A local root vulnerability has been discovered in
Exim 4.x (4.10 verified and exploit available) and in
Exim 3.x (3.35 verified).
Impact
------
The vulnerability can only be exploited by an Exim
"admin user" (root, the Exim user and members of the
Exim group, which are set by values compiled into the
binary). Thus the RISK of this vulnerability is LOW.
Details
-------
This is a format string bug in daemon.c, line 976:
sprintf(CS buff, CS pid_file_path, ""); /* Backward compatibility */
pid_file_path can be set on the command line (the -oP
option) and is passed to sprintf() as the format string
rather than as data: a path containing conversions such
as %x or %n makes the setuid-root binary read from, and
write to, stack locations chosen by the caller.
This line is in the function daemon_go(), which only
gets executed when the calling user is an Exim admin
user. This restricts the impact of this vulnerability a
lot: standard configurations on all distributions should
be safe, because no ordinary user is an admin user
(verified: Debian Woody i386).
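The following is an added example, not Exim's code and not part of the
original advisory: it puts the unsafe sprintf() pattern quoted above
beside a hardened replacement that keeps the "backward compatibility"
behaviour (a single %s in the path expands to the empty string) without
ever handing the admin-supplied path to printf as a format. Function
names, PID_PATH_MAX and the sample paths are assumptions made for the
example.

```c
/* Added example (not Exim's code): the unsafe sprintf pattern from the
 * advisory beside a hardened replacement. Function names, PID_PATH_MAX
 * and the sample paths are assumptions made for this example. */
#include <stdio.h>
#include <string.h>

#define PID_PATH_MAX 256

/* Vulnerable pattern, as on daemon.c line 976: pid_file_path is the format.
 * With a path such as "/tmp/%x%x%n" this is undefined behaviour (stack
 * reads and writes), which is exactly the bug; the demo only calls it with
 * a benign path, where "%s" is expanded to the empty-string argument. */
int build_pid_path_vuln(char *out, size_t outsz, const char *pid_file_path)
{
    return snprintf(out, outsz, pid_file_path, "");
}

/* Hardened replacement: copies the path literally, expanding at most one
 * "%s" to "" and "%%" to "%"; any other conversion (%n, %x, a second %s,
 * a trailing lone %) is rejected. Returns 0 on success, -1 on rejection or
 * if the result does not fit in out. */
int build_pid_path_safe(char *out, size_t outsz, const char *pid_file_path)
{
    size_t o = 0;
    int seen_s = 0;

    if (outsz == 0) return -1;
    for (const char *p = pid_file_path; *p; p++) {
        char c = *p;
        if (c == '%') {
            if (p[1] == '%') {
                p++;                       /* "%%" -> literal '%' */
            } else if (p[1] == 's' && !seen_s) {
                seen_s = 1;                /* "%s" -> "" (compat behaviour) */
                p++;
                continue;
            } else {
                return -1;                 /* %n, %x, second %s, lone % ... */
            }
        }
        if (o + 1 >= outsz) return -1;     /* leave room for the NUL */
        out[o++] = c;
    }
    out[o] = '\0';
    return 0;
}

/* Self-check helpers: 1 when the builder accepts `path` and produces
 * exactly `expected`, 0 otherwise (a rejected path also yields 0). */
int safe_build_yields(const char *path, const char *expected)
{
    char buf[PID_PATH_MAX];
    if (build_pid_path_safe(buf, sizeof buf, path) != 0) return 0;
    return strcmp(buf, expected) == 0;
}

/* 1 when the hardened builder refuses `path`. */
int safe_build_rejects(const char *path)
{
    char buf[PID_PATH_MAX];
    return build_pid_path_safe(buf, sizeof buf, path) != 0;
}

/* Only ever called with a benign path (no conversions beyond one %s). */
int vuln_build_yields(const char *path, const char *expected)
{
    char buf[PID_PATH_MAX];
    if (build_pid_path_vuln(buf, sizeof buf, path) < 0) return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample paths; on the real binary -oP sets pid_file_path. */
    const char *compat  = "/var/run/exim%s.pid";   /* old-style, one %s */
    const char *hostile = "/tmp/%x%x%x%n";          /* the shape an exploit feeds in */

    printf("compat path  -> vuln builder: %s, safe builder: %s\n",
           vuln_build_yields(compat, "/var/run/exim.pid") ? "/var/run/exim.pid" : "?",
           safe_build_yields(compat, "/var/run/exim.pid") ? "/var/run/exim.pid" : "?");
    printf("hostile path -> safe builder rejects: %s\n",
           safe_build_rejects(hostile) ? "yes" : "no");
    /* The vulnerable builder is deliberately never run on the hostile path. */
    return 0;
}
```

The fix Exim actually shipped may differ; the point of the hardened
builder is that the only acceptable way to keep the old "%s" convenience
is to interpret it yourself, so that %n and friends never reach the
printf family at all.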
Solution
--------
Exim developers have been informed and a patch will be
ready shortly.
Exploit
-------
Please find attached a demonstration exploit of this
vulnerability, tested on Debian Woody i386.
Four defines in the exploit must be adjusted to the
target before it will work - see the file for details.
Discovered by
-------------
Thomas Wana <01psi194 (at) fhwn.ac (dot) at [email concealed]>
Credits
-------
greetings to the hoagie industries security group :-)