This module exploits a remote format string vulnerability in FireFly Media Server by sending a sequence of HTTP requests to the 3689/TCP port.
This module exploits a remote buffer overflow in Firebird SQL by sending a malformed packet to the 3050/TCP port.
The Dovecot documentation contains an example using a dangerous configuration option for Exim, which leads to a remote command execution vulnerability.
The internal string handling functions of the Exim software contain a function called string_format(). The version of this function included with Exim versions prior to 4.70 contains a flaw that can result in a buffer overflow. This module exploits the vulnerability to install an agent. Additionally, this module also attempts to exploit the Alternate Configuration Privilege Escalation Vulnerability in Exim (CVE-2010-4345). If the second exploit is successful, the agent is installed with root privileges.
The internal string handling functions of the Exim software contain a function called string_format(). The version of this function included with Exim versions prior to 4.70 contains a flaw that can result in a buffer overflow. This module exploits the vulnerability to run commands as the "Debian-exim" user. Afterwards, this module attempts to exploit the Alternate Configuration Privilege Escalation Vulnerability (CVE-2010-4345). If the second exploit is successful, an agent is installed with root privileges.
This module is a port to Python of the Metasploit module developed by Qualys for CVE-2015-0235. This module remotely exploits CVE-2015-0235 (a.k.a. GHOST, a heap-based buffer overflow in the GNU C Library's gethostbyname functions) on x86 and x86_64 GNU/Linux systems that run the Exim mail server. Technical information about the exploitation can be found in the original GHOST advisory, and in the source code of this module.

SERVER-SIDE REQUIREMENTS (Exim)

Summary: if this module's "check" or "exploit" method determines that a remote system is vulnerable, it is probably also exploitable.

- The remote system must use a vulnerable version of the GNU C Library: the first exploitable version is glibc-2.6, the last exploitable version is glibc-2.17; older versions might be exploitable too, but this module depends on the newer versions' fd_nextsize (a member of the malloc_chunk structure) to remotely obtain the address of Exim's smtp_cmd_buffer in the heap.
- The remote system must run the Exim mail server: the first exploitable version is exim-4.77; older versions might be exploitable too, but this module depends on the newer versions' 16-KB smtp_cmd_buffer to reliably set up the heap as described in the GHOST advisory.
- The remote Exim mail server must be configured to perform extra security checks against its SMTP clients: either the helo_try_verify_hosts or the helo_verify_hosts option must be enabled; the "verify = helo" ACL might be exploitable too, but is unpredictable and therefore not supported by this module.

CLIENT-SIDE REQUIREMENTS (Impact)

Summary: this module's "exploit" method requires the SENDER_HOST_ADDRESS option to be set to the IPv4 address of the SMTP client (Impact), as seen by the SMTP server (Exim); additionally, this IPv4 address must have both forward and reverse DNS entries that match each other (Forward-Confirmed reverse DNS). The remote Exim server might be exploitable even if the Impact client has no FCrDNS, but this module depends on Exim's sender_host_name variable being set in order to reliably control the state of the remote heap.

TROUBLESHOOTING

- "bad SENDER_HOST_ADDRESS (nil)" failure: the SENDER_HOST_ADDRESS option was not specified.
- "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)" failure: the SENDER_HOST_ADDRESS option was specified, but not in IPv4 dotted-decimal notation.
- "bad SENDER_HOST_ADDRESS (helo_verify_hosts)" or "bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)" failure: the SENDER_HOST_ADDRESS option does not match the IPv4 address of the SMTP client (Impact), as seen by the SMTP server (Exim).
- "bad SENDER_HOST_ADDRESS (no FCrDNS)" failure: the IPv4 address of the SMTP client (Impact) has no Forward-Confirmed reverse DNS.
- "not vuln? old glibc? (no leaked_arch)" failure: the remote Exim server is either not vulnerable, or not exploitable (glibc versions older than glibc-2.6 have no fd_nextsize member in their malloc_chunk structure).
- "NUL, CR, LF in addr? (no leaked_addr)" failure: Exim's heap address contains bad characters (NUL, CR, LF) and was therefore mangled during the information leak; this exploit is able to reconstruct most of these addresses, but not all (the worst-case failure probability is ~1/85, but could be further improved).
- "Brute-force SUCCESS" followed by a nil reply, but no shell: the remote Unix command was executed, but spawned a bind shell or a reverse shell that failed to connect (maybe because of a firewall, a NAT, etc.).
- "Brute-force SUCCESS" followed by a non-nil reply, and no agent: the remote Unix command was executed, but failed to install an agent (maybe because the setsid command doesn't exist, or awk isn't gawk, or netcat doesn't support the -6 or -e option, or telnet doesn't support the -z option, etc.).
This module exploits a format string vulnerability in EMC NetWorker by sending a crafted packet to the nsrd RPC service.
This module exploits a remote PHP code injection vulnerability in Elastix PBX by uploading a renamed PHP file and leveraging a local file inclusion vulnerability to execute the PHP file. It also exploits a bad configuration in the /etc/sudoers file to elevate privileges from 'asterisk' user to 'root'.
Distcc, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks. This module exploits the vulnerability to install an agent.
ISC DHCPD versions 3.0.1rc12 and 3.0.1rc13 contain an exploitable buffer overflow. This exploit abuses the buffer overflow to create a format-string-like vulnerability, which in turn is used to write all the agent code to a known location and then overwrite a GOT entry with a pointer to that code. The dhcpd service doesn't fork; hence, if any of the numbers which must be guessed are missed, the service will die. There are mainly two values which must be guessed: the direct parameter access number for the format string, which is hardcoded to 42 and, if wrong, will surely make the service crash; and the GOT address, which, if missed, may make the service crash, but more likely will just make the exploit fail. This exploit first tries all the known GOT addresses corresponding to default installations and RPMs (see supported system notes). If these addresses fail to install the agent, the exploit will finish unsuccessfully.