Exim IP Address Command Line Argument Local Buffer Overflow Vulnerability
BID:12268
Info
| Bugtraq ID: | 12268 |
| Class: | Boundary Condition Error |
| CVE: | CVE-2005-0021 |
| Remote: | No |
| Local: | Yes |
| Published: | Jan 14 2005 12:00AM |
| Updated: | Jul 12 2009 09:27AM |
| Credit: | The individual or individuals responsible for the discovery of this issue wish to remain anonymous. |
| Vulnerable: | University of Cambridge Exim 4.43; University of Cambridge Exim 4.42; University of Cambridge Exim 4.41; University of Cambridge Exim 4.40; SuSE Linux 8.1; S.u.S.E. Linux Personal 9.2; S.u.S.E. Linux Personal 9.1; S.u.S.E. Linux Personal 9.0 x86_64; S.u.S.E. Linux Personal 9.0; S.u.S.E. Linux Personal 8.2; ALT Linux ALT Linux Junior 2.3; ALT Linux ALT Linux Compact 2.3 |
| Not Vulnerable: | |
Discussion
A local buffer overflow vulnerability triggered by an excessively long command line argument affects Exim. This issue is due to a failure of the application to validate the length of user-supplied data prior to attempting to store it in process buffers.
An attacker may leverage this issue to execute arbitrary code with the privileges of the affected mailer application. As the application is a setuid application, it is possible that further privilege escalation may occur.
Exploit / POC
The following proof-of-concept exploits have been made available by Rafael San Miguel Carrasco (eximExploit.tar.gz), pi3ki31ny (p_exim.c), and Tony Lockett "plugger" (exim-exploit.c).
Solution / Fix
Solution:
The University of Cambridge has reportedly released a patch dealing with this issue, although this is not confirmed. Users are advised to contact the vendor for more information.
SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.
ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.
University of Cambridge Exim 4.42
- SuSE exim-4.42-3.2.i586.rpm
  ftp://ftp.suse.com/pub/suse/i386/update/9.2/rpm/i586/exim-4.42-3.2.i586.rpm
- SuSE exim-4.42-3.2.x86_64.rpm
  ftp://ftp.suse.com/pub/suse/x86_64/update/9.2/rpm/x86_64/exim-4.42-3.2.x86_64.rpm
References
References:
- [exim] 2 smallish security issues (Philip Hazel)
- [security-announce] I: updated packages available (ALT Linux)
- Exim homepage (Exim)
- exim dns_buld_reverse() proof-of-concept (Rafael San Miguel Carrasco)
- iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow (iDEFENSE)