Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server
SecurityTracker Alert ID: 1001694
SecurityTracker URL: http://securitytracker.com/id/1001694
Date: Jun 6 2001
Impact: Execution of arbitrary code via network, Root access via network
Exploit Included: Yes
A vulnerability has been reported in the Exim mail server that may allow a remote user to execute arbitrary code on the server.
It is reported that when Exim is configured to check incoming mail headers for proper syntax, the vulnerability can be triggered. This is configured through the /etc/exim.conf headers_check_syntax option. By default, this option is not set.
The vulnerability reportedly exists in the accept.c module where the moan_smtp_batch() function is called.
A demonstration exploit transcript is provided in the Source Message.
A remote user can execute arbitrary code on the server with root-level privileges.
No solution was available at the time of this entry.
Vendor URL: www.exim.org/
Cause: Input validation error
Underlying OS: Linux (Any), UNIX (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Wed, 6 Jun 2001 14:03:25 +0200
Subject: lil' exim format bug
Just a little bug to tell:
accept.c, line 2506:
else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);
while moan_smtp_batch is like this:
moan_smtp_batch(char *cmd_buffer, char *format, ...)
So when smtp_reply contains format strings, it gets transformed by
Why did I say that it's a little bug?
This piece of code is only executed when exim is configured to check incoming mails' headers:
/etc/exim.conf should have an option set:
By default it's turned OFF.
Only a few people turn it on.
So it's NOT vulnerable BY DEFAULT.
lez:~$ /usr/sbin/exim -bS
Somewhere in the answers you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40
If you change the %p's to %s's, you get a segfault. With a carefully constructed thing, it's easy to overwrite the saved eip with %n's and get root out of this bug.
No exploit yet, but after the many local format bug exploits it's not much work to write one for a skilled man.
Megyer Laszlo (Lez)
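Added example (not Exim's code and not from the report above): a hypothetical C stand-in for the moan_smtp_batch() call shape, showing the reported vulnerable pattern (the SMTP reply text, with the From: header value embedded, used as the format parameter) beside the hardened form (a literal "%s" format with the reply as an argument), plus a check a maintainer can run over text before it reaches a format parameter. The names moan_vulnerable, moan_fixed, build_reply, contains_format_directive and reply_altered are assumed, and the demonstration uses only "%%" so that it stays within defined behaviour.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical stand-ins for the reported call site, not Exim's own code.
 * Vulnerable shape: the reply, which embeds the From: header value, is the
 * format and gets parsed for % directives. With a format(printf) attribute
 * gcc -Wformat-security would flag callers that pass it untrusted text. */
static void moan_vulnerable(char *out, size_t n, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, n, format, ap);
    va_end(ap);
}

/* Hardened shape: literal format, untrusted text passed as an argument. */
static void moan_fixed(char *out, size_t n, const char *reply)
{
    snprintf(out, n, "%s", reply);
}

/* The 550 reply as the report shows it, with the failing address copied in. */
static void build_reply(char *out, size_t n, const char *failing_address)
{
    snprintf(out, n, "550 Syntax error in 'From' header: domain missing "
             "or malformed: failing address is: %s", failing_address);
}

/* Defensive check for text about to reach a format parameter: true if it
 * holds any conversion directive ("%%" alone is only a literal '%'). */
bool contains_format_directive(const char *s)
{
    for (const char *p = strchr(s, '%'); p != NULL; p = strchr(p + 2, '%'))
        if (p[1] != '%')
            return true;
    return false;
}
/* 1 if the chosen path altered the reply, i.e. parsed it as a format. "%%" is
 * used so this stays well defined; the report's "%p" run reads stack words. */
int reply_altered(const char *header_address, bool hardened)
{
    char reply[256], out[256];
    build_reply(reply, sizeof reply, header_address);
    if (hardened)
        moan_fixed(out, sizeof out, reply);
    else
        moan_vulnerable(out, sizeof out, reply);
    return strcmp(out, reply) != 0;
}
```

The same contrast applies to the real call: moan_smtp_batch(NULL, "%s", smtp_reply) keeps header text out of the format parser entirely.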