Exim < 4.86.2 Local Root Privilege Escalation

Posted on Posted in Exim

Description: When Exim installation has been compiled with Perl support and contains a perl_startup configuration variable it can be exploited by malicious local attackers to gain root privileges.
perl_startup is usually used to load various helper scripts such as mail filters, gray listing scripts, mail virus scanners etc.

To perform the attack, attacker can take advantage of the exim's sendmail interface which links to an exim binary that has an SUID bit set on it by default as we can see below:

[email protected] ~]$ ls -l /usr/sbin/sendmail.exim
lrwxrwxrwx. 1 root root 4 Nov 30 00:45 /usr/sbin/sendmail.exim -> exim

[[email protected] ~]$ ls -l /usr/sbin/exim -rwsr-xr-x. 1 root root 1222416 Dec 7 2015 /usr/sbin/exim

Affected versions: Exim < 4.86.2

Solution: Update to Exim 4.86.2

Origin URLs:

Other references:

Leave a Reply

Your email address will not be published. Required fields are marked *