CVE-2016-1531
published 2016-04-07

CVE-2016-1531: Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.

Priority: P3 (high)
CVSS 3.0: 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: available
EPSS: 5.90% (92.3rd percentile)

Affected (2 ranges)

Vendor   Product   Version range                    Fixed in
debian   exim4     < exim4 4.86.2-1 (bookworm)      exim4 4.86.2-1 (bookworm)
exim     exim      <= 4.86                          (not stated)

Detection & IOCs (extracted from sources)

command: PERL5OPT=-d PERL5DB='exec "<payload>"' exim -ps 2>&-
command: PERL5OPT="-d/dev/null" /usr/sbin/sendmail.exim -ps victim@localhost
command: PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
path: /tmp/root.pm
path: /usr/sbin/exim
path: /usr/exim/bin/exim
  • Alert on creation of /tmp/root.pm, the malicious Perl module dropped by the shell-script PoC exploit for CVE-2016-1531.
  • Monitor for the PERL5DB environment variable being set on exim process invocations, particularly when it contains 'exec'; this is the Metasploit technique for arbitrary command execution.
  • Check whether the Exim binary is setuid root and compiled with Perl support; both conditions are required for exploitation.
  • Verify the Exim configuration for the presence of the 'perl_startup' directive; exploitation requires this option to be set in /etc/exim/exim.conf or /etc/exim4/exim.conf.
  • Audit Exim Perl support at runtime with 'exim -bV -v | grep -i Perl'; 'Perl' among the support flags indicates the binary is vulnerable if perl_startup is configured.
  • Exploitation requires 'perl_startup' to be defined in the Exim main configuration file. Default configurations without this directive are NOT vulnerable.
  • The file referenced by perl_startup does not need to exist on disk for the vulnerability to be exploitable; only the path must be specified in the config.
  • The Ubuntu fix introduces full execution-environment cleaning on Exim startup (including subprocesses/transports). This may break existing installations; use the new 'keep_environment' and 'add_environment' config options to adjust.
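The three preconditions listed above (setuid-root binary, Perl support, perl_startup in the main configuration) turned into a small audit helper. This is added example code, not from cvebase, the Exim project or any of the cited sources; it assumes the upstream `exim -bV` layout (an 'Exim version X.Y' line and a 'Support for:' line) and that perl_startup appears in the main section before the first `begin` keyword.

```python
import os
import re
import stat

FIXED_VERSION = (4, 86, 2)  # first upstream release with the fix, per the record above


def is_setuid_root(path):
    """True if the file at `path` is owned by root and carries the setuid bit."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def parse_bv(bv_output):
    """Return (version tuple or None, set of support flags) from `exim -bV` text.
    Assumed layout: an 'Exim version X.Y' line and a 'Support for:' line;
    Debian-style version strings such as '4.86_2' are accepted too."""
    m = re.search(r"^Exim version (\d+(?:[._]\d+)*)", bv_output, re.M)
    version = tuple(int(p) for p in re.split(r"[._]", m.group(1))) if m else None
    m = re.search(r"^Support for:\s*(.*)$", bv_output, re.M)
    support = set(m.group(1).split()) if m else set()
    return version, support


def config_has_perl_startup(config_text):
    """True if the main section of the configuration sets perl_startup.
    Comments and blank lines are skipped; scanning stops at the first
    'begin <section>' line because perl_startup is a main-section option."""
    for line in config_text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            continue
        if s.startswith("begin "):
            break
        if re.match(r"perl_startup\s*=", s):
            return True
    return False


def assess(setuid_root, bv_output, config_text):
    """Combine the advisory's preconditions into a dict of findings. `setuid_root`
    is is_setuid_root(binary), passed in so captured output can be checked offline."""
    version, support = parse_bv(bv_output)
    findings = {
        "setuid_root": setuid_root,
        "perl_support": "Perl" in support,
        "perl_startup_configured": config_has_perl_startup(config_text),
        # Distributions backport fixes, so an old version number is only a hint.
        "version_before_fix": version is not None and version < FIXED_VERSION,
    }
    findings["exploitable"] = all(findings[k] for k in ("setuid_root", "perl_support", "perl_startup_configured"))
    return findings
```

Run it against `exim -bV` output captured from the host and the main configuration file; the setuid check uses os.stat on the binary path, so it needs no privileges.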

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.0      7.0     HIGH       CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      6.9     MEDIUM     AV:L/AC:M/Au:N/C:C/I:C/A:C
osv             -         7.0     HIGH       -
vendor_debian   -         7.0     HIGH       -
vendor_redhat   -         7.0     HIGH       -
vendor_ubuntu   -         4.6     MEDIUM     -