Re: [exim-dev] Remote root vulnerability in Exim

Author: Sandro Tosi
Date:  
To: exim-dev@exim.org
Subject: Re: [exim-dev] Remote root vulnerability in Exim
Hi David,
thanks for the reply :)

On 12/13/2010 08:50 PM, David Woodhouse wrote:
> On Mon, 2010-12-13 at 16:21 +0100, Sandro Tosi wrote:
>> we have set 'message_size_limit = 100M' and the attack stops with a

...
>> does this mean that the attack needs to send more than 100M of data and so
>> our config is "safe"?
>
> The body size has nothing to do with it. Personally I tweaked it down to
> 1MiB on my test box to speed up testing.
>
> It's the size of the *headers* which does it. Your initial headers need
> to precisely reach the end of the log buffer in order to trigger the
> overflow bug.
Mh ok, I see, but now the question is: how can we replicate the exploit
and see if we're exposed? We thought that [1] was enough, maybe it's
not. Could you please send us (private email is fine, whatever you
prefer) the script you're running?

[1] http://seclists.org/fulldisclosure/2010/Dec/222

>> If some unlucky guy is in a position that cannot check how a given exim
>> installation was compiled, is there a way to know if
>> ALT_CONFIG_ROOT_ONLY was set or not at build time?
>
> Create a config file in /tmp, and as the Exim user try running
> exim -C /tmp/myconfig
sigh, it works :(

Thanks in advance,
--
Sandro Tosi
Product Engineer
Linux based Solutions
Hosting Products
R&D | Dada.pro
sandro.tosi@???