for explanations, see below. patch courtesy of
<endre@???>, works here.
--- src/accept.c.orig Wed Jun 6 17:48:08 2001
+++ src/accept.c Wed Jun 6 17:48:29 2001
@@ -2503,7 +2503,7 @@
nothing on success. The function moan_smtp_batch() does not return -
it exits from the program with a non-zero return code. */
- else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);
+ else if (smtp_reply != NULL) moan_smtp_batch(NULL, "%s", smtp_reply);
}
/* Reset headers so that logging of rejects for a subsequent message doesn't
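Review bot: the "%s" fix is right for this call site, but the same prototype makes every other caller that passes a runtime string as the second parameter an identical bug, since the forwarded report quotes moan_smtp_batch(char *cmd_buffer, char *format, ...); the cheap check is a grep for moan_smtp_batch( (and the other printf-style helpers) across src/, and declaring the function with __attribute__((format(printf, 2, 3))) would let the compiler flag any remaining or future call of the old shape under -Wformat-security. The comment above the call could also note that smtp_reply carries text derived from the incoming header and must never be used as the format.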
--
"`proper' `thread library' `unix' - these have no common root" -- redax
---------- Forwarded message ----------
Date: Wed, 6 Jun 2001 14:03:25 +0200
From: Megyer Laszlo <lez@???>
Reply-To: security-l@???
To: bugtraq@???
Cc: security-l@???
Subject: [Security-l] lil' exim format bug
Hi BugTrackers
Just a little bug to tell:
THE BUG
-------
accept.c, line 2506:
else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);
while moan_smtp_batch is like this:
moan_smtp_batch(char *cmd_buffer, char *format, ...)
So when smtp_reply contains format strings, it gets transformed by
moan_smtp_batch().
Why I said that it's a little bug?
----------------------------------
This piece of code is only executed when exim is configured to check incoming mails' headers:
/etc/exim.conf should have an option set:
headers_check_syntax
By default it's turned OFF.
Only a few people turn it on.
So it's NOT vulnerable BY DEFAULT.
Exploitation:
-------------
Try this:
===8<======8<=======8<======
lez:~$ /usr/sbin/exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p
.
===8<======8<=======8<=======
Somewhere in the answers you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40
If you change the %p's to %s's, you get a segfault. With a carefully constructed thing, it's easy to overwrite the saved eip with %n's and get root out of this bug.
No exploit yet, but after the many local format bug exploits it's not much work for a skilled man to write one.
--
Megyer Laszlo (Lez)
lez@???
__________________________________________________
Security-l maillist - Security-l@???
http://sunserv.kfki.hu/mailman/listinfo/security-l
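Added example, not code from exim or from either poster: a minimal C model of the bug and of the one-line patch. moan_like() is an assumed stand-in for moan_smtp_batch() (the real one exits the process; this one renders into a buffer so the result can be inspected), reply_vulnerable() is the pre-patch call shape and reply_fixed() the patched one. count_conversions() shows how many arguments a header value pulls off the variadic list, which matches the ten values in the 550 line of the report, and contains_percent_n() flags the write primitive. The vulnerable path is only exercised with "%%", which consumes no argument; anything else is undefined behaviour, which is exactly what the exim output in the report shows.

```c
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed stand-in for exim's moan_smtp_batch(): a printf-style function.
 * The real one exits with a non-zero code; this one writes into 'out'. */
static void moan_like(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outlen, format, ap);
    va_end(ap);
}

/* Pre-patch call shape: the header-derived reply text IS the format. */
void reply_vulnerable(char *out, size_t outlen, const char *smtp_reply)
{
    moan_like(out, outlen, smtp_reply);
}

/* Patched call shape: fixed "%s" format, reply text passed as an argument. */
void reply_fixed(char *out, size_t outlen, const char *smtp_reply)
{
    moan_like(out, outlen, "%s", smtp_reply);
}

/* Walk one directive starting at p (p[0]=='%', p[1]!='%'). Returns a pointer
 * to the conversion character (or the terminator) and adds to *args the
 * number of arguments it consumes: one, plus one per '*' width/precision. */
static const char *scan_directive(const char *p, int *args)
{
    const char *q = p + 1;
    (*args)++;
    while (*q && strchr("-+ #0123456789.*hlLqjzt", *q)) {
        if (*q == '*') (*args)++;
        q++;
    }
    return q;
}

/* Number of arguments the string would pull off the variadic list (the
 * stack on x86) if it were used as a printf format. "%%" consumes none. */
int count_conversions(const char *s)
{
    int args = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = scan_directive(p, &args);
        if (!*q) break;
        p = q;
    }
    return args;
}

/* True if the string contains a %n directive, the write-to-memory primitive
 * that turns a format bug into control of the saved return address. */
bool contains_percent_n(const char *s)
{
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        int unused = 0;
        const char *q = scan_directive(p, &unused);
        if (*q == 'n') return true;
        if (!*q) break;
        p = q;
    }
    return false;
}

static char g_out[256];   /* shared render buffer for the helpers below */

/* Render through the vulnerable call site. Refuses (returns NULL) when the
 * text would consume arguments, because that reads garbage off the stack
 * here just as it did in exim; "%%"-only input is enough to show that the
 * text is being interpreted rather than copied. */
const char *render_vulnerable(const char *smtp_reply)
{
    if (count_conversions(smtp_reply) != 0) return NULL;
    reply_vulnerable(g_out, sizeof g_out, smtp_reply);
    return g_out;
}

/* Render through the patched call site: always a byte-for-byte copy. */
const char *render_fixed(const char *smtp_reply)
{
    reply_fixed(g_out, sizeof g_out, smtp_reply);
    return g_out;
}

int main(void)
{
    /* The From: value from the report (constructed input). */
    const char *hdr = "@@%p%p%p%p%p%p%p%p%p%p";
    printf("%d stack arguments would be read; %%n present: %s\n",
           count_conversions(hdr), contains_percent_n(hdr) ? "yes" : "no");
    printf("fixed:      %s\n", render_fixed(hdr));
    printf("vulnerable: %s\n", render_vulnerable("@@%%p"));
    return 0;
}
```

count_conversions() is also the check you would put in front of any legacy call site you cannot patch immediately: a reply text with a non-zero count must never reach the format parameter.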