On Fri, 2010-12-10 at 10:35 -0500, W B Hacker wrote:
> That said - I am not sure THIS exploit actually puts the average system at
> risk.
>
> Surely we would have seen more real-world compromises over the many years?

I wouldn't be so sure. It may have been there for ever, but ironically I don't think it really became a *danger* until we fixed it. A commit message saying 'Buffer overrun fix' is a bit of an open invitation to come and play.

It is unfortunate that we fixed a buffer overflow, didn't think of it as a potential security issue (which *all* buffer overflows are unless you can prove otherwise), and then didn't even call it out in the 4.70 announcement. (I don't intend that as criticism of the people involved; just want to make sure we recognise the right thing to do in future). In retrospect, we probably should have got a CVE assigned for it at the time.

> Was the OP actually hit with this?
> Or did he *write* it? (no apologies, w/r servers, I am one paranoid MF!)
> And is the community now being enlisted to confirm it can work - and show
> how to refine it?

I don't think that's likely -- it had already worked by the time he showed it to us, and we haven't refined it. We've just had to work out for ourselves which bug it was triggering and how, but the person who wrote the attack will have started off with the bug and developed the exploit from that.

> [1] for several reasons - throttled bandwidth, per-IP connection limit,
> limited total connections, rDNS hard-fail, and finally defer if the
> deliberately limited pool of PostgreSQL connections is used up.

None of those protect you against this. It only needs *one* connection. And it doesn't even *need* to send you 50MiB of data; any post-DATA rejection would suffice. It's just that a 50MiB mail is a fairly good bet for rejection. The EICAR test virus would be another reasonable bet.

-- 
dwmw2

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-dev
Exim details at http://www.exim.org/ ##
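The practical consequence of the last paragraph is that rate limits and connection caps are not a detection signal for this attack path: one connection that reaches a post-DATA rejection is enough, so on a server still running a pre-4.70 Exim every such rejection deserves a look. The following is an added example, not part of this thread and not Exim's own code. It parses constructed log lines written in the style of Exim's main log (the "H=host [ip] F=<sender> rejected after DATA: reason" shape; the exact wording of the reason text varies with local ACL configuration) and counts post-DATA rejections per client IP. The function names and the sample lines are this example's own assumptions.

```python
"""Count post-DATA rejections per client IP from Exim-style main-log lines.

Added example for the exim-dev thread above; not Exim's own code.  The
point it demonstrates: because the attack needs only one connection, the
threshold that matters is 1, not a rate.
"""
import re
from collections import defaultdict

# Constructed sample lines in the style of Exim's mainlog (not real data).
SAMPLE_LOG = """\
2010-12-10 10:35:01 H=mail.example.net [192.0.2.10] F=<alice@example.net> rejected after DATA: virus found: EICAR-Test-File
2010-12-10 10:35:02 1PR1Xg-0001Xa-2Z <= bob@example.org H=relay.example.org [198.51.100.7] P=esmtp S=2048
2010-12-10 10:35:09 H=(localhost) [203.0.113.5] F=<x@y.invalid> rejected after DATA: message too big (52428800 bytes)
2010-12-10 10:35:11 H=(localhost) [203.0.113.5] F=<x@y.invalid> rejected after DATA: message too big (52428800 bytes)
2010-12-10 10:35:20 H=mx.example.com [192.0.2.10] F=<alice@example.net> rejected RCPT <nobody@example.com>: Unrouteable address
"""

# Only lines rejected in the DATA ACL match; RCPT-time rejections and
# accepted messages ("<=") are deliberately ignored.
REJECT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"H=(?P<host>\S+) \[(?P<ip>[^\]]+)\] "
    r"(?:F=<(?P<sender>[^>]*)> )?"
    r"rejected after DATA: (?P<reason>.*)$"
)


def parse_post_data_rejections(log_text):
    """Return one dict (ts, host, ip, sender, reason) per post-DATA rejection."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def rejections_by_ip(log_text):
    """Map client IP -> number of post-DATA rejections seen from it."""
    counts = defaultdict(int)
    for ev in parse_post_data_rejections(log_text):
        counts[ev["ip"]] += 1
    return dict(counts)


def suspicious_ips(log_text, threshold=1):
    """IPs with at least `threshold` post-DATA rejections, sorted.

    The default of 1 is the whole lesson of the thread: a single rejected
    DATA phase is sufficient, so there is no "normal" rate to tune against
    on an unpatched server.
    """
    return sorted(ip for ip, n in rejections_by_ip(log_text).items()
                  if n >= threshold)


if __name__ == "__main__":
    for ev in parse_post_data_rejections(SAMPLE_LOG):
        print(ev["ts"], ev["ip"], ev["reason"])
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

Run against a real mainlog with `suspicious_ips(open("/var/log/exim4/mainlog").read())`; raising `threshold` is only sensible once the server is patched and the events are back to being ordinary spam rejections rather than candidate exploitation attempts.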
