Re: [exim] CVE-2019-10149: already vulnerable ?

Góra strony
Delete this message
Reply to this message
Autor: Jeremy Harris
Data:  
Dla: exim-users
Temat: Re: [exim] CVE-2019-10149: already vulnerable ?
On 04/07/2019 21:23, Ian Zimmerman via Exim-users wrote:
> After your important discovery that escaping is done on local parts as
> part of SMTP (at least that's how I interpreted the disappearance of the
> backslash from "it\z"), the next question should be but has not yet
> been: why is this needed at all?


Because Exim's string-escaping lets you write a dollar-sign as \x24.
So we need to get a matcher for that into the RE.

> Won't the whole escape sequence be
> transformed into a dollar sign by the time it is matched against the
> rule?


No; the SMTP string-escaping does not provide that facility.
So an attacker can fairly simply get somthing into a local-part
which ends up as a \x24 after the SMTP de-escaping.

--
Cheers,
Jeremy