Date: 9 Jan 2005 10:47:10 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [UNIX] Exim auth_spa_server() Buffer Overflow Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Exim auth_spa_server() Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.exim.org/>; Exim is a message transfer agent developed for use
on UNIX systems. Remote exploitation of a buffer overflow vulnerability in
Exim 4.41 allows execution of arbitrary commands with elevated privileges.
DETAILS
Vulnerable Systems:
* Exim version 4.42 and prior
To determine if the Exim version being used is vulnerable, connect to port
25 of the machine with Exim installed and type:
EHLO localhost
If AUTH NTLM appears in the output the application may be vulnerable.
Immune Systems:
* Exim version 4.43 or newer
Details:
Exim is a message transfer agent developed for use on UNIX systems. The
problem specifically exists in the auth_spa_server function. The function
fails to check the length of input to spa_base64_to_bits(), which decodes
a Base64-encoded string into a buffer of a fixed length. This string is
user-controlled and passed to the program from a remote connection.
Analysis:
Exploitation of this vulnerability will give an attacker remote access to
the mailer uid. The Exim mailer is setuid root, but drops privileges
before the vulnerable code is reached. A remote attacker may be able to
use other vulnerabilities to further elevate their privileges.
This vulnerability is only exploitable when the spa authentication method
has been configured by setting AUTH_SPA=yes in Local/Makefile
Vendor Response:
A patch for Exim release 4.43 which addresses this vulnerability is
available at:
<http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html>;
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
The patch will be incorporated into a future Exim release (4.50).
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0022>;
CAN-2005-0022
Disclosure Timeline:
12/23/2004 - Initial vendor notification
12/29/2004 - Initial vendor response
01/07/2004 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com.> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=178&type=vulnerabilities>; http://www.idefense.com/application/poi/display?id=178&type=vulnerabilities
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
