[exim-dev] [Bug 2199] Exim use-after-free vulnerability whil…

Author: admin
Date:  
To: exim-dev
Subject: [exim-dev] [Bug 2199] Exim use-after-free vulnerability while reading mail header
https://bugs.exim.org/show_bug.cgi?id=2199

--- Comment #8 from meh <meh@???> ---
Oh, I was talking about the source code of 4.89. In the current master, it is
here:
https://github.com/Exim/exim/blob/master/src/src/receive.c#L1790

What this PoC does is:
1. send an unrecognized command to adjust yield_length and make it less than 0x100
2. send BDAT 1
3. send one character to reach the length of BDAT
4. send a BDAT command without size and with a non-printable character ->
trigger synprot_error and therefore call store_get
// back to receive_msg and exim keeps trying to read header
5. send a huge message until store_extend is called
6. uaf

This PoC is affected by the block layout (yield_length), so this line:
`r.sendline('a'*0x1250+'\x7f')` should be adjusted according to the program
state. I tested on my Ubuntu 16.04, compiled with the attached Local/Makefile
(simply make -j8). I also attach the updated PoC for current master and the
debug report.
