| 1 |
On Jan 31, 2015 11:57 PM, "Adam Carter" <adamcarter3@×××××.com> wrote: |
| 2 |
> |
| 3 |
> |
| 4 |
>> > Do they need telnet or ssh access, |
| 5 |
>> |
| 6 |
|
| 7 |
Not telnet shell but this could be triggered with telnet/nc or even nmap, |
| 8 |
hping, or tcpreplay - all of which could send an arbitrary payload to tcp |
| 9 |
or udp ports. |
| 10 |
|
| 11 |
>> I don't understand this obsession with ssh or telnet. Remote code |
| 12 |
>> execution means that malicious party can execute any code on |
| 13 |
>> affected system. |
| 14 |
> |
| 15 |
> |
| 16 |
> To elaborate, since exim is an SMTP server it will be listening on |
| 17 |
TCP/25. All the attacker needs to do is run an SMTP command that will |
| 18 |
prompt exim to perform a lookup on a very long FQDN. The first command an |
| 19 |
SMTP client issues to an SMTP server is 'HELO <some FQDN>'. Exim can be |
| 20 |
configured to check if that the FQDN is valid, as a way of trying to |
| 21 |
distinguish spammers from valid mail servers. So here we have a situation |
| 22 |
where a security control happens to make the server less secure, and we |
| 23 |
have all that's required for exploitation in a nice package. |
| 24 |
|
| 25 |
Afaik, all remote attacks pretty much work the same. The example I'm sure |
| 26 |
most of us have seen is with http (especially since shellshock - right? - |
| 27 |
if not look up an example). You send a command to the server and then do |
| 28 |
something it isn't expecting. You can also see this all the time with php |
| 29 |
apps and options to do stuff in the app that wasn't intended. Half the time |
| 30 |
http stuff is base64 encoded - that's fine since the server natively |
| 31 |
decodes that. |
| 32 |
|
| 33 |
So here you have an api call that does something unexpected - IIRC it was a |
| 34 |
bounds issue. So once you figure out what the problem is, you look for apps |
| 35 |
that make the call in a way that could trigger the bug. Then you compile |
| 36 |
the program with debug symbols, step through it and try to trigger your |
| 37 |
exploit. After you get it working there locally you figure out how to to |
| 38 |
get that same bit of code to fire with that same malformed bit remotely. |
| 39 |
You keep in mind that if you're going at something at the tcp level, the |
| 40 |
packet still needs to be routed or broadcasted, and if you're going at |
| 41 |
something at the application layer (most remote code is here) you need to |
| 42 |
conform to the protocol until you're ready to trigger your evil bit (ie, |
| 43 |
you generally want to say hi to someone before you go into an explanation |
| 44 |
of how messed up they are - right?). Most services will end the connection |
| 45 |
or just sit there erroring until some timeout or whatever unless you start |
| 46 |
with their "hi" or a proper command. After that, have fun - you're on |
| 47 |
someone else's system - whether you do something evil or not, their system |
| 48 |
is processing what you sent <-- is the whole point of everything else I |
| 49 |
wrote and something worth remembering. Think of a shell as a REPL |
| 50 |
(Wikipedia) and every other protocol as an interpreter waiting to execute |
| 51 |
whatever you give it (or error out as most unfinished programs do). |
| 52 |
|
| 53 |
As for this, there's multiple places an email server *might* want to verify |
| 54 |
different positions of a domain. In the hello line, From, domainkey, etc. |
| 55 |
If that vulnerable part of exim code is executed trying to check something |
| 56 |
and you give it some evil bits (0s with 3 or less dots (.)), you might own |
| 57 |
a free server. |
| 58 |
|
| 59 |
HTH |
Archives