1 |
On Jan 31, 2015 11:57 PM, "Adam Carter" <adamcarter3@×××××.com> wrote: |
2 |
> |
3 |
> |
4 |
>> > Do they need telnet or ssh access, |
5 |
>> |
6 |
|
7 |
Not telnet shell but this could be triggered with telnet/nc or even nmap, |
8 |
hping, or tcpreplay - all of which could send an arbitrary payload to tcp |
9 |
or udp ports. |
10 |
|
11 |
>> I don't understand this obsession with ssh or telnet. Remote code |
12 |
>> execution means that malicious party can execute any code on |
13 |
>> affected system. |
14 |
> |
15 |
> |
16 |
> To elaborate, since exim is an SMTP server it will be listening on |
17 |
TCP/25. All the attacker needs to do is run an SMTP command that will |
18 |
prompt exim to perform a lookup on a very long FQDN. The first command an |
19 |
SMTP client issues to an SMTP server is 'HELO <some FQDN>'. Exim can be |
20 |
configured to check if that the FQDN is valid, as a way of trying to |
21 |
distinguish spammers from valid mail servers. So here we have a situation |
22 |
where a security control happens to make the server less secure, and we |
23 |
have all that's required for exploitation in a nice package. |
24 |
|
25 |
Afaik, all remote attacks pretty much work the same. The example I'm sure |
26 |
most of us have seen is with http (especially since shellshock - right? - |
27 |
if not look up an example). You send a command to the server and then do |
28 |
something it isn't expecting. You can also see this all the time with php |
29 |
apps and options to do stuff in the app that wasn't intended. Half the time |
30 |
http stuff is base64 encoded - that's fine since the server natively |
31 |
decodes that. |
32 |
|
33 |
So here you have an api call that does something unexpected - IIRC it was a |
34 |
bounds issue. So once you figure out what the problem is, you look for apps |
35 |
that make the call in a way that could trigger the bug. Then you compile |
36 |
the program with debug symbols, step through it and try to trigger your |
37 |
exploit. After you get it working there locally you figure out how to to |
38 |
get that same bit of code to fire with that same malformed bit remotely. |
39 |
You keep in mind that if you're going at something at the tcp level, the |
40 |
packet still needs to be routed or broadcasted, and if you're going at |
41 |
something at the application layer (most remote code is here) you need to |
42 |
conform to the protocol until you're ready to trigger your evil bit (ie, |
43 |
you generally want to say hi to someone before you go into an explanation |
44 |
of how messed up they are - right?). Most services will end the connection |
45 |
or just sit there erroring until some timeout or whatever unless you start |
46 |
with their "hi" or a proper command. After that, have fun - you're on |
47 |
someone else's system - whether you do something evil or not, their system |
48 |
is processing what you sent <-- is the whole point of everything else I |
49 |
wrote and something worth remembering. Think of a shell as a REPL |
50 |
(Wikipedia) and every other protocol as an interpreter waiting to execute |
51 |
whatever you give it (or error out as most unfinished programs do). |
52 |
|
53 |
As for this, there's multiple places an email server *might* want to verify |
54 |
different positions of a domain. In the hello line, From, domainkey, etc. |
55 |
If that vulnerable part of exim code is executed trying to check something |
56 |
and you give it some evil bits (0s with 3 or less dots (.)), you might own |
57 |
a free server. |
58 |
|
59 |
HTH |