Re: [exim-dev] Remote root vulnerability in Exim

Top Page

Reply to this message
Author: Stefan Fritsch
Date:  
To: exim-dev
CC: security
Subject: Re: [exim-dev] Remote root vulnerability in Exim
James E. Blair wrote:
> On 12/07/2010 01:59 PM, Sergey Kononenko wrote:
> > Hi,
> >
> > While investigating security break in the network of my company,
> > I've captured (by tcpdump) sequence of successful remote root
> > attack through Exim. It was Exim from Debian Lenny
> > (exim4-daemon-light 4.69-9).
>
> Paul Fisher and I have successfully run the exploit against a copy
> of Exim running in a debugger on debian lenny, and we believe it
> utilizes this bug:
>
> http://bugs.exim.org/show_bug.cgi?id=787
>
> It was fixed in 4.70, but not in the version currently in debian
> stable.
>
> James E. Blair
> UC Berkeley


I have found something else that looks fishy, but I don't know if it
can be triggered in practice:

internal_lsearch_find() in src/lookups/lsearch.c sets store_pool to
MAIN_POOL but fails to reset store_pool to old_pool when returning
DEFER in line 199. Maybe this could lead to another function later
wrongly resetting the MAIN_POOL instead of the SEARCH_POOL which could
probbably result in memory corruption.

Cheers,
Stefan