Threat Intelligence Report – Return of the Wizard

Mail Transfer Agent (MTA) Vulnerability

Date: 25th June 2019


The security community has discovered a vulnerability present in millions of email systems. A remote command execution vulnerability has been found in older versions of the mail transfer agent (MTA) Exim, an open-source and critical piece of email infrastructure that exists in many organisations (and is often also used ‘under the hood’ in commercial email products). An MTA functions like a router dedicated to email: it transfers mail messages from one computer to another using the Simple Mail Transfer Protocol (SMTP).

The vulnerability, called Return of the Wizard (CVE-2019-10149), allows remote attackers to send malicious emails to vulnerable Exim servers and execute commands with Root access, with no privilege escalation required. Exim can be configured in multiple ways; some configurations allow for faster exploitation, while others may require a week to fully exploit.


Exim is estimated to run nearly 57% of the internet’s email servers, and these are now under threat from hacker groups trying to exploit the security flaw in order to take over vulnerable servers. The vulnerability could allow remote code execution with Root privileges on more than 4.1 million systems.

Cryptominers, botnets and/or ransomware could leverage this weakness, as could Advanced Persistent Threat (APT) groups. Attacks have been carried out from a public internet server and from another one located on the dark web. There are now reports of an active Linux worm exploiting this vulnerability.

Tactics, Techniques and Procedures

The vulnerability resides in the deliver_message() function in /src/deliver.c and is caused by improper validation of recipient addresses. It can lead to remote code execution with Root privileges on the mail server. In the default configuration, an attacker can exploit it by keeping a connection to the vulnerable server open for 7 days, transmitting one byte of data every few minutes. The attacker can then execute arbitrary commands via execv() as Root; no memory corruption or Return-Oriented Programming (ROP) is involved.

Phase One: Infect & Execute

All vulnerable servers that can be found are actively being exploited by malicious actors. The main objective is to create a backdoor into the MTA servers by downloading a malicious shell script that adds a Secure Shell (SSH) key to the Root account. Attackers send an email or attempt to initiate a connection; they only need to reach the step where the MTA asks for the recipients of the email. Within the SMTP dialog for that email, the RCPT TO field receives an email address whose local part is specially crafted by the attacker to exploit the Return of the Wizard vulnerability. The attack uses a specially crafted Envelope-From (532[.]MailFrom) that downloads and executes the following shell script.


Phase Two: Open SSH Access

The infected Exim version executes the script in its own user context; if Exim is still being run as Root, the script then downloads a second shell script that opens SSH access to the MTA server via a public key for the Root user. The payload is hosted on the Tor network, on a Tor hidden service (an7kmd2wp4xo7hpr), reached via tor2web routing services. The script initially deployed on exploited Exim servers then downloads another script that checks whether OpenSSH is installed on the compromised machine. If OpenSSH is not present, it is installed via the Advanced Package Tool (APT) package manager together with several other tools; the script then enables Root logins via SSH, using an RSA private/public key pair for authentication. The attackers thereby obtain Root access to every Exim server they manage to compromise.

Phase Three: Retrieve & Upload

The shell script retrieves information about the infected machine. It sets several variables that are visible to all child processes because of the export command. One variable is UPLOAD_URL, which contains the first remote location, a C2 server: “hxxps://85[.]25[.]84[.]99/up[.]php”. One function of the script, snd(), is used to upload stolen information: a shell command is launched with three exported variables, UPLOAD_FILE, UPLOAD_NAME and UPLOAD_URL, and then the atd file is executed. The script then gathers information such as system version, IP address, iptables status, ip6tables status, kernel modules, user ID, memory information, the state of established connections, CPU architecture, disk space and more. All of this information is compressed, sent to the C2 server using the aforementioned snd() function and then removed from the machine.

The following non-default Exim configurations can easily be exploited:

  • If the “verify = recipient” ACL was removed manually by an administrator (maybe to prevent username enumeration via RCPT TO), then the local-exploitation method also works remotely.
  • If Exim was configured to recognize tags in the local part of the recipient’s address (via “local_part_suffix = +* : -*” for example), then a remote attacker can simply reuse the local-exploitation method with an RCPT TO “balrog+${run{…}}@localhost” (where “balrog” is the name of a local user).
  • If Exim was configured to relay mail to a remote domain, as a secondary MX (Mail eXchange), then a remote attacker can simply reuse the local-exploitation method with an RCPT TO “${run{…}}@khazad.dum” (where “khazad.dum” is one of Exim’s relay_to_domains). Indeed, the “verify = recipient” ACL can only check the domain part of a remote address (the part that follows the @ sign), not the local part.
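Added example, not from the report or from the Exim project: a Python triage script (all function and constant names are assumptions) that checks an Exim version against the 4.87 to 4.91 range the report names as vulnerable, and scans constructed mainlog/rejectlog lines for recipient addresses carrying the ${run{…}} expansion quoted above, mapping each hit to the non-default configuration from the list it relies on. The log line layouts and the extra expansion operators beyond “run” are assumptions, and PLACEHOLDER stands in for the expansion body the report elides.

```python
import re

# Version range the report names as vulnerable; 4.92 is the patched release.
VULNERABLE_MIN, VULNERABLE_MAX = (4, 87), (4, 91)

# "${run{" is the construct quoted in the report; the other operators are an
# assumption (related Exim expansion items that never belong in a local part).
EXPANSION = re.compile(r"\$\{(run|readsocket|readfile|perl)\{", re.IGNORECASE)

# Where Exim records recipients: mainlog "... for <addr>" and rejectlog
# "rejected RCPT <addr>". The lines below are constructed samples (assumed layout).
RCPT_FIELD = [re.compile(r"rejected RCPT <(.+)>"), re.compile(r"\sfor\s(.+)$")]
SAMPLE_LINES = [
    "2019-06-25 10:01:02 H=(localhost) [203.0.113.10] F=<x@example.org> "
    "rejected RCPT <balrog+${run{PLACEHOLDER}}@localhost>: Unrouteable address",
    "2019-06-25 10:02:03 1hfXYZ-0001AB-2C <= x@example.org H=(mx) [203.0.113.11] "
    "P=esmtp S=420 for ${run{PLACEHOLDER}}@khazad.dum",
    "2019-06-25 10:03:04 1hfXYZ-0001AC-3D <= alice@example.org H=(mx) "
    "[198.51.100.7] P=esmtp S=512 for bob@example.com",
]

def exim_version_is_vulnerable(version: str) -> bool:
    """True when MAJOR.MINOR lies within 4.87..4.91 as stated by the report."""
    m = re.match(r"(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Exim version: {version!r}")
    return VULNERABLE_MIN <= (int(m[1]), int(m[2])) <= VULNERABLE_MAX

def classify_vector(recipient: str) -> str:
    """Name the non-default configuration a suspicious RCPT TO relies on."""
    local_part, _, domain = recipient.rpartition("@")
    prefix = local_part.split("${", 1)[0]        # text before the expansion
    if re.search(r"[+-]", prefix):               # balrog+${...}: address tags
        return "local_part_suffix tag in local part"
    if domain.lower() not in ("localhost", ""):  # ${...}@relayed.domain
        return "relay_to_domains / secondary MX"
    return "local domain, verify=recipient missing"

def scan_exim_log(lines):
    """Return (line, recipient, vector) for every recipient field carrying a
    string-expansion construct; ordinary recipients produce no hit."""
    hits = []
    for line in lines:
        for pat in RCPT_FIELD:
            m = pat.search(line)
            if m and EXPANSION.search(m[1]):
                hits.append((line, m[1], classify_vector(m[1])))
                break
    return hits
```

Run scan_exim_log over your own mainlog and rejectlog lines; any hit on a server in the vulnerable version range warrants the SSH-key and Root-login checks described in the phases above.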

Indicators of Compromise

Type                     Value
Drop URL                 hxxp://173[.]212[.]214[.]137/se
Command & Control (C2)   hxxps://85[.]25[.]84[.]99
File (SHA-256)           1c8f184c3cf902bafc9df23b13a5d51cf801026bc3bde9d6b05cf047523ac6ed

Vulnerable Software

Exim installations that run versions 4.87 to 4.91 are vulnerable.

Version 4.92 is patched and not vulnerable.


Invinsec strongly recommend the following actions:

  • Patch vulnerable systems to version 4.92
  • Review email-capable systems to identify where the vulnerable software is used (this may include email servers, gateways, or other email-enabled software)
  • Implement filters at the email gateway. Filter out emails with known malspam indicators and block suspicious IP addresses at the firewall.
  • Educate and train employees on social engineering and phishing (e.g. do not open suspicious emails or click on the links provided in such emails).
  • If there is no policy regarding suspicious emails, consider creating one and specify that all suspicious emails should be reported to the security and/or IT departments.
  • Keep computer systems patched. Patched systems provide less opportunity for infection.
