Attackers Exploiting Exim Bugs with Rootkit

    Date20 Dec 2010
    Posted ByAnthony Pell
    Attackers are already exploiting a bug in the Exim mailer to remotely execute code on compromised Linux machines, according to a pair of Linux security advisories. Posted on US-Cert as Vulnerability Note VU #682457, the bug exists in Exim mail server software prior to version 4.70. Affected systems include Debian Linux, Novell's SUSE Linux, and Canonical's Ubuntu Linux. Exim is a mail transfer agent popularly used on Unix-based machines.

    "The internal string handling functions of the Exim software contain a function called string_format(). The version of this function included with Exim versions prior to 4.70 contains a flaw that can result in a buffer overflow. An attacker can exploit this vulnerability by crafting message headers that are subsequently supplied to Exim logging functions," wrote Chad Dougherty on the US-CERT list.

    When a rootkit is installed on a machine running the older version of Exim, the malware creates a number of temporary files, including a small C program. An attacker can remotely compile the program. When executed, it runs using Exim server's privileges.

    While bad, it's not as bad as running as root, except for the fact there is yet another Exim bug.

    You are not authorised to post comments.

    LinuxSecurity Poll

    Has your email account ever been pwned in a data breach?

    No answer selected. Please try again.
    Please select either existing option or enter your own, however not both.
    Please select minimum 0 answer(s) and maximum 2 answer(s).

    We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.