Hi David,

thanks for the reply :)

On 12/13/2010 08:50 PM, David Woodhouse wrote:
> On Mon, 2010-12-13 at 16:21 +0100, Sandro Tosi wrote:
>> we have set 'message_size_limit = 100M' and the attack stops with a ...
>> does this mean that the attack needs to send more than 100M of data and so
>> our config is "safe"?
>
> The body size has nothing to do with it. Personally I tweaked it down to
> 1MiB on my test box to speed up testing.
>
> It's the size of the *headers* which does it. Your initial headers need
> to precisely reach the end of the log buffer in order to trigger the
> overflow bug.

Mh ok, I see, but now the question is: how can we replicate the exploit and
see if we're exposed? We thought that [1] was enough, maybe it's not. Could
you please send us (private email is fine, whatever you prefer) the script
you're running?

[1] http://seclists.org/fulldisclosure/2010/Dec/222

>> If some unlucky guy is in a position that cannot check how a given exim
>> installation was compiled, is there a way to know if
>> ALT_CONFIG_ROOT_ONLY was set or not at build time?
>
> Create a config file in /tmp, and as the Exim user try running
> exim -C /tmp/myconfig

sigh, it works :(

Thanks in advance,
--
Sandro Tosi
Product Engineer
Linux based Solutions
Hosting Products R&D | Dada.pro

--
## List details at http://lists.exim.org/mailman/listinfo/exim-dev Exim details at http://www.exim.org/ ##
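The ALT_CONFIG_ROOT_ONLY check David describes, written out as a small script. This is an added example, not code from the thread or from the Exim project; it assumes the Exim binary is `exim` on PATH (override with `EXIM=...`), that the runtime user is `exim` (override with `EXIM_USER=...`), and that `exim -C <file> -bV` exits 0 when the alternate configuration is accepted.

```shell
#!/bin/sh
# Added example, not from the thread: probe whether the non-root Exim user can
# load an alternate configuration via -C, as David Woodhouse suggests above.
# Assumptions: binary "exim" on PATH (override with EXIM=...), runtime user
# "exim" (override with EXIM_USER=...), and "exim -C <file> -bV" exits 0 when
# the alternate configuration is accepted. Must be run as root so that su works.
EXIM="${EXIM:-exim}"
EXIM_USER="${EXIM_USER:-exim}"

# Write a minimal configuration that Exim can parse; the hostname is a placeholder.
write_test_config() {
    printf 'primary_hostname = altconfig.invalid\n' > "$1"
}

# Map the probe's exit status to a verdict: 0 means Exim read our file as the
# non-root Exim user, i.e. ALT_CONFIG_ROOT_ONLY is not in effect on this build.
verdict_for_status() {
    case "$1" in
        0) echo "accepted" ;;
        *) echo "refused" ;;
    esac
}

probe_alt_config() {
    if [ "$(id -u)" -ne 0 ] || ! command -v "$EXIM" >/dev/null 2>&1; then
        echo "inconclusive: run as root with exim installed"
        return 2
    fi
    cfg="$(mktemp /tmp/altconfig.XXXXXX)"
    write_test_config "$cfg"
    chmod 644 "$cfg"           # the Exim user must be able to read it
    status=0
    su -s /bin/sh "$EXIM_USER" -c "$EXIM -C $cfg -bV" >/dev/null 2>&1 || status=$?
    rm -f "$cfg"
    verdict_for_status "$status"
}

# Usage: ./check_alt_config.sh --run   (prints "accepted" or "refused")
if [ "${1:-}" = "--run" ]; then
    probe_alt_config
fi
```

"accepted" is the outcome Sandro reports above ("it works"): the Exim user can point the binary at its own config, so the build was made without ALT_CONFIG_ROOT_ONLY.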
