Re: [exim] CVE-2019-15846: Exim - local or remote attacker c…

Top Page

Reply to this message
Author: Heiko Schlittermann
Date:  
To: exim-users
Subject: Re: [exim] CVE-2019-15846: Exim - local or remote attacker can execute programs with root privileges.
Marco Gaiarin via Exim-users <exim-users@???> (Fr 06 Sep 2019 23:42:03 CEST):
> Mandi! Heiko Schlittermann via Exim-users
> In chel di` si favelave...
>
> > Add - as part of the mail ACL (the ACL referenced by the main config
> > option "acl_smtp_mail"):
> >      deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_sni}}}}
> >      deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_in_peerdn}}}}

>
> For very old exim, eg 4.80, there's no _in_ and _out_ variables, so:
>
>       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_sni}}}}
>       deny    condition = ${if eq{\\}{${substr{-1}{1}{$tls_peerdn}}}}

>


And, if your Exim is linked against GnuTLS there is no $tls_sni variable
at all. But - to my knowledge - the exploitable string is written to the
-H spool file anyway (and read back).

So you can't protect yourself simply by using the above ACL statements.

Best option:        install 4.92.2
2nd best option:    use the source of your installed version
                    and apply the patch (it is a single line, check
                    the commit 2600301ba6dbac5c9d640c87007a07ee6dcea1f4
                    and look for file src/src/string.c
3rd best option:    do binary patching and replace the string "-tls_sni"
                    by e.g. "-foo_bar" (not sure about the impact
                    though, untested)


Here is the patch, the important part is the line "+if (ch == '\0') ..."

diff --git a/src/src/string.c b/src/src/string.c
index 5e48b445c..c6549bf93 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -224,6 +224,8 @@ interpreted in strings.
 Arguments:
   pp       points a pointer to the initiating "\" in the string;
            the pointer gets updated to point to the final character
+           If the backslash is the last character in the string, it
+           is not interpreted.
 Returns:   the value of the character escape
 */


@@ -236,6 +238,7 @@ const uschar *hex_digits= CUS"0123456789abcdef";
int ch;
const uschar *p = *pp;
ch = *(++p);
+if (ch == '\0') return **pp;
if (isdigit(ch) && ch != '8' && ch != '9')
{
ch -= '0';
@@ -1210,8 +1213,8 @@ memcpy(g->s + p, s, count);
g->ptr = p + count;
return g;
}
-
-
+
+
gstring *
string_cat(gstring *string, const uschar *s)
{


    Best regards from Dresden/Germany
    Viele Grüße aus Dresden
    Heiko Schlittermann
--
 SCHLITTERMANN.de ---------------------------- internet & unix support -
 Heiko Schlittermann, Dipl.-Ing. (TU) - {fon,fax}: +49.351.802998{1,3} -
 gnupg encrypted messages are welcome --------------- key ID: F69376CE -
 ! key id 7CBF764A and 972EAC9F are revoked since 2015-01 ------------ -