Author: David Woodhouse Date: To: W B Hacker CC: exim-dev, Ted Cooper Subject: Re: [exim-dev] Remote root vulnerability in Exim
On Fri, 2010-12-10 at 10:35 -0500, W B Hacker wrote: > That said - I am not sure THIS exploit actually puts the average system at risk.
>
> Surely we would have seen more real-world compromises over the many years?
I wouldn't be so sure. It may have been there for ever, but ironically I
don't think it really became a *danger* until we fixed it. A commit
message saying 'Buffer overrun fix' is a bit of an open invitation to
come and play.
It is unfortunate that we fixed a buffer overflow, didn't think of it as
a potential security issue (which *all* buffer overflows are unless you
can prove otherwise), and then didn't even call it out in the 4.70
announcement.
(I don't intend that as criticism of the people involved; just want to
make sure we recognise the right thing to do in future).
In retrospect, we probably should have got a CVE assigned for it at the
time.
> Was the OP actually hit with this?
> Or did he *write* it? (no apologies, w/r servers, I am one paranoid MF!)
> And is the community now being enlisted to confirm it can work - and show how to
> refine it?
I don't think that's likely -- it had already worked by the time he
showed it to us, and we haven't refined it. We've just had to work out
for ourselves which bug it was triggering and how, but the person who
wrote the attack will have started off with the bug and developed the
exploit from that.
> [1] for several reasons - throttled bandwidth, per-IP connection limit, limited
> total connections, rDNS hard-fail, and finally defer if the deliberately limited
> pool of PostgreSQL connections is used up.
None of those protect you against this. It only needs *one* connection.
And it doesn't even *need* to send you 50MiB of data; any post-DATA
rejection would suffice. It's just that a 50MiB mail is a fairly good
bet for rejection. The EICAR test virus would be another reasonable bet.