Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.

Sat, 07 Sep 2019 00:04:50 -0700 

Marco Gaiarin via Exim-users <[email protected]> (Fr 06 Sep 2019 23:42:03 
CEST):
> Mandi! Heiko Schlittermann via Exim-users
>   In chel di` si favelave...
>
> > Add - as part of the mail ACL (the ACL referenced by the main config
> > option "acl_smtp_mail"):
> >      deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
> >      deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}
>
> For very old exim, eg 4.80, there's no _in_ and _out_ variables, so:
>
>       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_sni}}}}
>       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_peerdn}}}}
>

And, if your Exim is linked against GnuTLS there is no $tls_sni variable
at all. But - to my knowledge - the exploitable string is written to the
-H spool file anyway (and read back).

So you can't protect yourself simply by using the above ACL statements.

Best option:        install 4.92.2
2nd best option:    use the source of your installed version
                    and apply the patch (it is a single line, check
                    the commit 2600301ba6dbac5c9d640c87007a07ee6dcea1f4
                    and look for file src/src/string.c
3rd best option:    do binary patching and replace the string "-tls_sni"
                    by e.g. "-foo_bar" (not sure about the impact
                    though, untested)

Here is the patch, the important part is the line "+if (ch == '\0') ..."

diff --git a/src/src/string.c b/src/src/string.c
index 5e48b445c..c6549bf93 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -224,6 +224,8 @@ interpreted in strings.
 Arguments:
   pp       points a pointer to the initiating "\" in the string;
            the pointer gets updated to point to the final character
+           If the backslash is the last character in the string, it
+           is not interpreted.
 Returns:   the value of the character escape
 */

@@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789abcdef";
 int ch;
 const uschar *p = *pp;
 ch = *(++p);
+if (ch == '\0') return **pp;
 if (isdigit(ch) && ch != '8' && ch != '9')
   {
   ch -= '0';
@@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count);
 g->ptr = p + count;
 return g;
 }
-
-
+
+
 gstring *
 string_cat(gstring *string, const uschar *s)
 {


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -

Attachment: signature.asc
Description: PGP signature

-- 
## List details at https://lists.exim.org/mailman/listinfo/exim-users
## Exim details at http://www.exim.org/
## Please use the Wiki with this list - http://wiki.exim.org/

Reply via email to