Re: [exim-dev] Remote root vulnerability in Exim

Author: David Woodhouse
Date:  
To: Sandro Tosi
CC: exim-dev
Subject: Re: [exim-dev] Remote root vulnerability in Exim
On Mon, 2010-12-13 at 16:21 +0100, Sandro Tosi wrote:
> We have a 4.69 custom installation, so I tried to replicate the exploit
> at [1] but without success (FSVO it ;).
>
> [1] http://seclists.org/fulldisclosure/2010/Dec/222
>
> we have set 'message_size_limit = 100M' and the attack stops with a
>
> 552 Message size exceeds maximum permitted
>
> and log entry:
>
> 2010-12-13 11:50:06 [22328] 1PS5yL-0005o8-R7 rejected from
> <root@???> H=(abcde.com) [195.110.97.5]: message too big:
> read=105155021 max=104857600
>
> does this mean that the attack needs to send more than 100M of data and so
> our config is "safe"?


The body size has nothing to do with it. Personally I tweaked it down to
1MiB on my test box to speed up testing.

It's the size of the *headers* which does it. Your initial headers need
to precisely reach the end of the log buffer in order to trigger the
overflow bug.

> If some unlucky guy is in a position that cannot check how a given exim
> installation was compiled, is there a way to know if
> ALT_CONFIG_ROOT_ONLY was set or not at build time?


Create a config file in /tmp, and as the Exim user try running
exim -C /tmp/myconfig


--
dwmw2
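The build-time check David suggests, written out as a small POSIX shell script. This is an added example, not part of the thread; it assumes you pass the path to the Exim binary, that you run it as the Exim user as the reply says, and it relies only on exim's exit status (not on the wording of any refusal message, which is an assumption about the build). The verdict wording is specific to the ALT_CONFIG_ROOT_ONLY builds discussed here; later Exim releases changed how -C is restricted.

```shell
#!/bin/sh
# Check whether an Exim binary accepts an alternate configuration file
# (-C) from the *current* user. Run it as the Exim user.
# Exit status of exim_alt_config_check:
#   0  alternate config accepted -> ALT_CONFIG_ROOT_ONLY does not appear
#                                   to have been set at build time
#   1  alternate config refused  -> ALT_CONFIG_ROOT_ONLY appears to be set
#   2  the check itself could not be run (binary missing, mktemp failed)
exim_alt_config_check() {
  exim_bin=${1:-exim}
  # A missing binary must not be mistaken for a refusal.
  command -v "$exim_bin" >/dev/null 2>&1 || return 2
  tmpcfg=$(mktemp /tmp/exim-altcfg.XXXXXX) || return 2
  # Minimal configuration: a single plain string option and no expansion
  # items, so the file does nothing beyond being parsed if it is accepted.
  printf 'primary_hostname = alt-config-check.invalid\n' > "$tmpcfg"
  # -bV makes exim print its version, read and verify the configuration,
  # then exit without any mail processing. Only the status is used.
  if "$exim_bin" -C "$tmpcfg" -bV >/dev/null 2>&1; then
    rc=0
  else
    rc=1
  fi
  rm -f "$tmpcfg"
  return $rc
}

# Human-readable wrapper: prints a one-line verdict and passes the status on.
exim_alt_config_report() {
  rc=0
  exim_alt_config_check "$@" || rc=$?
  case $rc in
    0) echo "alternate config ACCEPTED for uid $(id -u):" \
            "ALT_CONFIG_ROOT_ONLY not set at build time" ;;
    1) echo "alternate config REFUSED for uid $(id -u):" \
            "ALT_CONFIG_ROOT_ONLY set (or -C otherwise restricted)" ;;
    *) echo "check could not be run (binary not found or mktemp failed)" ;;
  esac
  return $rc
}

# Usage, as the Exim user:  exim_alt_config_report /usr/sbin/exim
```

Run it once as root and once as the Exim user; the result that matters for the issue in this thread is the one from the Exim user.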