
Exim 4 Symlink / Race Condition Vulnerabilities

Posted Jun 4, 2010
Authored by Dan Rosenberg

Exim 4 suffers from local symlink and race condition vulnerabilities.

tags | advisory, local
advisories | CVE-2010-2023, CVE-2010-2024
SHA-256 | d894d9ac3680893c4de1df8deea0bb09c3c5f18e99348ec10bb3351fafdf3e38

==================================
Exim Mailer, multiple vulnerabilities
June 3, 2010
CVE-2010-2023, CVE-2010-2024
==================================

==Description==

Two vulnerabilities have been discovered in Exim 4, a popular mail transfer
agent used on Unix-like systems (www.exim.org).

1. When Exim is used with a world-writable mail directory with the sticky bit
set, local users may create hard links to other non-root users' files at the
expected location of those users' mailboxes, causing their files to be written
to upon mail delivery. This could be used to create denial-of-service
conditions or potentially escalate privileges to those of targeted users. This
issue has been assigned CVE-2010-2023.

2. When MBX locking is enabled, local users may exploit a race condition to
change permissions of other non-root users' files, leading to denial-of-service
conditions or potentially privilege escalation, or to create new files owned by
other users in unauthorized locations. This issue has been assigned
CVE-2010-2024.
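
As an added example (not Exim's code and not part of the original advisory), the following shows a delivery-side check for the condition in issue 1: open the mailbox without following symlinks, then refuse any file that is not a regular file, has the wrong owner, or has more than one hard link. The names open_mailbox_checked and mbox_status are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical names for this added example; this is not Exim source. */
enum mbox_status { MBOX_OK = 0, MBOX_OPEN_FAILED, MBOX_NOT_REGULAR,
                   MBOX_WRONG_OWNER, MBOX_HARD_LINKED };

/* Open an existing mailbox for appending on behalf of `owner`.
   On MBOX_OK *fd_out is the descriptor; on any refusal it is -1. */
enum mbox_status open_mailbox_checked(const char *path, uid_t owner, int *fd_out)
{
    struct stat st;
    enum mbox_status rc = MBOX_OK;
    *fd_out = -1;

    /* O_NOFOLLOW refuses a symlink as the final path component;
       O_NONBLOCK avoids blocking on a planted FIFO. No O_CREAT here. */
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return MBOX_OPEN_FAILED;

    /* fstat() the descriptor, not the path, so the checks describe the
       object that was actually opened. */
    if (fstat(fd, &st) != 0)          rc = MBOX_OPEN_FAILED;
    else if (!S_ISREG(st.st_mode))    rc = MBOX_NOT_REGULAR;
    else if (st.st_uid != owner)      rc = MBOX_WRONG_OWNER;
    else if (st.st_nlink != 1)        rc = MBOX_HARD_LINKED; /* second name exists */

    if (rc != MBOX_OK) { close(fd); return rc; }
    *fd_out = fd;
    return MBOX_OK;
}

int main(int argc, char **argv)
{
    int fd;
    if (argc != 2) { fprintf(stderr, "usage: %s MAILBOX\n", argv[0]); return 2; }
    enum mbox_status rc = open_mailbox_checked(argv[1], getuid(), &fd);
    printf("%s: status %d\n", argv[1], (int)rc);
    if (fd >= 0) close(fd);
    return rc == MBOX_OK ? 0 : 1;
}
```

The owner check alone does not catch issue 1, because the linked file already belongs to the targeted user; the link-count test is what rejects it.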

==Workarounds==

1. Both of these vulnerabilities can be mitigated on Linux by making use of
grsecurity (or similar) kernel extensions that enforce additional linking
restrictions. grsecurity mitigates these types of race conditions by
preventing users from following symbolic links owned by other users in
world-writable directories with the sticky bit set, and also by preventing
users from creating hard links to files they do not own. Other operating
systems may enforce similar restrictions by default.

2. The first issue can be mitigated by using a group-writable mail directory
owned by a "mail" group rather than a world-writable mail directory.

3. The second issue can be mitigated by disabling the MBX locking feature (this
is already the default with many packaged releases of Exim) or by mounting the
/tmp directory with options prohibiting the following of symbolic links created
by other users.

==Solution==

Exim has released a new version, 4.72, available for download at
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz. Vulnerable users are
advised to download and recompile from source, or request updated packages from
downstream distributions.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).

==Timeline==

5/24/10 - Reported to Exim
5/25/10 - Response from Exim
6/03/10 - Exim 4.72 released
6/03/10 - Disclosure

==References==

CVE identifiers CVE-2010-2023 and CVE-2010-2024 have been assigned to these
issues.

Exim 4.72 is available for download at:
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.bz2
