Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Fri, 10 Dec 2010 09:48:20 +0000 (GMT)
From: Mark J Cox <>
cc: "Steven M. Christey" <>
Subject: Exim remote root

A number of sites are reporting an exim remote root based from this

Quoting David Woodhouse: "There are two bugs here. First a remote exploit 
where the attacker somehow tricks Exim into evaluating data it shouldn't, 
and honouring a ${run {/bin/sh...}} directive which ends up giving the 
attacker a shell (as user 'exim').

Secondly a privilege escalation where the trusted 'exim' user is able to 
tell Exim to use arbitrary config files, in which further ${run ...} 
commands will be invoked as root."

The remote vulnerability is still being investigated.  However it is worth 
allocating the CVE names now to help with co-ordination.

CVE-2010-4344 exim vuln that allows remote code execution as 'exim'
CVE-2010-4345 exim vuln that allows privilege escalation 'exim' to root

A patch for CVE-2010-4345:

Thanks, Mark
Mark J Cox / Red Hat Security Response

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ