James E. Blair wrote:
> On 12/07/2010 01:59 PM, Sergey Kononenko wrote:
> > Hi,
> >
> > While investigating a security break-in in the network of my company,
> > I've captured (by tcpdump) the sequence of a successful remote root
> > attack through Exim. It was Exim from Debian Lenny
> > (exim4-daemon-light 4.69-9).
>
> Paul Fisher and I have successfully run the exploit against a copy
> of Exim running in a debugger on Debian Lenny, and we believe it
> utilizes this bug:
>
> http://bugs.exim.org/show_bug.cgi?id=787
>
> It was fixed in 4.70, but not in the version currently in Debian
> stable.
>
> James E. Blair
> UC Berkeley
I have found something else that looks fishy, but I don't know if it can be triggered in practice: internal_lsearch_find() in src/lookups/lsearch.c sets store_pool to MAIN_POOL but fails to reset store_pool to old_pool when returning DEFER in line 199. Maybe this could lead to another function later wrongly resetting the MAIN_POOL instead of the SEARCH_POOL, which could probably result in memory corruption.

Cheers,
Stefan

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
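The failure mode Stefan suspects, as an added example that is not Exim's code and not part of the thread: a toy two-pool bump allocator in which a lookup switches the global pool pointer and skips the restore on its DEFER path, so the caller's later reset lands on the wrong pool. Only the names MAIN_POOL, SEARCH_POOL, store_pool and DEFER come from the message; `store_get`, `store_reset`, the two lookup variants and the caller are constructed for illustration.

```c
/* Added example, not Exim code: a toy model of the failure mode Stefan
 * describes (a lookup that switches the global pool but skips the restore
 * on its DEFER path). Only the names MAIN_POOL, SEARCH_POOL, store_pool and
 * DEFER come from the message; the allocator and caller are constructed. */
#include <string.h>
enum { MAIN_POOL, SEARCH_POOL, NPOOLS };
enum { OK = 0, DEFER = -1 };
static char   pool_mem[NPOOLS][256];    /* one bump allocator per pool */
static size_t pool_used[NPOOLS];        /* high-water mark per pool */
static int    store_pool = SEARCH_POOL; /* pool that store_get() draws from */

static void *store_get(size_t n) {
    void *p = pool_mem[store_pool] + pool_used[store_pool];
    pool_used[store_pool] += n;
    return p;
}
/* Roll the *current* pool back to a saved mark, discarding newer data. */
static void store_reset(size_t mark) { pool_used[store_pool] = mark; }

/* Buggy: the DEFER path returns before store_pool is restored. */
static int lsearch_find_buggy(int fail) {
    int old_pool = store_pool;
    store_pool = MAIN_POOL;
    if (fail) return DEFER;             /* leaves store_pool == MAIN_POOL */
    store_pool = old_pool;
    return OK;
}
/* Fixed: single exit, so every path hands back the caller's pool. */
static int lsearch_find_fixed(int fail) {
    int old_pool = store_pool, rc = fail ? DEFER : OK;
    store_pool = MAIN_POOL;             /* lookup work would run here */
    store_pool = old_pool;
    return rc;
}

/* Caller: long-lived data in MAIN_POOL, scratch in SEARCH_POOL, then a
 * reset intended for SEARCH_POOL. Returns 1 if the MAIN_POOL data survived. */
static int scenario(int (*lookup)(int)) {
    memset(pool_used, 0, sizeof pool_used);
    store_pool = MAIN_POOL;
    char *cfg = store_get(16);
    strcpy(cfg, "live-config");
    store_pool = SEARCH_POOL;
    size_t mark = pool_used[SEARCH_POOL];
    store_get(32);                      /* lookup scratch */
    lookup(1);                          /* force the DEFER path */
    store_reset(mark);                  /* buggy case: truncates MAIN_POOL */
    memcpy(store_get(16), "SCRATCH-DATA-XX", 16); /* buggy: lands on cfg */
    return strcmp(cfg, "live-config") == 0;
}
```

With the buggy lookup, `scenario` returns 0 because the reset meant for SEARCH_POOL truncated MAIN_POOL and the next allocation overwrote the live data; with the fixed lookup it returns 1.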
