Possible root vulnerability in Exim internet mailer - Update
According to a posting on the Exim developer mailing list, the Debian package (and potentially others) contains a vulnerability which can be remotely exploited by attackers to gain control of a server. Initial investigations by Sergey Kononenko, administrator of a network penetrated by unknown attackers, apparently via this vulnerability, suggest that the problem may be caused by a bug in the way certain email headers (HeaderX) are processed.
By using crafted emails, the attackers were able to launch a shell and place further files on the server. Because Exim is usually set to SUID root, by using additional techniques the attackers were able to obtain root privileges.
It's worth noting that Kononenko was not running the official version of the Exim service, but the beefed up version included in Debian Lenny (exim4-daemon-light 4.69-9). Kononenko reports that he has also succeeded in obtaining root privileges using exim4-daemon-light 4.72-2, the version included in Debian Squeeze. He has not tested the latter to determine whether it also contains the actual vulnerability. It's also unclear whether packages included in other distributions are affected.
Kononenko is not divulging further information on the vulnerability and on the attack scenario for now, preferring to wait until the developers have looked into the problem. He notes, however, that he was unable to find an email address for the current Exim maintainer, which is why he has published on the Exim developer mailing list.
As a workaround, it may be helpful to run Exim in unprivileged mode. Instructions for doing so can be found in the document 'Running Exim without privilege'. This does not, however, work under all configurations.
Update: Further analysis seems to indicate that the issue is caused by a bug in string_format(). The bug was already corrected in Exim 4.70. Because it was not rated as a security update, it has yet to be included in the current version of the Debian Lenny packages. Debian users can solve the problem by installing exim4-daemon-light 4.72 from the backports repository.
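Added example, not part of the original article: a small check that decides whether an installed Debian exim4 package version predates the 4.70 release the update names as containing the string_format() fix. It implements dpkg's version ordering (epoch, upstream, revision, with `~` sorting before everything) so that the Lenny and Squeeze versions quoted above, and backport or pre-release strings, compare correctly; the 4.70 threshold and the sample versions come from the article, everything else is constructed here.

```python
import itertools
import re

# Upstream version in which the article says the string_format() bug was fixed.
FIXED_UPSTREAM = "4.70"

def _order(c):
    # dpkg character ordering: '~' < end-of-string < letters < other symbols.
    if c == "~":
        return -1
    if c == "":
        return 0
    return ord(c) if c.isalpha() else ord(c) + 256

def _cmp_nondigit(x, y):
    for ca, cb in itertools.zip_longest(x, y, fillvalue=""):
        oa, ob = _order(ca), _order(cb)
        if oa != ob:
            return -1 if oa < ob else 1
    return 0

def _cmp_fragment(a, b):
    # Alternate non-digit and digit runs, as dpkg does for upstream/revision.
    while a or b:
        na, nb = re.match(r"\D*", a).group(0), re.match(r"\D*", b).group(0)
        a, b = a[len(na):], b[len(nb):]
        r = _cmp_nondigit(na, nb)
        if r:
            return r
        da, db = re.match(r"\d*", a).group(0), re.match(r"\d*", b).group(0)
        a, b = a[len(da):], b[len(db):]
        ia, ib = int(da or 0), int(db or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def parse_version(v):
    # "epoch:upstream-revision"; epoch and revision are optional.
    epoch, upstream, revision = 0, v, ""
    if ":" in upstream:
        e, upstream = upstream.split(":", 1)
        epoch = int(e)
    if "-" in upstream:
        upstream, revision = upstream.rsplit("-", 1)
    return epoch, upstream, revision

def compare_versions(a, b):
    # Returns -1, 0 or 1 like dpkg --compare-versions would order a and b.
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)

def lacks_fix(installed):
    # True when the package's upstream version is older than the fixed release.
    return compare_versions(installed, FIXED_UPSTREAM) < 0
```

Feed it the version column of `dpkg -l exim4-daemon-light`; a True result means the package predates the fix regardless of Debian revision.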