Date: 9 Jan 2005 10:49:26 +0200
From: SecuriTeam <support@securiteam.com.>
To: [email protected]Subject: [UNIX] Exim host_aton() Buffer Overflow Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Exim host_aton() Buffer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
Exim is "a message transfer agent developed for use on UNIX systems".
Local exploitation of a buffer overflow vulnerability in Exim 4.41 allows
execution of arbitrary commands with elevated privileges.
DETAILS
Vulnerable Systems:
* Exim version 4.42 and prior
Immune Systems:
* Exim version 4.43 or newer
The problem specifically exists in the host_aton function. The function
fails to check the number of elements it stores in a fixed size array. The
elements come from a user-controlled string and are passed into the
program from a command line option.
Analysis:
Exploitation of this vulnerability will give an attacker access to the
mailer uid. The exim mailer is setuid root, but drops privileges before
the vulnerable code is reached. Having the mailer uid may allow access to
sensitive information in e-mail messages or possibly further elevation.
Vendor Response:
A patch for Exim release 4.43 which addresses this vulnerability is
available at:
<http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html>;
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
The patch will be incorporated into a future Exim release (4.50).
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0021>;
CAN-2005-0021
Disclosure Timeline:
12/23/2004 - Initial vendor notification
12/29/2004 - Initial vendor response
01/07/2005 - Public disclosure
ADDITIONAL INFORMATION
The information has been provided by
<mailto:idlabs-advisories@idefense.com.> iDEFENSE.
The original article can be found at:
<http://www.idefense.com/application/poi/display?type=vulnerabilities>;
http://www.idefense.com/application/poi/display?type=vulnerabilities
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
