Re: [exim] CVE-2019-10149: already vulnerable ?

Top Page
This message is part of the following thread:
Mthe complete thread tree sorted by date
MCyborg at <-
M 
Delete this message
Reply to this message
Author: Jeremy Harris
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-10149: already vulnerable ?
On 04/07/2019 21:23, Ian Zimmerman via Exim-users wrote:
> After your important discovery that escaping is done on local parts as
> part of SMTP (at least that's how I interpreted the disappearance of the
> backslash from "it\z"), the next question should be but has not yet
> been: why is this needed at all?

Because Exim's string-escaping lets you write a dollar-sign as \x24.
So we need to get a matcher for that into the RE.

> Won't the whole escape sequence be
> transformed into a dollar sign by the time it is matched against the
> rule?

No; the SMTP string-escaping does not provide that facility.
So an attacker can fairly simply get somthing into a local-part
which ends up as a \x24 after the SMTP de-escaping.

--
Cheers,
Jeremy

This message was posted to the following mailing lists:
Exim-users
Mailing List Info | Nearby Messages		<-Re: [exim] CVE-2019-10149: already vulnerable ?[exim] Delivering case sensitive...->
Tahini and Hummus and Cumin Development Archives administrated by cumin AdminsLurker (version 2.3)