Suresh Ramasubramanian rearranged electrons thusly:
> Raju Mathur rearranged electrons thusly:
>  
> > BUGTRAQ just reported a format string vulnerability in Exim (version
> > unspecified) which crops up if you have the headers_check_syntax

>  There appear to be other issues with exim 3.22 (such as random junk files in
>  the spool, containing parts of syslog, fragments of messages and such),

fwiw ...
____________________________________________________

From: Tamas TEVESZ <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: [Exim] [Security-l] lil' exim format bug (fwd)
Date: Wed, 6 Jun 2001 16:12:16 +0200 (CEST)

for explanations, see below. patch courtesy of
<[EMAIL PROTECTED]>, works here.

--- src/accept.c.orig   Wed Jun  6 17:48:08 2001
+++ src/accept.c        Wed Jun  6 17:48:29 2001
@@ -2503,7 +2503,7 @@
   nothing on success. The function moan_smtp_batch() does not return -
   it exits from the program with a non-zero return code. */

-  else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);
+  else if (smtp_reply != NULL) moan_smtp_batch(NULL, "%s", smtp_reply);
   }

 /* Reset headers so that logging of rejects for a subsequent message doesn't
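Review bot: The change at the `else if` line is the right fix: moan_smtp_batch() takes a printf-style format as its second parameter (`moan_smtp_batch(char *cmd_buffer, char *format, ...)` per the advisory below), so passing smtp_reply, which carries text from the rejected header, in the format position let %-directives in that header be interpreted; with the constant `"%s"` as the format and smtp_reply as its argument the reply is emitted verbatim. Two follow-ups belong in the same patch: check the other callers of moan_smtp_batch() for the same non-literal-format shape, since this hunk only touches the one call in accept.c, and declare the function with `__attribute__((format(printf, 2, 3)))` so the compiler's -Wformat-security warning catches any remaining call of this kind.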



-- 
[-]
"`decent' `thread library' `unix' - these have no common root" -- redax

---------- Forwarded message ----------
Date: Wed, 6 Jun 2001 14:03:25 +0200
From: Megyer Laszlo <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: [Security-l] lil' exim format bug

Hi BugTrackers

Just a little bug to tell:


THE BUG
-------

accept.c, line 2506:
        else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);

while moan_smtp_batch is like this:
        moan_smtp_batch(char *cmd_buffer, char *format, ...)

So when smtp_reply contains format strings, it gets transformed by
moan_smtp_batch().


Why did I say that it's a little bug?
-------------------------------------

This piece of code is only executed when exim is configured to check incoming mails' headers:
/etc/exim.conf should have an option set:
headers_check_syntax

By default it's turned OFF.
Only a few people turn it on.

So it's NOT vulnerable BY DEFAULT.


Exploitation:
-------------

Try this:
===8<======8<=======8<======
lez:~$ /usr/sbin/exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p

.
===8<======8<=======8<=======

Somewhere in the answers you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is: 
@@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40

If you change %p's to %s's, you get a segfault. With a carefully constructed thing, it's 
easy to overwrite the saved eip with %n's, and get root out of this bug.

No exploit yet, but after the many local format bug exploits it's not a big work to 
write one for a skilled man.
-- 
Megyer Laszlo (Lez)
[EMAIL PROTECTED]
__________________________________________________
Security-l maillist  -  [EMAIL PROTECTED]
http://sunserv.kfki.hu/mailman/listinfo/security-l

--
## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at 
http://www.exim.org/ ##

-- 
Suresh Ramasubramanian  <-->  mallet <at> efn <dot> org
EMail Sturmbannfuhrer, Lower Middle Class Unix Sysadmin


_______________________________________________
linux-india-help mailing list
[EMAIL PROTECTED]
http://lists.sourceforge.net/lists/listinfo/linux-india-help
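The pattern in the forwarded advisory, as an added example that is not Exim's own code: moan_batch() is a hypothetical stand-in for moan_smtp_batch() that writes to a buffer instead of the SMTP stream, reply_vulnerable() mirrors the call at accept.c line 2506, reply_fixed() mirrors the patched call, and count_conversions() is a hypothetical check that counts %-directives in text about to reach a format parameter. The sample reply text is constructed; it uses only `%%`, the one directive that consumes no argument, so the vulnerable call's transformation is visible without the undefined behaviour that `%p`, `%s` or `%n` trigger.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for Exim's
   moan_smtp_batch(char *cmd_buffer, char *format, ...): the second parameter
   is a printf-style format, so whatever arrives there is parsed for
   % conversions. Output goes to a buffer instead of the SMTP reply. */
static char reply_buf[256];

static void moan_batch(const char *cmd_buffer, const char *format, ...)
{
    va_list ap;
    (void)cmd_buffer;
    va_start(ap, format);
    vsnprintf(reply_buf, sizeof reply_buf, format, ap);
    va_end(ap);
}

/* Vulnerable shape (accept.c line 2506 in the advisory): the reply text,
   which carries the rejected header, is passed as the format itself. */
const char *reply_vulnerable(const char *smtp_reply)
{
    moan_batch(NULL, smtp_reply);
    return reply_buf;
}

/* Patched shape: a constant format, the reply as its %s argument. */
const char *reply_fixed(const char *smtp_reply)
{
    moan_batch(NULL, "%s", smtp_reply);
    return reply_buf;
}

/* Defender check (hypothetical helper): count % conversions other than the
   literal "%%" in text about to reach a format parameter. Any count above
   zero means the vulnerable shape would consume arguments the caller
   never supplied. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed reply text in the shape of the advisory's 550 line.
       "%%" consumes no argument, so both paths are well defined; with
       %p/%s/%n the vulnerable path would read or write through the
       missing arguments, which is the bug. */
    const char *reply =
        "550 Syntax error in 'From' header: failing address is: 100%% wrong";
    printf("vulnerable: %s\n", reply_vulnerable(reply));
    printf("fixed:      %s\n", reply_fixed(reply));
    printf("directives in the advisory's header: %d\n",
           count_conversions("From:@@%p%p%p%p%p%p%p%p%p%p"));
    return 0;
}
```

The vulnerable path collapses `100%% wrong` to `100% wrong` while the fixed path leaves it untouched. Adding `__attribute__((format(printf, 2, 3)))` to moan_batch() makes gcc's -Wformat-security flag reply_vulnerable() at compile time, which is the cheap way to find every remaining call of this shape in a code base.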
