SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Server)  >   Exim Vendors:   Exim.org
Exim Mail Server Pipe Address Validation Error May Let Remote Users Execute Arbitrary Code With Root Privileges in a Certain Configuration
SecurityTracker Alert ID:  1003014
SecurityTracker URL:  http://securitytracker.com/id/1003014
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Dec 19 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): prior to Exim 3.34 and Exim 3.952 (alpha for Exim 4)
Description:   A vulnerability was reported in the Exim mail server. In certain configurations, a remote user can cause arbitrary commands to be executed on the server with root privileges, giving that user root access to the server.

The server is exposed only when its run time configuration directs or routes an address to a pipe transport without checking the local part of the address in any way. An example of this type of configuration is one where all incoming mail is sent directly to a virus checker by means of a pipe, without inspecting the local parts of addresses.

The bug can reportedly be triggered by routing/directing an address whose local part begins with a pipe symbol (vertical bar, "|") to a pipe transport. As a result, Exim runs the command encoded in the local part instead of the command configured on the pipe transport.

The author of the report notes that Patrice Fournier discovered and reported the problem.
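To make the mechanism concrete, here is an added C illustration (not Exim's source and not part of the advisory) of the decision that the vendor patch changes: how the pipe transport picks the command to run before and after the fix, modelled on the patch's af_pfr check, plus the SMTP-time local-part filter that the vendor message says the Exim 4 default configuration applies. The struct, its field names, the function names and the sample addresses are assumptions constructed for this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the address handed to the pipe transport. The field
 * names are assumptions made for this example; they are not Exim's struct. */
typedef struct {
    const char *local_part; /* local part of the recipient address */
    bool from_pfr;          /* true when the address was generated by an
                             * alias/forward file entry (Exim's af_pfr flag),
                             * i.e. its local part has already been checked */
} address_item;

/* Skip the leading '|' and any whitespace that follows it. */
static const char *command_after_pipe(const char *local_part)
{
    const char *cmd = local_part + 1;
    while (isspace((unsigned char)*cmd)) cmd++;
    return cmd;
}

/* Before the fix: any local part starting with '|' is taken as the command,
 * even if it arrived directly in an SMTP RCPT command. */
const char *pipe_command_vulnerable(const address_item *addr,
                                    const char *transport_cmd)
{
    if (addr->local_part[0] == '|')
        return command_after_pipe(addr->local_part);
    return transport_cmd;
}

/* After the fix: a leading '|' is only honoured for addresses that came from
 * an alias/forward expansion; everything else uses the transport's command. */
const char *pipe_command_fixed(const address_item *addr,
                               const char *transport_cmd)
{
    if (addr->from_pfr && addr->local_part[0] == '|')
        return command_after_pipe(addr->local_part);
    return transport_cmd;
}

/* Defence in depth at SMTP time: the vendor message notes that the Exim 4
 * default configuration rejects local parts containing any of @ % ! / |.
 * Returns true when the local part is acceptable. */
bool local_part_acceptable(const char *local_part)
{
    return local_part[0] != '\0' && strpbrk(local_part, "@%!/|") == NULL;
}

int main(void)
{
    /* Constructed sample inputs: a configured scanner command, an address
     * taken straight from SMTP, and an alias-file pipe entry. */
    const char *scanner = "/usr/local/bin/virus-scan";
    address_item smtp_rcpt  = { "| untrusted-command", false };
    address_item alias_pipe = { "|/usr/bin/procmail", true };

    printf("vulnerable, SMTP address: runs '%s'\n",
           pipe_command_vulnerable(&smtp_rcpt, scanner));
    printf("fixed,      SMTP address: runs '%s'\n",
           pipe_command_fixed(&smtp_rcpt, scanner));
    printf("fixed,      alias pipe:   runs '%s'\n",
           pipe_command_fixed(&alias_pipe, scanner));
    printf("SMTP-time filter accepts '%s': %s\n", smtp_rcpt.local_part,
           local_part_acceptable(smtp_rcpt.local_part) ? "yes" : "no");
    return 0;
}
```

The point of the two selection functions is that the fix does not change how a legitimate alias-file pipe entry is handled (from_pfr is set, so its command still runs); it only stops an unchecked SMTP-supplied local part from being promoted to a command. The SMTP-time filter is the independent, configuration-level check that makes such an address never reach a pipe transport in the first place.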

Impact:   A remote user can execute arbitrary shell commands on the server with root level privileges if the server is configured in a particular manner.
Solution:   The vendor has released a fix. Upgrade to Exim 3.34 or Exim 3.952 (the alpha for Exim 4).

Alternatively, apply one of the two patches contained in the Source Message below. According to the vendor, the first patch is for version 3.33 and should work on all previous versions back to 3.20; the second is for versions before 3.20 and should work at least as far back as release 3.12.

Vendor URL:  www.exim.org/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Issues Fix) Exim Mail Server Pipe Address Validation Error May Let Remote Users Execute Arbitrary Code With Root Privileges in a Certain Configuration
The vendor has released a fix.
(Red Hat Issues Fix) Re: Exim Mail Server Pipe Address Validation Error May Let Remote Users Execute Arbitrary Code With Root Privileges in a Certain Configuration
Red Hat has issued a fix.
(Conectiva Issues Fix) Exim Mail Server Pipe Address Validation Error May Let Remote Users Execute Arbitrary Code With Root Privileges in a Certain Configuration
The vendor has released a fix.



Source Message Contents

Subject:  [ph10@cus.cam.ac.uk: [Exim] Potential security problem]


Forwarded from the exim-users mailing list

----- Forwarded message from Philip Hazel <ph10@cus.cam.ac.uk> -----

From: Philip Hazel <ph10@cus.cam.ac.uk>
To:  <exim-users@exim.org>,  <exim-announce@exim.org>
Subject: [Exim] Potential security problem
X-BeenThere: exim-users@exim.org
Date: Wed, 19 Dec 2001 14:35:41 +0000 (GMT)

Important. Please read.

Amongst other things, Exim 3.34 and Exim 3.952 (alpha for Exim 4), which I have
just put onto the primary ftp site, contain a fix for a potential security
problem. Please check whether this could affect you, and if so, either upgrade
to the new release, or apply one of the patches below.

The problem exists only in the case of a run time configuration which directs
or routes an address to a pipe transport without checking the local part of the
address in any way. This does not apply, for example, to pipes run from alias
or forward files, because the local part is checked to ensure that it is the
name of an alias or of a local user.

One kind of configuration where this may apply is one where all incoming mail
is sent straight to a virus checker by means of a pipe, without inspecting the
local parts of addresses. However, if receiver_verify is turned on, and the
director/router that is used for the pipe has no_verify set, there may not be
an exposure, because the local parts are probably checked by the verification
process even though they are not checked at delivery time before being sent to
the pipe.

The bug is provoked by routing/directing an address whose local part begins
with a pipe symbol (vertical bar) to a pipe transport. That is why any
configuration in which local parts are first checked in some way is not
normally vulnerable (a local part starting with a pipe symbol is normally
invalid). The Exim 4 default configuration blocks local parts that contain any
of the characters @%!/| at SMTP time, as it happens.

The bug's effect is that, instead of obeying the correct pipe command, a broken
Exim runs the command encoded in the local part.

If you do not want to upgrade to Exim 3.34, here are two patches for earlier
versions. The fix is very simple. The bug was a bit of idiotic stupidity on my
part. Apologies for the inconvenience. My thanks to Patrice Fournier for
discovering and reporting this problem, and keeping on at me when at first I
did not believe him.

----------------------------------------------------------------------------
This patch is for version 3.33. It should also work on all previous versions
back to 3.20.

*** exim-3.33/src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c	Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */

! if (addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */

! if (testflag(addr,af_pfr) && addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
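Review bot: the new guard `if (testflag(addr,af_pfr) && addr->local_part[0] == '|')` only treats a leading pipe symbol as a command for addresses that an alias or forward file generated, but the comment immediately above it still says the command is taken from addr->local_part whenever it "starts with the pipe symbol"; update that comment to state the af_pfr requirement so the unconditional check is not reintroduced later. Also note that the old-file header names `exim-3.33/src/transports/pipe.c` while the new-file header names `transports/pipe.c`, so anyone applying this with patch(1) should run it from a directory, and with a -p strip level, under which `transports/pipe.c` resolves.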
----------------------------------------------------------------------------


----------------------------------------------------------------------------
This patch is for versions before 3.20. It should work at least as far back as
release 3.12 (which was released on December 8, 1999). It may work on earlier
releases - if not, it is such a simple patch that you should be able to figure
out what to change by hand.

*** src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c	Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */

! if (addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
  pointed to by addr->local_part; it starts with the pipe symbol. In other cases,
  the command is supplied as one of the pipe transport's options. */

! if (addr->pfr && addr->local_part[0] == '|')
    {
    cmd = addr->local_part + 1;
    while (isspace((uschar)*cmd)) cmd++;
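Review bot: this variant tests `addr->pfr` directly instead of `testflag(addr,af_pfr)`, so it depends on the address structure in releases before 3.20 having a `pfr` member that is set for addresses produced by alias/forward pipe entries; anyone applying it to an older tree should confirm both, because a missing member fails the build and a member that is never set would leave legitimate alias pipes falling back to the transport's configured command. The hunk header also reuses the 3.33 line numbers (`487,493`) while targeting older releases, so patch(1) will most likely apply it with an offset; that is expected, but a rejected hunk means the surrounding comment differs and the one-line condition should be changed by hand as the accompanying text suggests.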
----------------------------------------------------------------------------


--
Philip Hazel            University of Cambridge Computing Service,
ph10@cus.cam.ac.uk      Cambridge, England. Phone: +44 1223 334714.


--

## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##



----- End forwarded message -----

-- 
--------------------------------------------------------------------
Tabor J. Wells                                     twells@fsckit.net
Fsck It!                 Just another victim of the ambient morality

 
 


Copyright 2019, SecurityGlobal.net LLC