This article is about the recently published security advisory for a fairly popular piece of software, fail2ban (CVE-2021-32749). The vulnerability could be exploited at scale and lead to root-level code execution on many boxes; however, pulling it off is rather hard for a regular person. It all has its roots in the mailutils package, and I found it entirely by accident while playing with the mail command.
Fail2ban analyses logs (or other data sources) for traces of brute-force attempts in order to block them by IP address. There are plenty of rules for different services (SSH, SMTP, HTTP, etc.). There are also predefined actions that can be performed after a client is blocked; one of them is sending an e-mail. If you search the Internet for how to send an e-mail from the command line, you will often get a solution like this:
That is exactly how one of the fail2ban actions is configured to send e-mails about a client getting blocked (the fragment below is the relevant part of that action):

    The IP <ip> has just been banned by Fail2Ban after
    <failures> attempts against <name>.\n\n
    Here is more information about <ip> :\n
    Fail2Ban"|mail -s "[Fail2Ban] <name>: banned <ip> from <fq-hostname>" <dest>
There is nothing suspicious about the above until you know about one specific thing that can be found in the mailutils manual: the tilde escape sequences.
The ‘~!’ escape executes specified command and returns you to mail compose mode without altering your message. When used without arguments, it starts your login shell. The ‘~|’ escape pipes the message composed so far through the given shell command and replaces the message with the output the command produced. If the command produced no output, mail assumes that something went wrong and retains the old contents of your message.
This is how it works in real life (the command run through the escape was uname -a, and this is what came back):

    Linux fail2ban 4.19.0-16-cloud-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux
If you go back to the fail2ban e-mail action mentioned above, you will notice that whois output is attached to the e-mail body. So if we could add a tilde escape sequence to the whois output for our IP address, it should end up with code execution. As root.
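As an added example (not from the original article or from fail2ban), a small Python check a defender could run on untrusted text such as whois output before it is handed to mail: it flags every line that begins with the tilde escape character, reports whether one of the two shell escapes quoted above is present, and neutralizes them by indenting those lines. The whois sample is constructed.

```python
from typing import List, Tuple

# mailutils `mail` recognises an escape only when the escape character
# (default '~') is the very first character of an input line. The two
# escapes quoted from the manual above, ~! and ~|, hand the rest of the
# line to a shell.
ESCAPE_CHAR = "~"
SHELL_ESCAPES = ("!", "|")


def find_tilde_escapes(body: str) -> List[Tuple[int, str]]:
    """Return (line_number, line) for each line mail would treat as an escape."""
    return [
        (lineno, line)
        for lineno, line in enumerate(body.splitlines(), start=1)
        if line.startswith(ESCAPE_CHAR)
    ]


def has_shell_escape(body: str) -> bool:
    """True if any escape line is ~! or ~| (the command-executing ones)."""
    return any(
        len(line) > 1 and line[1] in SHELL_ESCAPES
        for _, line in find_tilde_escapes(body)
    )


def neutralize(body: str) -> str:
    """Indent tilde-initial lines by one space so they are no longer at column 0.

    The text stays readable in the e-mail, but mail no longer sees an escape;
    a tilde anywhere else on a line is already harmless.
    """
    return "\n".join(
        " " + line if line.startswith(ESCAPE_CHAR) else line
        for line in body.splitlines()
    ) + "\n"


# Constructed whois-style response (sample data, not a real record) with an
# injected escape line of the kind the article describes.
SAMPLE_WHOIS = (
    "% Information related to '198.51.100.0 - 198.51.100.255'\n"
    "inetnum:        198.51.100.0 - 198.51.100.255\n"
    "descr:          constructed sample network\n"
    "~! uname -a\n"
    "remarks:        a ~ in the middle of a line is not an escape\n"
)

if __name__ == "__main__":
    for lineno, line in find_tilde_escapes(SAMPLE_WHOIS):
        print(f"line {lineno}: {line!r}")
    print("shell escape present:", has_shell_escape(SAMPLE_WHOIS))
    print(neutralize(SAMPLE_WHOIS))
```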
What are our options?
As attackers we need to control the whois output. How to achieve that? Well, the first thing that came to my mind was to kindly ask my ISP to contact RIPE and create a custom entry for my particular IP address. Unfortunately, it doesn't work like that. RIPE/ARIN/APNIC and the others register entries for whole address blocks at minimum, not for a single IP address. Also, I'm more than sure that achieving this formally is extremely hard, plus the fact that putting a malicious payload into a whois entry would make people ask questions.
Is there a way to start my own whois server? Surprisingly, there is, and you can find a couple of them running on the Internet. By digging through the whois-related RFCs you can find information about an attribute called ReferralServer. If your whois client finds such an attribute in the response, it will query the server given in its value to get more information about the IP address or domain. Just take a look at what happens when querying whois for the IP address 188.8.131.52:
    # available at: https://www.arin.net/resources/registry/whois/tou/
    # If you see inaccuracies in the results, please report at
    # Copyright 1997-2021, American Registry for Internet Numbers, Ltd.
    % Information related to '184.108.40.206 - 220.127.116.11'
    % Abuse contact for '18.104.22.168 - firstname.lastname@example.org'
In theory, if you have a pretty big network, you could probably ask your Regional Internet Registry to use RWhois for your network.
On the other hand, simply imagine black hats breaking into a server running rwhois, putting a malicious entry there and then starting the attack. To be fair, this scenario seems far easier than becoming a big company in order to legally run its own whois server.
If you are a government and can simply control network traffic, the task is far easier. Taking a closer look at the whois protocol, we can notice a few things:
- it was designed a really long time ago,
- it’s pretty simple (you ask for IP or domain name and get the raw output),
- it’s unencrypted on the network level.
By simply performing a MITM attack on an unencrypted protocol (which whois is), attackers could insert the tilde escape sequence and start an attack across multiple hosts.
It's worth remembering that the root problem here is mailutils, which has this flaw by design. I believe a lot of people are unaware of this feature, and there is still plenty of software that may use the mail command this way.
As has been noticed many times in history, security is hard and complex. Sometimes a totally innocent piece of functionality that you would never suspect of being a threat can be the cause of a dangerous vulnerability.
Author: Jakub Żoczek