Vulnerability

Note: Some details were removed to prevent simple recreation of the exploit.

Affected software: DirectAdmin Exim BlockCracking versions below 1.12

DirectAdmin Exim BlockCracking is using ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒ ▒▒ ▒▒ ▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒ ▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒, allowing a local user to execute arbitrary commands as the mail user.

Exploit

If a user triggers the following condition in /etc/exim.blockcracking/script.conf ▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒:

▒▒▒▒▒▒▒▒ ▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒

they can control the commands executed as the mail user using ▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒, e.g.:

▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒

If ▒▒▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒▒ ▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒, the sleep command will be executed as the mail user, as shown in this ps output:

mail 1301 0.0 0.0 11692 1356 ? S 12:29 0:00 ▒ ▒▒ ▒▒▒▒▒▒▒ ▒▒ ▒▒▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒▒▒▒ ▒▒▒▒▒▒ ▒▒▒▒ ▒▒ ▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒
mail 1302 0.0 0.0  4364  356 ? S 12:29 0:00     | \_ sleep 1337

Solution

Update BlockCracking to version 1.12 or later and exim.pl version 29 or later.

Timeline

  • 2020-02-17 - Vulnerability reported to vendor.
  • 2020-02-18 - Response from vendor and initial fix proposition.
  • 2020-02-19 - Reported fix bypass to vendor.
  • 2020-02-20 - Further discussion about fix.
  • 2020-02-21 - BlockCracking 1.12 and exim.pl version 29 released with vulnerability fixed.