Olivier Bonvalet
2010-Dec-14 09:49 UTC
[Pkg-exim4-users] CVE-2010-4344 and Exim 4.69-9+lenny1
Hi, one of my Debian boxes was just "hacked", I thought through this Exim vulnerability, but Exim4 was already upgraded to the "4.69-9+lenny1_amd64" version. We upgraded it on 12/11/2010:

Aptitude 0.4.11.11: log Sat, Dec 11 2010 21:03:49 +0100

IMPORTANT: this log only contains the actions that were requested; some actions that fail because of dpkg errors may therefore not have been carried out.

12 packages will be installed, and 2 removed. 164kB of disk space will be freed.
==============================================================================
[REMOVE, NOT USED] libdns55
[INSTALL, DEPENDENCIES] libdns58
[INSTALL, DEPENDENCIES] libisc50
[REMOVE, DEPENDENCIES] libisc52
[UPGRADE] bind9-host 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] dnsutils 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] exim4 4.69-9 -> 4.69-9+lenny1
[UPGRADE] exim4-base 4.69-9 -> 4.69-9+lenny1
[UPGRADE] exim4-config 4.69-9 -> 4.69-9+lenny1
[UPGRADE] exim4-daemon-heavy 4.69-9 -> 4.69-9+lenny1
[UPGRADE] libbind9-50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] libisccc50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] libisccfg50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
[UPGRADE] liblwres50 1:9.6.ESV.R1+dfsg-0+lenny2 -> 1:9.6.ESV.R3+dfsg-0+lenny1
==============================================================================

And the attacker exploited the vulnerability on 12/14/2010:

# stat /mnt/var/spool/exim4/s
  File: `/mnt/var/spool/exim4/s'
  Size: 9223        Blocks: 24         IO Block: 4096   regular file
Device: fd02h/64770d    Inode: 65906       Links: 1
Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2010-12-14 09:31:13.000000000 +0100
Modify: 2010-12-14 02:07:20.000000000 +0100
Change: 2010-12-14 02:07:20.000000000 +0100

2010-12-14 02:07:31 1PSJMZ-0007cg-Je <= root at pasbet.mrbinr.com U=root P=local S=4324
2010-12-14 02:07:31 1PSJMZ-0007cg-Je no immediate delivery: load average 1.01
2010-12-14 02:08:09 Start queue run: pid=32248
2010-12-14 02:08:10 1PSJNC-0008Ow-0V <= root at pasbet.mrbinr.com H=localhost (pasbet.mrbinr.com) [127.0.0.1] P=esmtp S=5158 id=E1PSJMZ-0007cg-Je at pasbet.mrbinr.com
2010-12-14 02:08:10 1PSJNC-0008Ow-0V no immediate delivery: load average 1.45
2010-12-14 02:08:10 1PSJMZ-0007cg-Je => haubau123 at yahoo.com R=dkimproxy T=dkimproxy_smtp H=localhost [127.0.0.1]
2010-12-14 02:08:10 1PSJMZ-0007cg-Je Completed
2010-12-14 02:08:10 End queue run: pid=32248

Or maybe it's a different problem? Do you need more information, logs, files?

Thanks,
Olivier Bonvalet
Andreas Metzler
2010-Dec-14 18:48 UTC
[Pkg-exim4-users] CVE-2010-4344 and Exim 4.69-9+lenny1
On 2010-12-14 Olivier Bonvalet <debian-exim.list at daevel.fr> wrote:
> one of my Debian boxes was just "hacked", I thought through this Exim
> vulnerability, but Exim4 was already upgraded to the
> "4.69-9+lenny1_amd64" version.
> We upgraded it on 12/11/2010:
[...]
> And the attacker exploited the vulnerability on 12/14/2010:
> # stat /mnt/var/spool/exim4/s
>   File: `/mnt/var/spool/exim4/s'
>   Size: 9223        Blocks: 24         IO Block: 4096   regular file
> Device: fd02h/64770d    Inode: 65906       Links: 1
> Access: (4755/-rwsr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
> Access: 2010-12-14 09:31:13.000000000 +0100
> Modify: 2010-12-14 02:07:20.000000000 +0100
> Change: 2010-12-14 02:07:20.000000000 +0100
[...]
> 2010-12-14 02:07:31 1PSJMZ-0007cg-Je <= root at pasbet.mrbinr.com
> U=root P=local S=4324
> 2010-12-14 02:07:31 1PSJMZ-0007cg-Je no immediate delivery: load
> average 1.01
> 2010-12-14 02:08:09 Start queue run: pid=32248
> 2010-12-14 02:08:10 1PSJNC-0008Ow-0V <= root at pasbet.mrbinr.com
> H=localhost (pasbet.mrbinr.com) [127.0.0.1] P=esmtp S=5158
> id=E1PSJMZ-0007cg-Je at pasbet.mrbinr.com
> 2010-12-14 02:08:10 1PSJNC-0008Ow-0V no immediate delivery: load
> average 1.45
> 2010-12-14 02:08:10 1PSJMZ-0007cg-Je => haubau123 at yahoo.com
> R=dkimproxy T=dkimproxy_smtp H=localhost [127.0.0.1]
> 2010-12-14 02:08:10 1PSJMZ-0007cg-Je Completed
> 2010-12-14 02:08:10 End queue run: pid=32248
> Or maybe it's a different problem?
> Do you need more information, logs, files?

Hello,

I (would like to) think that the actual break-in happened before you upgraded the system and the attacker installed a backdoor. The exim logfile snippet above shows that the local user root invoked exim to send a mail.

cu andreas
-- 
`What a good friend you are to him, Dr. Maturin. His other friends are
so grateful to you.'
`I sew his ears on from time to time, sure'
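The two pieces of evidence in this thread, a setuid-root file sitting in the Exim spool and a mainlog entry showing a message accepted from the local root user (U=root P=local), can be turned into two quick checks. The script below is an added example for this thread; it is not code from either poster or from the Exim project. The spool path, the file names and the mainlog lines used by its demo are constructed for the example, not taken from the compromised host.

```sh
#!/bin/sh
# Added example for this thread, not code from the thread or from Exim itself.
# Two checks behind the evidence discussed above: setuid/setgid files under the
# Exim spool, and messages Exim accepted from the local root user (U=root P=local).
# All paths, file names and log lines used by the demo are constructed here.

# Print every setuid or setgid regular file below a spool directory.
# Exim's spool holds message headers/bodies and hint databases; it should
# contain no executables at all, so any hit is worth a closer look.
find_setuid_in_spool() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print mainlog arrival lines ("<=") for messages submitted by root through
# the local interface (P=local), i.e. someone running exim as root on the box.
local_root_submissions() {
    grep -E '<= .* U=root .*P=local' "$1"
}

# Build a throw-away spool and mainlog so the checks can be run offline.
# Prints the temporary directory that holds them.
make_demo_data() {
    tmp=$(mktemp -d)
    spool="$tmp/spool/exim4"
    mkdir -p "$spool/input"
    # Constructed stand-in for the suspicious file: an executable with the
    # setuid bit set, owned by whoever runs this script rather than by root.
    printf '#!/bin/sh\n' > "$spool/s"
    chmod 4755 "$spool/s"
    # An ordinary spool file with normal permissions, for contrast.
    printf 'x' > "$spool/input/1PSJMZ-0007cg-Je-H"
    chmod 0640 "$spool/input/1PSJMZ-0007cg-Je-H"
    # Constructed mainlog lines in Exim's format. Only the first is a local
    # submission by root; the third arrived over SMTP, the fourth is a local
    # submission by an unprivileged user.
    cat > "$tmp/mainlog" <<'EOF'
2010-12-14 02:07:31 1PSJMZ-0007cg-Je <= root@mail.example.invalid U=root P=local S=4324
2010-12-14 02:07:31 1PSJMZ-0007cg-Je no immediate delivery: load average 1.01
2010-12-14 02:08:10 1PSJNC-0008Ow-0V <= root@mail.example.invalid H=localhost (mail.example.invalid) [127.0.0.1] P=esmtp S=5158
2010-12-14 03:00:00 1PSKAA-0001aa-Aa <= alice@mail.example.invalid U=alice P=local S=100
EOF
    printf '%s\n' "$tmp"
}

# Run both checks against the demo data and print what they find.
demo() {
    d=$(make_demo_data)
    echo "== setuid/setgid files under $d/spool/exim4 =="
    find_setuid_in_spool "$d/spool/exim4"
    echo "== messages accepted from local root =="
    local_root_submissions "$d/mainlog"
    rm -rf "$d"
}

demo
```

On a real host the two functions would be pointed at the mounted disk of the suspect machine (e.g. `find_setuid_in_spool /mnt/var/spool/exim4` and `local_root_submissions /mnt/var/log/exim4/mainlog`), run from a rescue system as the first post does with its /mnt prefix, since tools on a box where root has already been taken cannot be trusted. Both checks are indicators, not proof: a clean spool and no root submissions do not show the host is clean, and, as the reply points out, a package upgrade removes the vulnerability but not a backdoor that was installed before it.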