[exim] Exim Security Advisory CVE-2014-2972

Top Page

Reply to this message
Author: Todd Lyons
To: Exim Users, Exim Dev
Subject: [exim] Exim Security Advisory CVE-2014-2972
The Exim developers want to inform you of a local vulnerability in Exim.
Exploitability requires the ability to provide unsanitised data to a
data source used by Exim for looking up a value, and the impact is the
ability to get a string expansion done as the Exim runtime user (so, run
commands, etc) because in a certain scenario, there's a
double-expansion, so it's equivalent to the result of the data being
"eval"d again. This bug was discovered by Patrick William of Rack911,
and reported to us by the Cpanel Security Team. Exploitation using this
method was discovered by penetration testing; it was not observed in the
wild. This security advisory has been assigned CVE-2014-2972.

We would like to publicly thank Rack911 and Cpanel for responsibly
notifying the Exim developers with a description of the problem
and coordinating their release of software fixes with ours. Appearing so
close to the end of the release cycle allowed us to handle the issue
with relative ease.

This is not a remote exploit. It requires a user account on a server
where Exim is configured to do lookups against files to which the user
has edit access. As such, this does not require a Security Release, so
we will proceed with the regular release cycle.

The root cause of this issue is the arguments to mathematical comparison
operations are expanded twice (<, <=, >, >=, =). The intent of the
original code was the first expansion could (for example) lookup an item
from a file. The assumption was that entry would be some form of valid
integer so that value was then passed to the expand function again to do
a numeric conversion of values such as 19k or 45M to integers. However,
if the content of the lookup is under direct user control, they could
insert something with an expansion, such as:
${run {/bin/touch /tmp/OUCH}}
Since the data is not sanitized when the second expansion occurs
(intended to process numerical conversion), that command would get
executed as the exim user.

We Exim developers agree this behavior is a bug in Exim because it is
expected that an argument to a function will only be expanded once. As
such, we have a patch which will be applied to 4.83 when it is
officially released on Tue which will modify this behavior: for math
based comparisons, the arguments are only expanded once, followed by a
numeric only conversion. This is changing a behavior that has been
present in Exim since the original code was committed in 2004.

- - -- Todd Lyons, pp The Exim Maintainers.

- -- 
Regards...        Todd
Linux kernel   load average: 0.45, 0.71, 0.94