Re: [Exim] Possible to Exploit (Was: exim and ip options?)

Author: Philip Hazel
Date:  
To: dimitry
CC: exim-users
Subject: Re: [Exim] Possible to Exploit (Was: exim and ip options?)
On Fri, 12 Jan 2001, Dmitry Alyabyev wrote:

> ==============Original message text===============
> From: Magosányi Árpád <mag@???>
> To: VULN-DEV@??? <VULN-DEV@???>
> Date: Thursday, January 11, 2001, 5:51:34 AM
> Subject: exim and ip options?
>
> Hi!
>
> I have found some very interesting code in exim.
> (it is at least in 3.12 - 3.20)


This code is used for logging the contents of IP options in incoming
connections, before dropping the connection (by default). The code was
originally sent to me by somebody who knew details of this stuff, but I
did re-organize it to fit into Exim.

(1) The code is not included when Exim is compiled for IPv6 (because I
don't know how to read IPv4 options in an IPv6 world).

(2) The code is logging the contents of IPv4 options, before dropping
the connection (in the default configuration).

(3) Many operating systems lock out IP options at the kernel level, so
they never even get to Exim. Many routers lock out such packets too.

(4) If, however, this code is ever exercised, it is trying to format the
contents of a field which in Solaris and Linux is limited to 40 bytes. I
have not checked other OS. It's the value of MAX_IPOPTLEN. Formatting
these 40 bytes is not going to overflow a buffer which is at least 1024
bytes long.

(5) Nevertheless, for the next release, I've put in some paranoia checks
so that this code doesn't ring warning bells again. I do not think it is
worth an emergency release.

As an aside, if anybody knows how I can actually test this code on a
Solaris 8 system, please let me know. I have been unable to find a way
of setting up a TCP/IP call with any IP options set. (I have tried the
"netcat" command. Either I can't drive it properly, or it doesn't work
on this OS, or the various routers etc. in my world block IP options.)

-- 
Philip Hazel            University of Cambridge Computing Service,
ph10@???      Cambridge, England. Phone: +44 1223 334714.
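As an added illustration of points (4) and (5) above (this is example code written for this page, not Exim's own IP-options logging routine), the following C functions format an IPv4 options field as hex text into a fixed-size log buffer and apply the kind of paranoia checks the message describes: the options length is capped at the 40-byte MAX_IPOPTLEN value quoted in the message (hard-coded here as `IPOPT_MAX` so the code builds on any platform), the formatter refuses to write past the end of its output buffer, and a separate walker rejects option records whose length byte does not fit. The function names, the 1024-byte `LOG_BUF_SIZE`, and the sample option bytes are all constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* MAX_IPOPTLEN is 40 on Linux and Solaris, as the message states; it is
 * hard-coded here (assumption for this example) rather than taken from
 * <netinet/ip.h> so the code compiles everywhere. */
#define IPOPT_MAX 40
/* Size of the log line buffer; the message says Exim's is at least 1024. */
#define LOG_BUF_SIZE 1024

/* Upper bound on the text produced for optlen option bytes: two hex digits
 * per byte plus one separator between bytes. For 40 bytes this is 119
 * characters (+1 for the NUL), far below a 1024-byte buffer. */
size_t ip_options_max_text(size_t optlen)
{
    return optlen == 0 ? 0 : optlen * 3 - 1;
}

/* Format option bytes as "xx xx xx ..." into out (capacity outlen).
 * Returns the number of characters written (excluding the NUL), or -1 if
 * optlen exceeds what an IPv4 header can carry or the buffer is too small.
 * out is always NUL-terminated when outlen > 0, even on failure. */
int format_ip_options(const unsigned char *opts, size_t optlen,
                      char *out, size_t outlen)
{
    size_t pos = 0;
    if (outlen == 0) return -1;
    out[0] = '\0';
    /* Paranoia check: never trust a caller-supplied length above IPOPT_MAX. */
    if (optlen > IPOPT_MAX) return -1;
    for (size_t i = 0; i < optlen; i++) {
        /* Each byte needs 2 hex digits plus a separator or the final NUL. */
        if (pos + 3 > outlen) { out[pos] = '\0'; return -1; }
        int n = snprintf(out + pos, outlen - pos, "%02x%s",
                         opts[i], (i + 1 < optlen) ? " " : "");
        if (n < 0) return -1;
        pos += (size_t)n;
    }
    return (int)pos;
}

/* Walk the option list as type[,length,...] records and reject malformed
 * length fields before anything is formatted or logged. Type 0 (EOL) ends
 * the list, type 1 (NOP) is a single byte, every other option carries a
 * length byte covering itself and the type byte (so it must be >= 2). */
int ip_options_well_formed(const unsigned char *opts, size_t optlen)
{
    size_t i = 0;
    if (optlen > IPOPT_MAX) return 0;
    while (i < optlen) {
        unsigned char type = opts[i];
        if (type == 0) return 1;            /* IPOPT_EOL */
        if (type == 1) { i++; continue; }   /* IPOPT_NOP */
        if (i + 1 >= optlen) return 0;      /* length byte missing */
        unsigned char len = opts[i + 1];
        if (len < 2 || i + len > optlen) return 0;  /* does not fit */
        i += len;
    }
    return 1;
}

/* Constructed sample: a NOP followed by a Record Route option (type 7,
 * length 7, pointer 4, four bytes of route storage). Not a real capture. */
static const unsigned char demo_opts[] = {
    0x01, 0x07, 0x07, 0x04, 0x00, 0x00, 0x00, 0x00
};
/* Constructed malformed sample: Record Route claiming 16 bytes in 2. */
static const unsigned char bad_opts[] = { 0x07, 0x10 };
/* Constructed oversize field: one byte more than any IPv4 header allows. */
static const unsigned char oversize_opts[IPOPT_MAX + 1] = { 0 };
static char demo_buf[LOG_BUF_SIZE];
static char small_buf[8];

int main(void)
{
    int n = format_ip_options(demo_opts, sizeof demo_opts,
                              demo_buf, sizeof demo_buf);
    printf("well-formed: %d\n", ip_options_well_formed(demo_opts, sizeof demo_opts));
    printf("formatted %d chars: %s\n", n, demo_buf);
    printf("max text for %d option bytes: %zu\n",
           IPOPT_MAX, ip_options_max_text(IPOPT_MAX));
    printf("oversize rejected: %d\n",
           format_ip_options(oversize_opts, sizeof oversize_opts,
                             demo_buf, sizeof demo_buf) == -1);
    printf("malformed rejected: %d\n",
           !ip_options_well_formed(bad_opts, sizeof bad_opts));
    return 0;
}
```

The length check in `format_ip_options` is the cheap guard the message calls a paranoia check: with it in place the output can never exceed `ip_options_max_text(IPOPT_MAX)` characters, regardless of what the kernel or a caller hands over, and the per-byte capacity test means a deliberately small buffer fails cleanly with a terminated string rather than an overflow.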