Author: Sandro Tosi
Date:
To: firstname.lastname@example.org
Subject: Re: [exim-dev] Remote root vulnerability in Exim
thanks for the reply :)
On 12/13/2010 08:50 PM, David Woodhouse wrote:
> On Mon, 2010-12-13 at 16:21 +0100, Sandro Tosi wrote:
>> we have set 'message_size_limit = 100M' and the attack stops with a ...
>> does this mean that the attack needs to send more than 100M of data and so
>> our config is "safe"?
> The body size has nothing to do with it. Personally I tweaked it down to
> 1MiB on my test box to speed up testing.
> It's the size of the *headers* which does it. Your initial headers need
> to precisely reach the end of the log buffer in order to trigger the
> overflow bug.
Mh ok, I see, but now the question is: how can we replicate the exploit
and see if we're exposed? We thought that  was enough, maybe it's
not. Could you please send us (private email is fine, whatever you
prefer) the script you're running?
 http://seclists.org/fulldisclosure/2010/Dec/222
>> If some unlucky guy is in a position that cannot check how a given exim
>> installation was compiled, is there a way to know if
>> ALT_CONFIG_ROOT_ONLY was set or not at build time?
> Create a config file in /tmp, and as the Exim user try running
> exim -C /tmp/myconfig
sigh, it works :(
Thanks in advance,
Linux based Solutions
R&D | Dada.pro