Exim Illegal IPv6 Address Buffer Overflow Vulnerability
BID:12185
Info
Exim Illegal IPv6 Address Buffer Overflow Vulnerability
| Bugtraq ID: | 12185 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2005-0021 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 06 2005 12:00AM |
| Updated: | Jul 12 2009 09:27AM |
| Credit: | Discovery is credited to an anonymous source. |
| Vulnerable: |
University of Cambridge Exim 4.43 University of Cambridge Exim 4.42 University of Cambridge Exim 4.41 University of Cambridge Exim 4.40 University of Cambridge Exim 4.34 University of Cambridge Exim 4.33 University of Cambridge Exim 4.32 University of Cambridge Exim 4.21 University of Cambridge Exim 4.20 University of Cambridge Exim 4.10 SuSE Linux 8.1 S.u.S.E. Linux Personal 9.2 S.u.S.E. Linux Personal 9.1 S.u.S.E. Linux Personal 9.0 x86_64 S.u.S.E. Linux Personal 9.0 S.u.S.E. Linux Personal 8.2 Redhat Fedora Core3 Redhat Fedora Core2 Debian Linux 3.0 sparc Debian Linux 3.0 s/390 Debian Linux 3.0 ppc Debian Linux 3.0 mipsel Debian Linux 3.0 mips Debian Linux 3.0 m68k Debian Linux 3.0 ia-64 Debian Linux 3.0 ia-32 Debian Linux 3.0 hppa Debian Linux 3.0 arm Debian Linux 3.0 alpha ALT Linux ALT Linux Junior 2.3 ALT Linux ALT Linux Compact 2.3 |
| Not Vulnerable: | |
Discussion
Exim Illegal IPv6 Address Buffer Overflow Vulnerability
Exim is reported susceptible to a buffer overflow vulnerability when attempting to parse illegal IPv6 addresses. This issue is due to a failure of the application to properly bounds check user-supplied input prior to copying it to a fixed-size memory buffer.
The original reporter suggested that this vulnerability may be exploited to gain elevated privileges via calling Exim with unspecified command line arguments. Gaining elevated privileges would only be possible where the Exim binary is installed with setuid privileges.
It is conjectured that code paths other than those pertaining to command line processing may result in remotely exploitable buffer overflow vulnerabilities, but this is not confirmed at the present time.
Exim is reported susceptible to a buffer overflow vulnerability when attempting to parse illegal IPv6 addresses. This issue is due to a failure of the application to properly bounds check user-supplied input prior to copying it to a fixed-size memory buffer.
The original reporter suggested that this vulnerability may be exploited to gain elevated privileges via calling Exim with unspecified command line arguments. Gaining elevated privileges would only be possible where the Exim binary is installed with setuid privileges.
It is conjectured that code paths other than those pertaining to command line processing may result in remotely exploitable buffer overflow vulnerabilities, but this is not confirmed at the present time.
Exploit / POC
Exim Illegal IPv6 Address Buffer Overflow Vulnerability
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution / Fix
Exim Illegal IPv6 Address Buffer Overflow Vulnerability
Solution:
The vendor has released patches, and a snapshot version of Exim to address this issue. These patches are for version 4.43 of Exim, but the vendor has reported that they may also work for previous versions.
The patches can be extracted from the referenced email message from Philip Hazel.
Debian has released an advisory (DSA 637-1) and updates to address this vulnerability in exim-tls. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.
RedHat has released two advisories called FEDORA-2005-001 to address this, and other issues for Fedora Core 2 and 3. Please see the referenced advisories for further information.
Ubuntu has released advisory USN-56-1 to address this issue. Please see the attached advisory for further information on obtaining and applying fixes.
Debian has released advisory DSA 635-1 to address this issue. Please see the attached advisory for further information on obtaining and applying fixes.
Gentoo has released an advisory GLSA 200501-23 to address issues in Exim. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:
emerge --sync
emerge --ask --oneshot --verbose ">=mail-mta/exim-4.43-r2"
SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.
ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.
University of Cambridge Exim 4.10
University of Cambridge Exim 4.20
University of Cambridge Exim 4.21
University of Cambridge Exim 4.32
University of Cambridge Exim 4.33
University of Cambridge Exim 4.34
University of Cambridge Exim 4.40
University of Cambridge Exim 4.41
University of Cambridge Exim 4.42
University of Cambridge Exim 4.43
Solution:
The vendor has released patches, and a snapshot version of Exim to address this issue. These patches are for version 4.43 of Exim, but the vendor has reported that they may also work for previous versions.
The patches can be extracted from the referenced email message from Philip Hazel.
Debian has released an advisory (DSA 637-1) and updates to address this vulnerability in exim-tls. Please see the referenced advisory for further information regarding obtaining and applying appropriate updates.
RedHat has released two advisories called FEDORA-2005-001 to address this, and other issues for Fedora Core 2 and 3. Please see the referenced advisories for further information.
Ubuntu has released advisory USN-56-1 to address this issue. Please see the attached advisory for further information on obtaining and applying fixes.
Debian has released advisory DSA 635-1 to address this issue. Please see the attached advisory for further information on obtaining and applying fixes.
Gentoo has released an advisory GLSA 200501-23 to address issues in Exim. Please see the referenced advisory for more information. Gentoo users may carry out the following commands to update their computers:
emerge --sync
emerge --ask --oneshot --verbose ">=mail-mta/exim-4.43-r2"
SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.
ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.
University of Cambridge Exim 4.10
-
SuSE exim-4.12-130.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/exim-4.12-130.i58 6.rpm -
SuSE exim-4.12-130.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/exim-4.12-130.i58 6.rpm -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.20
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.21
-
SuSE exim-4.22-143.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.0/rpm/i586/exim-4.22-143.i58 6.rpm -
SuSE exim-4.22-143.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.0/rpm/x86_64/exim-4.22-143 .x86_64.rpm -
SuSE exim-4.30-25.4.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.1/rpm/i586/exim-4.30-25.4.i5 86.rpm -
SuSE exim-4.30-25.4.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.1/rpm/x86_64/exim-4.30-25. 4.x86_64.rpm -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.32
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.33
-
Fedora exim-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-debuginfo-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-debuginfo-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-doc-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-doc-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-mon-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-mon-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-sa-4.43-1.FC2.1.i386.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
Fedora exim-sa-4.43-1.FC2.1.x86_64.rpm
RedHat Fedora Core 2
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/2/ -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.34
-
Ubuntu exim4-base_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-base_4.34-5u buntu1.1_amd64.deb -
Ubuntu exim4-base_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-base_4.34-5u buntu1.1_powerpc.deb -
Ubuntu exim4-config_4.34-5ubuntu1.1_all.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-config_4.34- 5ubuntu1.1_all.deb -
Ubuntu exim4-daemon-heavy_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-heavy _4.34-5ubuntu1.1_amd64.deb -
Ubuntu exim4-daemon-heavy_4.34-5ubuntu1.1_i386.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-heavy _4.34-5ubuntu1.1_i386.deb -
Ubuntu exim4-daemon-heavy_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-heavy _4.34-5ubuntu1.1_powerpc.deb -
Ubuntu exim4-daemon-light_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-light _4.34-5ubuntu1.1_amd64.deb -
Ubuntu exim4-daemon-light_4.34-5ubuntu1.1_i386.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-light _4.34-5ubuntu1.1_i386.deb -
Ubuntu exim4-daemon-light_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/main/e/exim4/exim4-daemon-light _4.34-5ubuntu1.1_powerpc.deb -
Ubuntu eximon4_4.34-5ubuntu1.1_amd64.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/universe/e/exim4/eximon4_4.34-5 ubuntu1.1_amd64.deb -
Ubuntu eximon4_4.34-5ubuntu1.1_i386.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/universe/e/exim4/eximon4_4.34-5 ubuntu1.1_i386.deb -
Ubuntu eximon4_4.34-5ubuntu1.1_powerpc.deb
Ubuntu 4.10 (Warty Warthog)
http://security.ubuntu.com/ubuntu/pool/universe/e/exim4/eximon4_4.34-5 ubuntu1.1_powerpc.deb -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.40
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.41
-
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.42
-
SuSE exim-4.42-3.2.i586.rpm
ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/exim-4.42-3.2.i58 6.rpm -
SuSE exim-4.42-3.2.x86_64.rpm
ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/exim-4.42-3.2 .x86_64.rpm -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
University of Cambridge Exim 4.43
-
Fedora exim-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-debuginfo-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-debuginfo-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-doc-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-doc-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-mon-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-mon-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-sa-4.43-1.FC3.1.i386.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
Fedora exim-sa-4.43-1.FC3.1.x86_64.rpm
RedHat Fedora Core 3
http://download.fedora.redhat.com/pub/fedora/linux/core/updates/3/ -
University of Cambridge exim-snapshot.tar.gz
ftp://ftp.csx.cam.ac.uk/pub/software/email/exim/Testing/exim-snapshot. tar.gz
References
Exim Illegal IPv6 Address Buffer Overflow Vulnerability
References:
References:
- [exim] 2 smallish security issues (Philip Hazel)
- [security-announce] I: updated packages available (ALT Linux)
- Exim homepage (Exim)
- Exim host_aton() Buffer Overflow Vulnerability (iDEFENSE)