Date: June 2024
Author: [Your Name]
Exim, a widely used mail transfer agent (MTA), recently got hit by CVE-2024-39929, a vulnerability lurking in versions up to 4.97.1. This security hole can let attackers sneak dangerous email attachments into users’ inboxes, sidestepping mechanisms meant to keep harmful files out — all thanks to how Exim misinterprets certain email headers when they span multiple lines.
Below, we'll break down what this bug means, how attackers could exploit it, and what you need to do to stay safe.
What’s the Vulnerability?
In simple terms: Exim fails to correctly read email headers that use the RFC 2231 standard for specifying parameters (like file names) over several lines. Attackers can craft an email so Exim doesn’t spot the evil in an attachment’s file name, defeating $mime_filename-based blocks meant to stop things like .exe files.
*Let’s illustrate:*
Content-Type: application/octet-stream;
name*="evil";
name*1=".exe"
Content-Disposition: attachment;
filename*="evil";
filename*1=".exe"
Here, the attacker splits the filename across two header lines (evil.exe). Exim, due to the bug, doesn’t assemble the full filename for blocking, so an .exe can slip through, even if your mail filter is set to block .exe attachments using $mime_filename.
1. Attacker Crafts a Malicious Email
They compose an email with a dangerous attachment (like a trojan executable disguised as a document). Instead of giving it the filename payroll.exe directly, the sender does this (split for RFC 2231):
Content-Type: application/octet-stream;
name*="payroll";
name*1=".exe"
- In your Exim configuration, you might have a rule like
condition = ${if match{$mime_filename}{\N\.(exe|scr|bat)$\N}}
- Because Exim hasn’t reconstructed the full filename, this rule isn’t triggered.
### 4. The Executable Attachment Gets Delivered
- The email reaches the recipient, now with the dangerous attachment hidden under the radar.
---
## Who’s Affected?
- Anyone running Exim up to 4.97.1
- Default and custom installs that use $mime_filename to block unsafe attachments
---
## Proof-of-Concept (PoC) Email Snippet
email
From: attacker@example.com
To: victim@example.com
Subject: Important Update
Content-Type: multipart/mixed; boundary="BOUNDARY"
BOUNDARY
Content-Type: text/plain
BOUNDARY
Content-Type: application/octet-stream;
name*1=".exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename*1=".exe"
TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
... (binary/executable data here) ...
BOUNDARY--
<br><br><b>Result:</b> Exim fails to spot 'security.exe' and delivers it to the user.<br><br>---<br><br>## How Can You Protect Yourself?<br><br>### 1. <b>Patch Immediately</b><br><br>- Upgrade to the latest Exim release once a fix is available. Track this issue here and on CVE Details.<br><br>### 2. <b>Review and Harden Attachment Filtering</b><br>- Consider using additional tools (like clamav or third-party filters) that <b>fully parse RFC 2231 headers</b>.<br>- Instead of relying solely on $mime_filename, also filter by MIME Content-Type`, magic headers, and scan with AV.
### 3. Raise Awareness
- Warn users to be careful with unexpected attachments.
- Update security training to reflect this bypass method.
---
## Further Reading
- Exim Official Website
- Exim Security Advisories on GitHub
- RFC 2231 – MIME Parameter Value and Encoded Word Extensions
- Exim Users Mailing List
---
## Summary
CVE-2024-39929 is a simple but effective bug: a parsing oversight in Exim lets dangerous attachments slip through standard filename filters if headers are formatted across multiple lines. Patch your Exim as soon as there’s a fix, review your filtering rules, and stay vigilant — attackers are always looking for ways around your defenses.
*Stay safe! If you run into trouble or need advice, drop a comment below or reach out to the Exim community.*
Timeline
Published on: 07/04/2024 15:15:10 UTC
Last modified on: 07/09/2024 16:22:58 UTC