Date: 6 May 2004 18:37:37 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [UNIX] Exim Buffer Overflows (sender_verify, headers_check_syntax)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Exim Buffer Overflows (sender_verify, headers_check_syntax)
------------------------------------------------------------------------
SUMMARY
"Exim (http://www.exim.org/) is a message transfer agent (MTA) developed
at the University of Cambridge for use on Unix systems connected to the
Internet. It is freely available under the terms of the GNU General Public
License. In style it is similar to Smail 3, but its facilities are more
general. There is a great deal of flexibility in the way mail can be
routed, and there are extensive facilities for checking incoming mail.
Exim can be installed in place of Sendmail, although the configuration of
Exim is quite different to that of Sendmail."
Two buffer overflow vulnerabilities have been found in Exim. Neither can be
exploited in a default installation: each requires a configuration option
that is not enabled by default.
DETAILS
Vulnerable Systems:
* Exim version 3.35 and prior (both vulnerabilities)
* Exim version 4.32 and prior (2nd vulnerability only)
Georgi Guninski has reported two vulnerabilities in Exim that can be
exploited by a malicious attacker.
1) By issuing a malformed MAIL FROM address, an attacker can trigger a
buffer overflow if "sender_verify" is set to "true" in the exim.conf file
(this is not the default setting).
2) Due to insufficient checking of the length of user-provided data, an
out-of-bounds pointer can be accessed. This vulnerability requires that
"headers_check_syntax" (Exim 3.xx) or "require verify = header_syntax"
(Exim 4.xx) is set in the exim.conf file (this is not the default setting).
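Because both issues hinge on non-default configuration, the first thing an administrator wants is a quick way to tell whether an existing exim.conf enables them. The following checker is an added example, not part of the advisory or of Exim itself; it assumes the usual Exim option syntax (a boolean main option written as `opt`, `opt = true`, or negated as `no_opt` / `opt = false`, and the Exim 4 ACL condition `verify = header_syntax` on a `require`/`deny`/`warn`/`accept` line). The sample configuration fragments are constructed for the demonstration.

```python
import re

# Constructed sample configuration fragments (not taken from the advisory).
SAMPLE_EXIM3_CONF = """\
# main configuration (Exim 3 style)
primary_hostname = mail.example.test
sender_verify = true
headers_check_syntax
"""

SAMPLE_EXIM4_CONF = """\
acl_check_rcpt:
  require verify = header_syntax
  accept
"""

SAFE_CONF = """\
primary_hostname = mail.example.test
sender_verify = false
"""

# Boolean main options the advisory ties to each issue (Exim 3.35 and prior).
_BOOL_OPTS = {
    "sender_verify": "Exim 3.35 and prior: MAIL FROM buffer overflow (issue 1)",
    "headers_check_syntax": "Exim 3.35 and prior: out-of-bounds access in header syntax check (issue 2)",
}

# Exim 4 ACL condition named in the advisory (Exim 4.32 and prior).
_ACL_RE = re.compile(
    r"^\s*(require|deny|warn|accept|defer|discard)\b.*\bverify\s*=\s*header_syntax\b"
)
_ACL_NOTE = "Exim 4.32 and prior: out-of-bounds access in header syntax check (issue 2)"


def _bool_option_state(line, opt):
    """Return True/False if `line` sets boolean option `opt`, else None.

    Assumed Exim syntax: "opt" or "opt = true|yes" enables it,
    "no_opt" or "opt = false|no" disables it.
    """
    m = re.match(rf"^\s*(no_)?{re.escape(opt)}\s*(?:=\s*(\S+))?\s*$", line)
    if not m:
        return None
    negated, value = m.group(1), m.group(2)
    if negated:
        return False
    if value is None:
        return True
    return value.lower() in ("true", "yes")


def find_risky_settings(conf_text):
    """Return a list of (line_no, setting, note) for each enabled risky setting."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        # Drop trailing comments; blank and comment-only lines carry no setting.
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        for opt, note in _BOOL_OPTS.items():
            if _bool_option_state(line, opt) is True:
                findings.append((line_no, opt, note))
        if _ACL_RE.match(line):
            findings.append((line_no, "verify = header_syntax", _ACL_NOTE))
    return findings


def report(name, conf_text):
    """Print a short human-readable summary for one configuration."""
    findings = find_risky_settings(conf_text)
    if not findings:
        print(f"{name}: no settings from the advisory are enabled")
        return
    for line_no, setting, note in findings:
        print(f"{name}: line {line_no}: '{setting}' enabled -> {note}")


if __name__ == "__main__":
    report("exim3.conf", SAMPLE_EXIM3_CONF)
    report("exim4.conf", SAMPLE_EXIM4_CONF)
    report("safe.conf", SAFE_CONF)
```

A hit does not by itself mean the host is exploitable; it means the configuration matches one of the preconditions the advisory names, and the Exim version (3.35 and prior, or 4.32 and prior) still has to be checked. Running the checker on a real exim.conf is a matter of passing the file's contents to `find_risky_settings`.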
Exploits:
Exploit codes can be found in the original article.
ADDITIONAL INFORMATION
The information has been provided by Georgi Guninski <[email protected]>.
The original article can be found at:
http://www.guninski.com/exim1.html
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.