Description: When Exim installation has been compiled with Perl support and contains a
perl_startup configuration variable it can be exploited by malicious local attackers to gain root privileges.
perl_startup is usually used to load various helper scripts such as mail filters, gray listing scripts, mail virus scanners etc.
To perform the attack, attacker can take advantage of the exim's sendmail interface which links to an exim binary that has an SUID bit set on it by default as we can see below:
[email protected] ~]$ ls -l /usr/sbin/sendmail.exim lrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim
[[email protected] ~]$ ls -l /usr/sbin/exim -rwsr-xr-x. 1 root root 1222416 Dec 7 2015 /usr/sbin/exim
Affected versions: Exim < 4.86.2
Solution: Update to Exim 4.86.2