Re: [exim-dev] Remote root vulnerability in Exim

Top Page

Reply to this message
Author: Oli
Date:  
To: exim-dev
Subject: Re: [exim-dev] Remote root vulnerability in Exim


Marc Haber wrote:
> On Thu, Dec 09, 2010 at 11:29:14AM +0000, Jeremy Harris wrote:
>
>> Alternatively, the Debian config uses HeaderX for transmission of
>> generated content, and expands it deliberately.
>>
>
> We don't do such things. In fact, our configuration is amazingly like
> exim's stock config, it's only more automatic.
>
> Greetings
> Marc
>
>

Hi guys,

Please excuse me posting to the dev list as I'm not an Exim dev, but I
believe I have a couple of vulnerable servers and wanted an expert
opinion on some remedial action I've taken:

* Remounted /var with nosuid

* Added global config to limit the overall header size to 5k and
individual header lines to 512 bytes, using header_maxsize and
header_line_maxsize.****

The first would only mitigate the current exploit, as it may be possible
to create suid binaries under somewhere like /tmp instead.

It was the second I'm interested in. Do you know if the bug which makes
the remote execution exploit possible is triggered before or after the
header size or line length is checked?

Thanks very much in advance.

Thanks,
-Oli

--
Oli Comber
Systems Developer
3aIT Limited - Official Corporate Sponsor of the British Bobsleigh Team

4-10 Barttelot Rd Horsham West Sussex RH12 1DQ
T: +44 (0)203 - 3843932 F: +44 (0)870 116 0793

3aIT Limited is a company registered in England and Wales.
CoReg: 3866698 VATReg: 771388600


Visit www.3aIT.co.uk for Design, Systems, Support

Disclaimer:
The information contained within this email is confidential and may be legally privileged. It is intended solely for the addressee. If you are not the intended recipient, any disclosure, copying or distribution of this email is prohibited and may be unlawful. The content of this email represents the views of the individual and not necessarily 3aIT Limited. 3aIT Limited reserves the right to monitor the content of all emails in accordance with lawful business practice. Whilst every effort is made to ensure that attachments are free from computer viruses before transmission, 3aIT Limited does not accept any liability in respect of any virus that is not detected.
3aIT Limited