what you don't know can hurt you

Exim 4 Symlink / Race Condition Vulnerabilities

Exim 4 Symlink / Race Condition Vulnerabilities
Posted Jun 4, 2010
Authored by Dan Rosenberg

Exim 4 suffers from local symlink and race condition vulnerabilites.

tags | advisory, local
advisories | CVE-2010-2023, CVE-2010-2024
MD5 | 9074656fbb59e54a22cbb2af6948a1f9

Exim 4 Symlink / Race Condition Vulnerabilities

Change Mirror Download
==================================
Exim Mailer, multiple vulnerabilites
June 3, 2010
CVE-2010-2023, CVE-2010-2024
==================================

==Description==

Two vulnerabilities have been discovered in Exim 4, a popular mail transfer
agent used on Unix-like systems (www.exim.org).

1. When Exim is used with a world-writable mail directory with the sticky-bit
set, local users may create hard links to other non-root users' files at the
expected location of those users' mailboxes, causing their files to be written
to upon mail delivery. This could be used to create denial-of-service
conditions or potentially escalate privileges to those of targeted users. This
issue has been assigned CVE-2010-2023.

2. When MBX locking is enabled, local users may exploit a race condition to
change permissions of other non-root users' files, leading to denial-of-service
conditions or potentially privilege escalation, or to create new files owned by
other users in unauthorized locations. This issue has been assigned
CVE-2010-2024.

==Workarounds==

1. Both of these vulnerabilities can be mitigated on Linux by making use of
grsecurity (or similar) kernel extensions that enforce additional linking
restrictions. grsecurity mitigates these types of race conditions by
preventing users from following symbolic links owned by other users in
world-writable directories with the sticky bit set, and also by preventing
users from creating hard links to files they do not own. Other operating
systems may enforce similar restrictions by default.

2. The first issue can be mitigated by using a group-writable mail directory
owned by a "mail" group rather than a world-writable mail directory.

3. The second issue can be mitigated by disabling the MBX locking feature (this
is already the default with many packaged releases of Exim) or by mounting the
/tmp directory with options prohibiting the following of symbolic links created
by other users.

==Solution==

Exim has released a new version, 4.72, available for download at
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz. Vulnerable users are
advised to download and recompile from source, or request updated packages from
downstream distributions.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).

==Timeline==

5/24/10 - Reported to Exim
5/25/10 - Response from Exim
6/03/10 - Exim 4.72 released
6/03/10 - Disclosure

==References==

CVE identifiers CVE-2010-2023 and CVE-2010-2024 have been assigned to these
issues.

Exim 4.72 is available for download at:
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.bz2

Login or Register to add favorites

File Archive:

November 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    19 Files
  • 2
    Nov 2nd
    25 Files
  • 3
    Nov 3rd
    8 Files
  • 4
    Nov 4th
    7 Files
  • 5
    Nov 5th
    24 Files
  • 6
    Nov 6th
    0 Files
  • 7
    Nov 7th
    0 Files
  • 8
    Nov 8th
    18 Files
  • 9
    Nov 9th
    9 Files
  • 10
    Nov 10th
    106 Files
  • 11
    Nov 11th
    19 Files
  • 12
    Nov 12th
    13 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    18 Files
  • 16
    Nov 16th
    12 Files
  • 17
    Nov 17th
    15 Files
  • 18
    Nov 18th
    12 Files
  • 19
    Nov 19th
    4 Files
  • 20
    Nov 20th
    2 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    22 Files
  • 23
    Nov 23rd
    14 Files
  • 24
    Nov 24th
    19 Files
  • 25
    Nov 25th
    4 Files
  • 26
    Nov 26th
    1 Files
  • 27
    Nov 27th
    4 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close