Attackers have begun using the bug in the Exim mailer that was disclosed earlier this week to install a rootkit on machines running vulnerable versions of the software.
The vulnerability in Exim, which is a mail transfer agent used on Unix-based machines, came to light on Monday and can result in remote code execution. US-CERT said in an advisory on Monday that the bug already was being exploited in the wild by the time it was disclosed.
“The internal string handling functions of the Exim software contain a function called string_format().
The version of this function included with Exim versions prior to 4.70
contains a flaw that can result in a buffer overflow. An attacker can
exploit this vulnerability by crafting message headers that are
subsequently supplied to Exim logging functions,” the advisory said.
Several users running Debian Linux said in a discussion thread on Reddit that they’d found a rootkit on some of their machines that were running vulnerable versions of Exim. The malware installs itself and creates some temporary files. Here’s a description of the rootkit’s behavior:
To get in, it created a number of temporary files in
/var/spool/exim4, including a small C program which it compiled and
setuid to get root access and run a shell as root:
-rw------- 1 Debian-exim Debian-exim 117 Dec 15 16:41 a.conf
-rw------- 1 Debian-exim Debian-exim 119 Dec 15 16:41 e.conf
drwxr-xr-x 3 root root 75 Dec 16 18:00 rk
-rw------- 1 root root 4421289 Dec 15 20:13 rk.tgz
-rw-r--r-- 1 root root 0 Dec 16 13:26 s
-rw-r--r-- 1 root root 0 Dec 16 13:26 s.c
-rwsr-xr-x 1 root root 6764 Dec 15 23:29 setuid
-rw------- 1 Debian-exim Debian-exim 3120 Dec 15 16:41 setuid.1
-rw------- 1 Debian-exim Debian-exim 130 Dec 15 16:41 setuid.c
Note that the rk directory contained the installer for the root kit.
Other users also noted seeing the same kind of malware on their Debian machines. One of the signs that users noticed that led them to find the infections was that their email stopped working.
The bug has been fixed in new version of Exim. The latest version can be downloaded on the Exim site.