CVE-2019-10149

Published: 05/06/2019 Updated: 11/06/2019
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
CVSS v3 Base Score: 9.8 | Impact Score: 5.9 | Exploitability Score: 3.9
VMScore: 762
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Exim could allow a remote malicious user to execute arbitrary code on the affected system.

Affected Products

Vendor   Product   Versions
Exim     Exim      4.87, 4.91

Vendor Advisories

Exim could be made to run commands if it received specially crafted network traffic ...
The Qualys Research Labs reported a flaw in Exim, a mail transport agent. Improper validation of the recipient address in the deliver_message() function may result in the execution of arbitrary commands. For the stable distribution (stretch), this problem has been fixed in version 4.89-2+deb9u4. We recommend that you upgrade your exim4 packages. Fo ...
A flaw was found in Exim versions 4.87 to 4.91 before release 120 (inclusive). Improper validation of recipient address in deliver_message() function in /src/deliver.c may lead to remote command execution (CVE-2019-10149). ...
A flaw was found in the way exim validated recipient addresses. A remote attacker could use this flaw to execute arbitrary commands on the exim server with the permissions of the user running the application. ...

Exploits

Qualys Security Advisory: The Return of the WIZard: RCE in Exim (CVE-2019-10149). Contents: Summary; Local exploitation; Remote exploitation (Non-default configurations, Default configuration); Acknowledgm ...
#!/bin/bash # raptor_exim_wiz - "The Return of the WIZard" LPE exploit # Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info> # A flaw was found in Exim versions 4.87 to 4.91 (inclusive). # Improper validation of recipient address in deliver_message() # function in /src/deliver.c may lead to remote command execution # (CVE-2019-10 ...

Mailing Lists

Exim versions 4.87 through 4.91 suffer from a local privilege escalation vulnerability ...
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Debian Security Advisory DSA-4456-1 security () debian org www.debian.org/security/ Salvatore Bonaccorso June 05, 2019 www.debian.org/security/faq ...
Hi, our non-public security Git repo is ssh://git () git exim org/exim.git. Access is granted to the known and trusted SSH keys we have. The branch fix-CVE-2019-10149 contains the fix. It is one commit ahead of the exim-4_91+fixes branch and we'll eventually merge it into the +fixes branch. The relevant commit is d740d2111f189760593a303124f ...
CVE-2019-10149 Exim 4.87 to 4.91. We received a report of a possible remote exploit. Currently there is no evidence of an active use of this exploit. A patch exists already, is being tested, and backported to all versions we released since (and including) 4.87. The severity depends on your configuration. It dep ...
The fix for CVE-2019-10149 is public now: git.exim.org/exim.git, branch exim-4_91+fixes. Thank you to - Qualys for reporting it - Jeremy for fixing it - you for using Exim. Sorry for confusion about the public release. We were forced to react, as details leaked. The patch should apply cleanly to all affected version ...
Hi, On Thu, Jul 25, 2019 at 08:54:55PM +0200, Kristian Fiskerstrand wrote: You have two entries for Exim CVE-2019-10149, which is wrong. Also, some of the dates are wrong (e.g., the date of Exim's pre-announcement to oss-security is irrelevant). Please combine this into one entry and update the dates. I guess the range of dates should be from ...
Hi all, On Wed, Jun 05, 2019 at 05:19:44PM +0200, Heiko Schlittermann wrote: As per the distros list policy: Below is an abridged version of our advisory (with all the vulnerability details, but without exploitation details); we will publish the complete version in 24 hours, or as soon as third-party exploits are published, whichever happens fi ...

Github Repositories

PoC-CVE-2019-10149_Exim: MNEMO-CERT has developed a PoC that executes commands with elevated privileges by exploiting the CVE-2019-10149 vulnerability, which affects several versions of Exim (4.87 - 4.91). To exploit this vulnerability locally it is necessary to define the command to be executed. On the other hand, for the remote

CVE-2019-10149 privilege escalation "poc"

StickyExim: an email honeypot. Features: easy to deploy, the install script does all the work. Abuse reports are automatically created and sent to the attacking IP owner. Abuse reports are stored with a hash at time of creation in case needed later. Requirements: domain names. One real domain you use for normal email (example: myrealdomain.com). One domain for the HoneyPot(s). E

eximrce: simple Python socket connection to test if Exim is vulnerable to CVE-2019-10149. The payload simply touches a file in /root/lweximtest. Output will be slow depending on server's reply and not knowing how to properly use Python's socket module. Would love a lesson on how to speed it up. Only tested on cPanel boxes. Run locally on suspected server. This checks for

CVE-2019-10149-quick: simple Bash shell quick fix for CVE-2019-10149

Exploits: miscellaneous proof of concept exploit code for testing purposes. Current Exploits: Strato HiDrive <= 5010 LPE (CVE-2019-9486); Exim 4.87 < 4.91 LPE (CVE-2019-10149). Licence: see individual exploits for their respective licences. Bug Reports: I'll take the quality of our exploit code very seriously. If you find a bug, or an edge case where an exploi

Libaz: recently someone used a known Exim exploit (CVE-2019-10149) on an unpatched server. We found out very fast due to Exim not being able to boot. We secured as much of the trail as we could to maybe help you deal with this yourself. The infection: an infected email was sent to the server which performed a malicious download and install of a script. We noticed an entry like this i

exploits: "You can't argue with a root shell" -- Felix "FX" Lindner. Linux: raptor_chown.c, Linux 2.6.x < 2.6.7-rc3 (CVE-2004-0497), missing DAC controls in sys_chown(); raptor_prctl.c, Linux 2.6.x from 2.6.13 up to versions before 2.6.17.4 (CVE-2006-2451), suid_dumpable bug; raptor_prctl2.c, Linux 2.6.x from 2.6.13 up to versions bef

Recent Articles

Hackers Exploit Jira, Exim Linux Servers to "Keep the Internet Safe"
BleepingComputer • Sergiu Gatlan • 22 Jul 2019

Hackers are exploiting vulnerable Jira and Exim servers with the end goal of infecting them with a new Watchbog Linux Trojan variant and using the resulting botnet as part of a Monero cryptomining operation.
Watchbog is a malware strain used to infect Linux servers by exploiting vulnerable software such as Jenkins during a campaign from May, as well as Nexus Repository Manager 3, ThinkPHP, and Linux Supervisord as part of an operation from March as discovered by Alibaba Cloud Securit...

Microsoft Warns about Worm Attacking Exim Servers on Azure
BleepingComputer • Lawrence Abrams • 17 Jun 2019

Microsoft issued a warning over the weekend about an active Linux worm that is targeting a recently disclosed Linux Exim mail server vulnerability. Though existing mitigations exist to block the worm functionality of this infection, Microsoft states that Azure servers can still be infected or hacked through this vulnerability.
Exim is a very popular mail server software, or message transfer agent (MTA), that is used to send and receive email for its users. Recently, the CVE-2019-10149...

Millions of Linux Servers Under Worm Attack Via Exim Flaw
Threatpost • Lindsey O'Donnell • 14 Jun 2019

A widespread campaign is exploiting a vulnerability in the Exim mail transport agent (MTA) to gain remote command-execution on victims’ Linux systems. Researchers say that currently more than 3.5 million servers are at risk from the attacks, which are using a wormable exploit.
Specifically under attack is a flaw in Exim-based mail servers, which run almost 57 percent of the internet’s email servers. Attackers are exploiting the flaw, discovered last week, to take control of the victim ...

Millions of Exim Mail Servers Are Currently Being Attacked
BleepingComputer • Sergiu Gatlan • 13 Jun 2019

Millions of mail servers running vulnerable Exim mail transfer agent (MTA) versions are currently under siege, with attackers gaining permanent root access via SSH to the exploited machines according to security researchers.
The flaw tracked as CVE-2019-10149 and named "The Return of the WIZard" by Qualys, the research outfit which discovered it, makes it possible for attackers to remotely run arbitrary commands as root — in most cases — on exposed servers after exploitation.
...

Critical bug found in popular mail server software
welivesecurity • Tomáš Foltýn • 07 Jun 2019

Exim, the popular mail transfer agent (MTA) software, contains a critical-rated vulnerability that can, in some scenarios, enable remote attackers to run commands of their choice on unpatched mail servers, researchers from Qualys have found.
Tracked under CVE-2019-10149, the remote command execution flaw impacts Exim installations 4.87 through 4.91. The bug was fixed with the latest version (4.92) of the open-source software, albeit, by all accounts, unknowingly. According to Qualys, the i...

Millions of Exim Mail Servers Exposed to Local, Remote Attacks
BleepingComputer • Sergiu Gatlan • 06 Jun 2019

A critical severity vulnerability present in multiple versions of the Exim mail transfer agent (MTA) software makes it possible for unauthenticated remote attackers to execute arbitrary commands on mail servers for some non-default server configurations.
The flaw impacts Exim versions 4.87 to 4.91 and it is caused by the improper validation of recipient addresses in the deliver_message() function in /src/deliver.c which leads to RCE with root privileges on the mail server.
"In this...