I really enjoy running honeypots. Honeypots can provide a wealth of information about how attackers operate and what they hope to achieve with their attack. I recently discovered a way to prevent the Exim vulnerability from working on unpatched systems running version 4.91 and lower. I discovered this with the help of an anonymous Gray-Hat. So I thought this would be the perfect opportunity to set up a honeypot for the new Exim vulnerability and see what I catch.

What I came up with is a bash script-based honeypot. Essentially I have an installation script that downloads a vulnerable version of Exim, installs it, and patches it against the vulnerability.

I call it StickyExim.

StickyExim is made up of two parts. The first part is the installation and configuration of the Exim service. The key here is to both look like a real Exim server and also look vulnerable, without actually being vulnerable. So instead of running Exim on port 25 alone, it sets up the usual port numbers: 25, 2525, 587, and 465 with SSL. I’m hoping the addition of the alternative ports will make it appear to be a legitimate server.

The patch installed into the Exim config produces a distinctive error message that can be read in the logs. The patch for this Exim vulnerability is a pair of ACL rules that configure Exim to deny any recipient address (the “To” field of the e-mail) containing a ${run{...}} command, which is what the exploit relies on.

  deny
    message = Restricted characters in address
    domains = +local_domains
    local_parts = ^[.] : ^.*[@%!/|] : ^.*\N\${run{\N.*}}

  deny
    message = Restricted characters in address
    domains = !+local_domains
    local_parts = ^[./|] : ^.*[@%!] : ^.*/\\.\\./ : ^.*\N\${run{\N.*}}

With this patch to the Exim configuration, I’m still able to receive e-mails which try to use the exploit, but the messages will be denied. Each denial writes a unique error message to the logs. At this point, the second half of StickyExim comes into play.

The second part of this is called Honey Harvester. Basically, it scans the logs for the unique error message produced by attempts to exploit the vulnerability. The IP address involved in attempting to exploit the system is taken from the log. For each IP address found in this way, the honey harvester gathers all logs related to the event, gathers all information about the IP owner, and then submits those logs with an abuse report to the IP owner. An additional copy of the abuse report is sent to a special logging e-mail address which is configured in the script. The honey harvester simply runs as a cron job every 15 minutes by default, so you get feedback fairly quickly when an exploit attempt is made.
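To illustrate the harvesting step described above (scan the log for the deny message, pull out the client IP, and gather every line belonging to that event), here is an added Python example; it is not part of StickyExim. The log lines are constructed in the shape of Exim mainlog entries, the hostname honeypot.example.com is a placeholder, and the IP-owner lookup and e-mailing of the report are left out.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of Exim mainlog entries (not real traffic).
SAMPLE_LOG = """\
2019-06-10 12:34:55 SMTP connection from [192.0.2.10]:43210 (TCP/IP connection count = 1)
2019-06-10 12:34:56 H=(localhost) [192.0.2.10] F=<root@localhost> rejected RCPT <${run{...}}@localhost>: Restricted characters in address
2019-06-10 12:34:57 SMTP connection from [192.0.2.10]:43210 closed by QUIT
2019-06-10 12:40:01 1hadj0-0001A2-Bc <= alice@example.org H=(mail.example.org) [198.51.100.7] P=esmtp S=1024
2019-06-10 12:40:02 1hadj0-0001A2-Bc => bob <bob@example.com> R=local_user T=local_delivery
2019-06-10 12:40:02 1hadj0-0001A2-Bc Completed
2019-06-10 13:02:10 H=(x) [203.0.113.5] F=<> rejected RCPT <${run{...}}@localhost>: Restricted characters in address
"""

# The "message =" text from the deny rules in the Exim config above.
TRIGGER = "Restricted characters in address"
# Exim writes the client address in square brackets; this also covers IPv6 literals.
IP_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def find_offending_ips(log_text):
    """Return the set of client IPs whose RCPT was denied with the honeypot message."""
    ips = set()
    for line in log_text.splitlines():
        if "rejected RCPT" in line and TRIGGER in line:
            m = IP_RE.search(line)
            if m:
                ips.add(m.group(1))
    return ips


def collect_events(log_text, ips):
    """Map each offending IP to every log line that mentions it (connection, reject, close)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = IP_RE.search(line)
        if m and m.group(1) in ips:
            events[m.group(1)].append(line)
    return dict(events)


def build_abuse_report(ip, lines, honeypot_host="honeypot.example.com"):
    """Plain-text body for the abuse report; honeypot_host is a placeholder, not a real server."""
    header = (f"Exploit attempt against Exim honeypot {honeypot_host} from {ip}\n"
              f"{len(lines)} related log line(s) follow:\n")
    return header + "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_offending_ips(SAMPLE_LOG)
    for ip, lines in collect_events(SAMPLE_LOG, hits).items():
        print(build_abuse_report(ip, lines))
```

Legitimate traffic (the accepted message from 198.51.100.7) never appears in a report because only IPs that triggered the deny message are collected.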

If you’re interested in running StickyExim for yourself, visit my GitHub page where you can download the code. Instructions on how to install and configure it can be found there as well. If you run into any issues running the scripts or have any questions feel free to e-mail me using the contact page of this website.

https://github.com/Brets0150/StickyExim