Author: Jeremy Harris Date: To: exim-users Subject: Re: [exim] CVE-2019-10149: already vulnerable ?
On 04/07/2019 21:23, Ian Zimmerman via Exim-users wrote:
> After your important discovery that escaping is done on local parts as
> part of SMTP (at least that's how I interpreted the disappearance of the
> backslash from "it\z"), the next question should be but has not yet
> been: why is this needed at all?
Because Exim's string-escaping lets you write a dollar-sign as \x24.
So we need to get a matcher for that into the RE.
> Won't the whole escape sequence be
> transformed into a dollar sign by the time it is matched against the
> rule?
No; the SMTP string-escaping does not provide that facility.
So an attacker can fairly simply get something into a local-part
which ends up as a \x24 after the SMTP de-escaping.
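The two escaping layers Jeremy describes, worked through as an added example (this is not code from the thread and not Exim's own parser or expander): an RFC 5321 quoted-string local part loses one level of backslash on the SMTP side, and a simplified model of Exim's backslash escapes in strings (`\n`, `\r`, `\t`, `\\`, `\xHH`, and octal `\ddd`) then turns a surviving `\x24` into `$`. The function names, the regex `\$|\\x24` standing in for "a matcher for that in the RE", and the sample local parts are all my own constructions; the octal case goes beyond what the thread mentions and relies on my reading of Exim's documented `\ddd` escape.

```python
import re

def smtp_unquote_local_part(local_part: str) -> str:
    """Undo RFC 5321 quoted-string escaping as seen on the wire (simplified model).
    Inside "...", a backslash followed by any character yields that character
    (a quoted-pair); an unquoted local part is returned unchanged."""
    if len(local_part) >= 2 and local_part[0] == '"' and local_part[-1] == '"':
        inner = local_part[1:-1]
        out = []
        i = 0
        while i < len(inner):
            if inner[i] == '\\' and i + 1 < len(inner):
                out.append(inner[i + 1])   # quoted-pair: keep the escaped char only
                i += 2
            else:
                out.append(inner[i])
                i += 1
        return ''.join(out)
    return local_part

_EXIM_SIMPLE = {'n': '\n', 'r': '\r', 't': '\t', '\\': '\\'}

def exim_unescape(s: str) -> str:
    """Simplified model (assumption, not Exim's code) of Exim's backslash escapes
    in strings: \\n \\r \\t \\\\, \\xHH (1-2 hex digits) and \\ddd (1-3 octal digits).
    Any other character after a backslash is kept literally."""
    out = []
    i = 0
    while i < len(s):
        c = s[i]
        if c != '\\' or i + 1 >= len(s):
            out.append(c)
            i += 1
            continue
        nxt = s[i + 1]
        if nxt in _EXIM_SIMPLE:
            out.append(_EXIM_SIMPLE[nxt])
            i += 2
        elif nxt == 'x':
            m = re.match(r'x([0-9A-Fa-f]{1,2})', s[i + 1:])
            if m:
                out.append(chr(int(m.group(1), 16)))
                i += 1 + m.end()
            else:
                out.append('x')
                i += 2
        elif nxt in '01234567':
            m = re.match(r'[0-7]{1,3}', s[i + 1:])
            out.append(chr(int(m.group(0), 8)))
            i += 1 + m.end()
        else:
            out.append(nxt)
            i += 2
    return ''.join(out)

def to_expansion_input(wire_local_part: str) -> str:
    """What is left of a wire local part after both de-escaping layers."""
    return exim_unescape(smtp_unquote_local_part(wire_local_part))

# Three ways to look for a dollar sign in a local part (hypothetical checks):
NAIVE_RE = re.compile(r'\$')            # literal '$' on the wire form only
HARDENED_RE = re.compile(r'\$|\\x24')   # also the \x24 spelling, as the message asks for

def naive_reject(wire_local_part: str) -> bool:
    return bool(NAIVE_RE.search(wire_local_part))

def regex_reject(wire_local_part: str) -> bool:
    # Run the RE on the SMTP-de-escaped form, which is where \x24 first appears.
    return bool(HARDENED_RE.search(smtp_unquote_local_part(wire_local_part)))

def decode_reject(wire_local_part: str) -> bool:
    # Decode both layers first, then look for the character itself.
    return '$' in to_expansion_input(wire_local_part)

if __name__ == '__main__':
    # Constructed sample local parts as they would appear on the SMTP wire.
    samples = ['"it\\z"', 'plain$', '"\\x24"', '"\\\\x24"', '"\\\\044"']
    print(f'{"wire":<12} {"after SMTP":<10} {"after Exim":<10} naive regex decode')
    for w in samples:
        print(f'{w:<12} {smtp_unquote_local_part(w)!r:<10} {to_expansion_input(w)!r:<10} '
              f'{naive_reject(w)!s:<5} {regex_reject(w)!s:<5} {decode_reject(w)}')
```

The `"\\x24"` row (two backslashes on the wire) is the case in the message: the SMTP quoted-pair eats one backslash, `\x24` survives, and only the `\x24`-aware RE or the decode-then-check approach sees the dollar sign; a single backslash (`"\x24"`) is removed by SMTP and never becomes `$`. The octal row shows why matching on the decoded form is the more robust of the two checks: any spelling the string-escape layer accepts is covered without enumerating it in the RE.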