CVE-2019-16928: Exim Vuln Exploit via EHLO Strings
Researchers found CVE-2019-16928, a vulnerability in mail transfer agent Exim. Exim accounts for over 50% of publicly reachable mail servers online, and threat actors can exploit it for denial of service (DoS) or remote code execution attacks (RCE).
In September, security researchers from the QAX-A-Team discovered the existence of CVE-2019-16928, a vulnerability involving the mail transfer agent Exim. Exim accounts for over 50% of publicly reachable mail servers on the internet. What makes the bug particularly noteworthy is that threat actors could exploit it to perform denial of service (DoS) or possibly even remote code execution attacks (RCE) — making it a serious concern for Exim customers who use vulnerable versions of the software.
The flaw exists in the following Exim versions (earlier versions are not affected):
In this entry, we explain how CVE-2019-16928 can be exploited, specifically, how introducing a heap-based buffer overflow error to the Exim process can be used to gain execution control of it.
The heap overflow
During execution in computer memory, local variables are stored in an area of the memory called the stack, which is responsible for storing local variables created by a function. On the other hand, dynamic variables, which are used to allocate and free memory during runtime, are stored in another area of the memory called the heap.
Each local variable points to its value in the heap, which basically means that it points to its memory address containing the value. When a string longer than the dedicated memory is used as an input, it overrides and changes the value in subsequent memory blocks in the heap. Figure 1 depicts this execution flow.
Figure 1. Memory representation during heap buffer overflow
In this scenario, Value 2 can be any string or backdoor command which can be executed during runtime — a process widely known as remote code execution.
Using EHLO strings to exploit the vulnerability
As defined by the Internet Engineering Task Force (IETF), the Extended HELO (EHLO) is a command sent by the email client to identify itself and inform the email server that it will use Extended Simple Mail Transfer Protocol (ESMTP) before starting the process of sending an email. It is through EHLO strings that a threat actor could exploit CVE-2019-16928 to perform malicious attacks, such as crashing the Exim process (resulting in DoS). Furthermore, a backdoor command used as an input for EHLO could lead to remote code execution.
This vulnerability is found in the method string_vformat() in string.c. Due to a coding error, the length of the string was not growing by enough, leading to a buffer overflow anomaly. The growth of the string is fixed by adding size from the offset value.
Figure 2. gstring_grow() invocation which allocates more memory to string
As seen in Figure 2, the statement highlighted in red is the flaw in the code. If the difference between g->ptr (the current pointer in string or offset) and (lim - g->ptr) is unreasonably low and the size of the appended string is larger than the allocated memory, then it can lead to heap overflow. A simple fix is found in the next statement.
Recommendations and Trend Micro solutions
As of the time of writing, Exim has already released an update (version 4.92.3) that includes fixes for CVE-2019-16928. To prevent any possible issues that might arise from the exploitation of the vulnerability, Exim users should update their software to the latest version.
To strengthen overall security posture further, organizations can also look into security software such as the Trend Micro™ Deep Discovery™ solution, which provides detection and in-depth analysis through specialized engines, custom sandboxing, and seamless correlation across the entire attack life cycle, allowing it to detect vulnerability-exploiting attacks even without engine or pattern updates.
This technology also includes the Trend Micro Deep Discovery Inspector, which protects customers from attacks that exploit CVE-2019-16928 via the following rule:
- Rule ID 4246: Possible CVE-2019-16928 - Exim Buffer Overflow Exploit - SMTP (Request)
The Trend Micro™ Deep Security™ solution also protect systems and users from threats targeting CVE-2019-16928 via the following Deep Packet Inspection (DPI) rule:
- 1010010 - Exim Remote Code Execution Vulnerability (CVE-2019-16928)
- 36283: SMTP: Exim Buffer Overflow Vulnerability