[Exim] Possible to Exploit (Was: exim and ip options?)

Author: Dmitry Alyabyev
Date:  
To: exim-users
Subject: [Exim] Possible to Exploit (Was: exim and ip options?)
==============Original message text===============
From: Magosányi Árpád <mag@???>
To: VULN-DEV@??? <VULN-DEV@???>
Date: Thursday, January 11, 2001, 5:51:34 AM
Subject: exim and ip options?

Hi!

I have found some very interesting code in exim.
(it is at least in 3.12 - 3.20)
src/smtp_in.c, in function smtp_start_session(),
when it handles ip options:

            default:                       /* any other IP option: dump it as hex */
              {
              int i;
              strcat(p, "[");
              p += 2;
              /* opt[1] is the option's own length byte; every byte costs
                 three characters ("xx ") of output, with no check against
                 the space left in the buffer */
              for (i = 0; i < opt[1]; i++)
                {
                sprintf(p, "%2.2x ", opt[i]);
                p += 3;
                }
              *p++ = ']';
              }
            opt += opt[1];                 /* advance by the same length byte */
            break;
            }
          }


p is a pointer (initially) inside a "big" buffer with a length of
1024. It seems to be a nice opportunity for a buffer overrun,
minus it is on the heap and very limited in the usable opcodes.
I am not able to write an exploit, or even to confirm
the exploitability of such code.
Any ideas?

Please cc: me as I am not on the list.

--
GNU GPL: only from a pure source

===========End of original message text===========

--
Dimitry
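A bounds-checked rewrite of the loop quoted above, added here as an example (it is not exim's code and not from either message); the `optend` parameter, the output-buffer sizes and the sample option bytes are assumptions:

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Added example, not exim's code: a bounds-checked version of the hex-dump
 * loop quoted above. opt points at one IP option whose length byte is
 * opt[1]; optend is the end of the option data actually received (an
 * assumed parameter); out/outsize describe the destination buffer.
 * Returns the number of characters written, or -1 when the length byte
 * runs past the received options or the text would not fit, so the
 * caller can reject the option instead of overrunning the buffer. */
int format_ip_option(const unsigned char *opt, const unsigned char *optend,
                     char *out, size_t outsize)
{
    size_t len, need, i;
    char *p = out;
    if (optend - opt < 2) return -1;                      /* no room for type + length */
    len = opt[1];
    if (len < 2 || len > (size_t)(optend - opt)) return -1; /* length byte lies */
    need = 1 + 3 * len + 1 + 1;                           /* "[" + "xx " per byte + "]" + NUL */
    if (need > outsize) return -1;
    *p++ = '[';
    for (i = 0; i < len; i++) {
        snprintf(p, outsize - (size_t)(p - out), "%2.2x ", opt[i]);
        p += 3;
    }
    *p++ = ']';
    *p = '\0';
    return (int)(p - out);
}

/* Characters the quoted, unchecked loop emits for a length byte n, whatever
 * space remains in the 1024-byte buffer: "[" + 3 per byte + "]". */
size_t unbounded_bytes_for(unsigned char n) { return 1 + 3 * (size_t)n + 1; }

/* Constructed sample option (type 7, length 3, pointer 4) plus two bad cases. */
int selftest_ok(void)
{
    const unsigned char good[] = { 0x07, 0x03, 0x04 };
    const unsigned char lying[] = { 0x07, 0x28, 0x04 };  /* claims 40 bytes, has 3 */
    char out[32];
    int n = format_ip_option(good, good + sizeof good, out, sizeof out);
    if (n != 11 || strcmp(out, "[07 03 04 ]") != 0) return 0;
    if (format_ip_option(lying, lying + sizeof lying, out, sizeof out) != -1) return 0;
    if (format_ip_option(good, good + sizeof good, out, 8) != -1) return 0; /* needs 12 */
    return 1;
}
```

The check on opt[1] is what the quoted loop lacks: it trusts the option's own length byte both to size the hex output and to step to the next option.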