On Mon, 2010-12-13 at 16:21 +0100, Sandro Tosi wrote:
> We have a 4.69 custom installation, so I tried to replicate the exploit
> at [1] but without success (FSVO it ;).
>
> [1] http://seclists.org/fulldisclosure/2010/Dec/222
>
> we have set 'message_size_limit = 100M' and the attack stops with a
>
> 552 Message size exceeds maximum permitted
>
> and log entry:
>
> 2010-12-13 11:50:06 [22328] 1PS5yL-0005o8-R7 rejected from
> <[email protected]> H=(abcde.com) [195.110.97.5]: message too big:
> read=105155021 max=104857600
>
> does this mean that the attack needs to send more than 100M of data and so
> our config is "safe"?

The body size has nothing to do with it. Personally I tweaked it down to 1MiB on my test box to speed up testing. It's the size of the *headers* which does it. Your initial headers need to precisely reach the end of the log buffer in order to trigger the overflow bug.

> If some unlucky guy is in a position that cannot check how a given exim
> installation was compiled, is there a way to know if
> ALT_CONFIG_ROOT_ONLY was set or not at build time?

Create a config file in /tmp, and as the Exim user try running exim -C /tmp/myconfig

-- 
dwmw2

-- 
## List details at http://lists.exim.org/mailman/listinfo/exim-dev
## Exim details at http://www.exim.org/ ##
