim 4.72 and earlier allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands, as demonstrated by the spool_directory directive.
VulnCheck
Exim Privilege Escalation Vulnerability
vulncheck·2010·CVSS 7.8
CVE-2010-4345 [HIGH] CWE-264 Exim Privilege Escalation Vulnerability
Exim Privilege Escalation Vulnerability
Exim allows local users to gain privileges by leveraging the ability of the exim user account to specify an alternate configuration file with a directive that contains arbitrary commands.
Affected: Exim Exim
Required Action: Apply updates per vendor instructions.
Exploitation References: https://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-15
No detection rules found.
Exploit-DB
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)
exploitdb·2010-12-16
CVE-2010-4345 Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)
This module exploits a heap buffer overflow within versions of Exim prior to version 4.69. By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon. The root cause is that no check is made to ensure that the buffer is not full prior to handling '%s' format specifiers within the 'string_vformat' function. In order to trigger this issue, we get our message rejected by sending a message that is too large. This will call into log_write to log rejection headers (which is a default configuration setting). After filling the buffer, a long header string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL FROM' command. By sending a second message, the string we sent will be evaluat
Metasploit
Exim4 string_format Function Heap Buffer Overflow
metasploit·CVSS 7.8
[HIGH] Exim4 string_format Function Heap Buffer Overflow
Exim4 string_format Function Heap Buffer Overflow
This module exploits a heap buffer overflow within versions of Exim prior to version 4.69. By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon. The root cause is that no check is made to ensure that the buffer is not full prior to handling '%s' format specifiers within the 'string_vformat' function. In order to trigger this issue, we get our message rejected by sending a message that is too large. This will call into log_write to log rejection headers (which is a default configuration setting). After filling the buffer, a long header string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL FROM' command. By sending a second message, t
Bugzilla
CVE-2010-4345 exim privilege escalation [fedora-all]
bugzilla·2011-01-07·CVSS 7.8
CVE-2010-4345 [HIGH] CVE-2010-4345 exim privilege escalation [fedora-all]
CVE-2010-4345 exim privilege escalation [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=662012
Please note: this issue affects multiple supported versions of
Bugzilla
CVE-2010-4345 exim: privilege escalation
bugzilla·2010-12-10·CVSS 7.8
CVE-2010-4345 [HIGH] CVE-2010-4345 exim: privilege escalation
CVE-2010-4345 exim: privilege escalation
See bug #661756
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
"Secondly a privilege escalation where the trusted 'exim' user is able to tell Exim to use arbitrary config files, in which further ${run ...} commands will be invoked as root.
The latter should be addressed by the patch at http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html"
Discussion:
http://bugs.exim.org/show_bug.cgi?id=1044
---
http://lists.exim.org/lurker/message/20101212.031058.0a4ca7c2.en.html
I've just pushed a set of patches to
http://git.exim.org/users/dwmw2/exim.git
git://git.exim.org/users/dwmw2/exim.git
They do the following:
- Add Valgrind hooks to the store pools to aid debugging.
- Don't use config files as root if they
Bugzilla
CVE-2010-4344 exim: remote code execution flaw
bugzilla·2010-12-09·CVSS 9.8
CVE-2010-4344 [CRITICAL] CVE-2010-4344 exim: remote code execution flaw
CVE-2010-4344 exim: remote code execution flaw
There is a possible remote root flaw in Exim:
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
We do not currently know more than is contained in this mail. We will
update this bug with further information as it is discovered.
Discussion:
There are two bugs here. First a remote exploit where the attacker somehow tricks Exim into evaluating data it shouldn't, and honouring a ${run {/bin/sh...}} directive which ends up giving the attacker a shell.
Secondly a privilege escalation where the trusted 'exim' user is able to tell Exim to use arbitrary config files, in which further ${run ...} commands will be invoked as root.
The latter should be addressed by the patch at http://lists.exim.org/lurker/message/20101209.172233.ab
References
- http://bugs.exim.org/show_bug.cgi?id=1044
- http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html
- http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
- http://openwall.com/lists/oss-security/2010/12/10/1
- http://secunia.com/advisories/42576
- http://secunia.com/advisories/42930
- http://secunia.com/advisories/43128
- http://secunia.com/advisories/43243
- http://www.cpanel.net/2010/12/critical-exim-security-update.html
- http://www.debian.org/security/2010/dsa-2131
- http://www.debian.org/security/2011/dsa-2154
- http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
- http://www.kb.cert.org/vuls/id/758489
- http://www.metasploit.com/modules/exploit/unix/smtp/exim4_string_format
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- http://www.redhat.com/support/errata/RHSA-2011-0153.html
- http://www.securityfocus.com/archive/1/515172/100/0/threaded
- http://www.securityfocus.com/bid/45341
- http://www.securitytracker.com/id?1024859
- http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
- http://www.ubuntu.com/usn/USN-1060-1
- http://www.vupen.com/english/advisories/2010/3171
- http://www.vupen.com/english/advisories/2010/3204
- http://www.vupen.com/english/advisories/2011/0135
- http://www.vupen.com/english/advisories/2011/0245
- http://www.vupen.com/english/advisories/2011/0364
- https://bugzilla.redhat.com/show_bug.cgi?id=662012
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-4345
Published: 2010-12-14
Added to CISA KEV: 2022-03-25
Exploited in the wild