|
Brought to you by:
Suppliers of:
|
|
|
| |
| Exim is "a mail transfer agent (MTA) for Unix systems similar to Sendmail". Local exploitation of a buffer overflow vulnerability in Exim 4.41 allows execution of arbitrary commands with elevated privileges. |
| |
Credit:
The information has been provided by iDEFENSE.
The original article can be found at: http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities
|
| |
Vulnerable Systems:
* Exim version 4.42 and prior
Immune Systems:
* Exim version 4.43 or newer
The problem specifically exists in the dns_build_reverse() function. The function fails to check the length of a string which it copies into a fixed length buffer. This string is user controlled and passed into the program from a command line option.
The following example demonstrates an input that will crash Exim:
/usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`
Analysis:
Exploitation of this vulnerability will give an attacker access to the mailer uid. (The exim mailer is setuid root, but drops privileges before the vulnerable code is reached). Having the mailer uid may allow access to sensitive information in email messages, or possibly further elevation.
Vendor response:
A patch for Exim release 4.43 which addresses this vulnerability is available at: http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
The patch will be incorporated into a future Exim release (4.50).
Disclosure Timeline:
09/30/2004 - Initial vendor notification
09/30/2004 - Initial vendor response
01/14/2005 - Public disclosure
|
|
|
|
|
