2022-01-13 17:57:04 +08:00

CVE-2020-28018: Exim Use-after-free (UAF) leading to RCE

Introduction

There is a Use-after-free (UAF) vulnerability in tls-openssl.c that allows remote unauthenticated attackers to corrupt Exim's internal memory and, from there, achieve remote code execution.

Primitives:

  • Memory Leakage
  • Arbitrary read primitive
  • Write-What-Where primitive

By chaining these primitives together it is possible to fully bypass the available exploit mitigations and achieve remote code execution as the exim user.

This vulnerability was disclosed as part of a large batch of Exim vulnerabilities; the official Qualys report chains the Use-After-Free with CVE-2020-28008 to perform a Local Privilege Escalation (LPE) once RCE has been achieved.

Pre-requisites

Exim must be configured / compiled in the following way:

  • TLS is enabled
  • OpenSSL is used (instead of GnuTLS)
  • Exim is one of the vulnerable versions
  • X_PIPE_CONNECT is disabled

You can use the checker.py script to check whether a remote server runs a vulnerable version and meets the other requisites needed for it to be exploitable.

[!] checker.py does NOT trigger the vulnerability; it only checks for a vulnerable version and whether PIPELINING and TLS are enabled. It does not detect a (backported) patch, so it can produce false positives.
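As an added example (not the repository's checker.py), the same precondition triage run offline against a constructed 220 banner and EHLO reply. The host name, the advertised capabilities and the AFFECTED_RANGE placeholder are assumptions, and like checker.py it is purely version-based, so a backported fix is invisible to it.

```python
import re
# Constructed sample dialogue (not captured from a real host): the 220 greeting
# banner, then the multi-line 250 reply Exim sends to EHLO.
SAMPLE_BANNER = "220 mail.example.test ESMTP Exim 4.92 Thu, 13 Jan 2022 17:57:04 +0800"
SAMPLE_EHLO = [
    "250-mail.example.test Hello scanner [192.0.2.10]",
    "250-SIZE 52428800",
    "250-PIPELINING",
    "250-STARTTLS",
    "250 HELP",
]
# Placeholder: the README names no affected range, so fill in the inclusive
# bounds from the Qualys advisory. 4.92 is just the version the README tested.
AFFECTED_RANGE = ("4.92", "4.92")
_BANNER_RE = re.compile(r"\bExim\s+(\d+(?:\.\d+)+)")

def parse_version(text):
    """'4.94.2' -> (4, 94, 2), so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))

def exim_version(banner):
    """Version string from the 220 banner, or None if the host does not say Exim."""
    match = _BANNER_RE.search(banner)
    return match.group(1) if match else None

def ehlo_keywords(lines):
    """ESMTP keywords announced in a 250 EHLO reply; line 1 is the greeting."""
    keywords = set()
    for line in lines[1:]:
        body = line[4:].strip() if line.startswith("250") else ""
        if body:
            keywords.add(body.split()[0].upper())
    return keywords

def assess(banner, ehlo_lines, affected=AFFECTED_RANGE):
    """Return (version, per-check dict, all_met). Version-based like checker.py:
    a backported fix is invisible here, so confirm via the package changelog."""
    version = exim_version(banner)
    keywords = ehlo_keywords(ehlo_lines)
    low, high = (parse_version(v) for v in affected)
    checks = {
        "starttls": "STARTTLS" in keywords,
        "pipelining": "PIPELINING" in keywords,
        "x_pipe_connect_absent": "X_PIPE_CONNECT" not in keywords,
        "version_in_range": version is not None and low <= parse_version(version) <= high,
    }
    return version, checks, all(checks.values())

if __name__ == "__main__":
    ver, checks, met = assess(SAMPLE_BANNER, SAMPLE_EHLO)
    print(f"Exim {ver}: {'all preconditions met' if met else 'not exposed'}", checks)
```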

Analysis and Exploitation of CVE-2020-28018

If you want more details about this vulnerability and how to exploit it, check this post.

System Information

The tests have been performed on a Debian system:

root@research:~# lsb_release -a
No LSB modules are available.
Distributor ID:	Debian
Description:	Debian GNU/Linux 10 (buster)
Release:	10
Codename:	buster

With exim version:

root@research:~# exim --version
Exim version 4.92 #7 built 06-May-2021 19:31:44
Copyright (c) University of Cambridge, 1995 - 2018
(c) The Exim Maintainers and contributors in ACKNOWLEDGMENTS file, 2007 - 2018
Berkeley DB: Berkeley DB 5.3.28: (September  9, 2013)
Support for: crypteq iconv() OpenSSL DANE DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Lookups (built-in): lsearch wildlsearch nwildlsearch iplsearch cdb dbm dbmjz dbmnz dnsdb passwd
Authenticators: cram_md5 plaintext
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile/maildir/mailstore autoreply lmtp pipe smtp
Fixed never_users: 0
Configure owner: 0:0
Size of off_t: 8
Configuration file is /var/lib/exim4/config.autogenerated

My Exim version is self-compiled, but replicating the compilation flags used by the mainstream Debian package.

The configuration is the same as the Debian default, perhaps with some minor changes.

Set up Environment

In this repository there is a directory called exim-4.92, which contains the Exim source code.

First install exim with the apt package manager.

Download the exim-4.92 directory and the config directory onto the machine.

Copy config/Makefile into exim-4.92/Local, then copy config/eximon.conf into exim-4.92/Local.

Now run make; a build-linux-* directory will be created. Move into it and replace every "-O2" occurrence with "-O0".

Do the same in the OS/ directory. Finally, in build-linux-*, add -g to the CFLAGS variable.

It is recommended to add the libc and Exim sources to gdb.

Now run make and make install.

cp /usr/exim/bin/* /usr/sbin/
cp /usr/sbin/exim /usr/sbin/exim4

I used this script for generating certs: https://github.com/volumio/RootFS/blob/master/usr/share/doc/exim4-base/examples/exim-gencert

Then enable TLS in the exim4 configuration under /etc/exim4, using the /etc/exim4/exim.crt and /etc/exim4/exim.key generated by the bash script.

Finally: sudo update-exim4.conf && systemctl restart exim4

Check systemctl status exim4 to verify that everything is running correctly.

If you get a "TLS not currently available" error message after trying STARTTLS, check the exim4 logs.

I faced a problem because the key I used for the certs was too short, so modify the key bits in the previously mentioned gencert script (I use 4096).

More Information

For more information, visit the official Qualys advisory.