Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5103.htm

Exim potential local buffer overflow



14th Feb 2002 [SBWID-5103]
COMMAND

	Exim potential local buffer overflow

SYSTEMS AFFECTED

	Exim 3.34 and lower

PROBLEM

	The  Analyzer,  Izik  and  Mixter  of   2xs   security   research   team
	[http://2xss.com/] found :
	

	Its looks like there is  few  insecure/lame  programming  in  exim  mail
	server up to current version.
	

	first lets take a look at the file:
	

	[2xs:root:~] ls -la /usr/exim/bin/exim

	-rws--x--x    1 root     root      2061186 Oct 23 12:56

	/usr/exim/bin/exim*

	[2xs:root:~]

	

	Suid goodie.
	

	[2xs:w00p:/root] id

	uid=1001(w00p) gid=100(users) groups=100(users)

	[2xs:w00p:/root] /usr/exim/bin/exim -F `perl -e\' print \"A\" x 32770\'` -C

	`perl -e\' print \"A\" x 32768\'`

	Segmentation fault

	[2xs:w00p:/root]

	

	Many other argument should work as well  (as  long  there  is  -C  among
	them)
	

	[2xs:root:~] gdb /usr/exim/bin/exim

	GNU gdb 5.0

	Copyright 2000 Free Software Foundation, Inc.

	GDB is free software, covered by the GNU General Public License, and you

	are

	welcome to change it and/or distribute copies of it under certain

	conditions.

	Type \"show copying\" to see the conditions.

	There is absolutely no warranty for GDB.  Type \"show warranty\" for

	details.

	This GDB was configured as \"i386-slackware-linux\"...

	(gdb) r -F `perl -e\' print \"A\" x 32770\'` -C `perl -e\' print \"A\" x

	32768\'`

	Starting program: /usr/exim/bin/exim -F `perl -e\' print \"A\" x 32770\'` -C

	`perl -e\' print \"A\" x

	32768\'`

	

	Program received signal SIGSEGV, Segmentation fault.

	strcpy (dest=0x820e208 \'A\' <repeats 200 times>..., src=0xbfff7b48 \'A\'

	<repeats 200 times>...)

	    at ../sysdeps/generic/strcpy.c:40

	40      ../sysdeps/generic/strcpy.c: No such file or directory.

	(gdb) info registers

	eax            0x48216641       1210148417

	ecx            0x482166bf       1210148543

	edx            0xbfffa941       -1073764031

	ebx            0xbffef8d4       -1073809196

	esp            0xbffeeefc       0xbffeeefc

	ebp            0xbffeef00       0xbffeef00

	esi            0x820e208        136372744

	edi            0x3      3

	eip            0x401690e4       0x401690e4

	eflags         0x10286  66182

	cs             0x23     35

	ss             0x2b     43

	ds             0x2b     43

	es             0x2b     43

	fs             0x0      0

	gs             0x0      0

	fctrl          0x37f    895

	fstat          0x0      0

	ftag           0xffff   65535

	fiseg          0x23     35

	fioff          0x4009ca84       1074383492

	foseg          0x2b     43

	fooff          0x400fa440       1074766912

	fop            0x49b    1179

	

	after short debugging we found that there is no overflow since  the  eip
	register coredumped in the code segment and not  in  the  data  segment,
	yet we believe that there might be  a  way  to  exploit  this  bug  with
	log_write(), we are not going to deliver a  working  exploit  until  the
	vendor will research and fix this bug.
	

	In version 3.21 and lower there is another small bug with -t flag  again
	non exploitable just bad programming.

SOLUTION

	Note : this is NOT an official patch, but provided  by  the  bug  finder
	(patch to version 3.34)
	

	--------------C2FFD0A39E3737A0A718E02C

	Content-Type: TEXT/PLAIN; CHARSET=x-user-defined; NAME=\"exim-3.34-patch.diff\"

	Content-ID: <Pine.LNX.4.43.0202131118553.9724@mail.securityfocus.com>

	Content-Description: 

	Content-Disposition: INLINE; FILENAME=\"exim-3.34-patch.diff\"

	

	diff -Nru exim-3.34/src.old/accept.c exim-3.34/src/accept.c

	--- exim-3.34/src.old/accept.c	Tue Feb 12 13:40:44 2002

	+++ exim-3.34/src/accept.c	Tue Feb 12 13:47:33 2002

	@@ -1506,7 +1506,7 @@

	 

	 /* Save for comparing with next one */

	 

	-strcpy(last_message_id, message_id);

	+strncpy(last_message_id, message_id, MESSAGE_ID_LENGTH); /* Fixed a one-byte overflow -- Mixter */

	 

	 /* Add the current message id onto the current process info string if

	 it will fit. */

	diff -Nru exim-3.34/src.old/deliver.c exim-3.34/src/deliver.c

	--- exim-3.34/src.old/deliver.c	Tue Feb 12 13:40:44 2002

	+++ exim-3.34/src/deliver.c	Tue Feb 12 14:15:53 2002

	@@ -3704,7 +3704,7 @@

	 the message size. */

	 

	 deliver_force = forced;

	-strcpy(message_id, id);

	+strncpy(message_id, id, MESSAGE_ID_LENGTH);

	 return_count = 0;

	 message_size = 0;

	 

	@@ -4083,7 +4083,8 @@

	         slen += 3;

	         }

	 

	-      strcpy(h->text + slen, s);

	+      /* Fixed potential remote vulnerability -- Mixter */

	+      strncpy(h->text + slen, s, size-slen-1);

	       slen += len;

	       }

	 

	diff -Nru exim-3.34/src.old/host.c exim-3.34/src/host.c

	--- exim-3.34/src.old/host.c	Tue Feb 12 13:40:44 2002

	+++ exim-3.34/src/host.c	Tue Feb 12 19:19:52 2002

	@@ -281,7 +281,7 @@

	   }

	 

	 sender_fullhost =

	-  store_malloc((int)strlen(fullhost) + (int)strlen(rcvhost) + 2);

	+  store_malloc((int)strlen(fullhost) + (int)strlen(rcvhost) + 3);

	 sender_rcvhost = sender_fullhost + (int)strlen(fullhost) + 1;

	 strcpy(sender_fullhost, fullhost);

	 strcpy(sender_rcvhost, rcvhost);

	@@ -471,7 +471,7 @@

	 

	   next = store_malloc(sizeof(ip_address_item));

	   next->next = NULL;

	-  strcpy(next->address, s);

	+  strncpy(next->address, s, 46);

	 

	   if (yield == NULL) yield = last = next; else

	     {

	@@ -571,7 +571,7 @@

	 /* If there is no buffer, put the string into some new store. */

	 

	 if (buffer == NULL) return string_copy(yield);

	-strcpy(buffer, yield);

	+strncpy(buffer, yield, 46);

	 return buffer;

	 }

	 

	diff -Nru exim-3.34/src.old/log.c exim-3.34/src/log.c

	--- exim-3.34/src.old/log.c	Tue Feb 12 13:40:44 2002

	+++ exim-3.34/src/log.c	Tue Feb 12 14:37:56 2002

	@@ -61,6 +61,14 @@

	 if (!syslog_timestamp) s += 20;

	 len = (int)strlen(s);

	 

	+/* Added safeguard against syslog overflows -- Mixter */

	+if(len > 4096)

	+{

	+	len = 4026;

	+	memset(s+4000,0,strlen(s)-4000);

	+	strcat(s, \" WARNING: Message cut off!\");

	+}

	+

	 #ifndef NO_OPENLOG

	 if (!syslog_open)

	   {

	@@ -185,7 +193,7 @@

	 has been cycled, then open the file. The static slot for saving it is the same

	 size as buffer, and the text has been checked above to fit. */

	 

	-if (strcmp(name, \"main\") == 0) strcpy(mainlog_name, buffer);

	+if (strcmp(name, \"main\") == 0) strncpy(mainlog_name, buffer, LOG_NAME_SIZE);

	 

	 /* After a successful open, arrange for automatic closure on exec(). */

	 

	@@ -585,7 +593,7 @@

	       {

	       spaceleft = seplen + 1;

	       ptr = log_buffer + LOG_BUFFER_SIZE - spaceleft;

	-      strcpy(ptr - (int)strlen(tmsg), tmsg);

	+      strncpy(ptr - (int)strlen(tmsg), tmsg, spaceleft);

	       }

	     (void)string_format(ptr, spaceleft, separator);

	     while(*ptr) ptr++;

	diff -Nru exim-3.34/src.old/match.c exim-3.34/src/match.c

	--- exim-3.34/src.old/match.c	Tue Feb 12 13:40:45 2002

	+++ exim-3.34/src/match.c	Tue Feb 12 14:39:45 2002

	@@ -876,7 +876,7 @@

	 \"+caseful\" in the list, it restores a caseful copy from the original address.

	 */

	 

	-strcpy(address, origaddress);

	+strncpy(address, origaddress, big_buffer_size);

	 for (p = address + ((caseless || llen < 0)? 0 : llen); *p != 0; p++)

	   *p = tolower(*p);

	 

	diff -Nru exim-3.34/src.old/readconf.c exim-3.34/src/readconf.c

	--- exim-3.34/src.old/readconf.c	Tue Feb 12 13:40:45 2002

	+++ exim-3.34/src/readconf.c	Tue Feb 12 14:25:01 2002

	@@ -356,7 +356,7 @@

	     char *newbuffer;

	     big_buffer_size += BIG_BUFFER_SIZE;

	     newbuffer = store_malloc(big_buffer_size);

	-    strcpy(newbuffer, big_buffer);

	+    strncpy(newbuffer, big_buffer, big_buffer_size-1);

	     store_free(big_buffer);

	     big_buffer = newbuffer;

	     if (fgets(big_buffer+newlen, big_buffer_size-newlen, config_file) == NULL)

	@@ -440,7 +440,7 @@

	       {

	       int newsize = big_buffer_size + BIG_BUFFER_SIZE;

	       char *newbuffer = store_malloc(newsize);

	-      strcpy(newbuffer, big_buffer);

	+      strncpy(newbuffer, big_buffer, big_buffer_size-1);

	       s = newbuffer  + (s - big_buffer);

	       ss = newbuffer + (ss - big_buffer);

	       t = newbuffer  + (t - big_buffer);

	@@ -461,7 +461,7 @@

	       memmove(p + replen, pp, ss - pp + 1);

	       ss += moveby;

	       }

	-    strncpy(p, m->replacement, replen);

	+    strncpy(p, m->replacement, replen-2);

	     t = p + replen;

	     }

	   }

	@@ -2240,7 +2240,8 @@

	 

	 /* Finally, try the unadorned name */

	 

	-strcpy(big_buffer, config_filename);

	+/* Fixed overflow. 256 chars are maximally needed here. -- Mixter */

	+strncpy(big_buffer, config_filename, big_buffer_size>256?256:big_buffer_size);

	 if (config_file == NULL) config_file = fopen(big_buffer, \"r\");

	 

	 /* Failure to open the configuration file is a serious disaster. */

	@@ -2326,7 +2327,7 @@

	     m->next = NULL;

	     m->command_line = FALSE;

	     if (mlast == NULL) macros = m; else mlast->next = m;

	-    strcpy(m->name, name);

	+    strncpy(m->name, name, namelen-1); /* fixed potential overflow -- Mixter */

	     m->replacement = string_copy(s);

	     }

	 

	diff -Nru exim-3.34/src.old/tree.c exim-3.34/src/tree.c

	--- exim-3.34/src.old/tree.c	Tue Feb 12 13:40:46 2002

	+++ exim-3.34/src/tree.c	Tue Feb 12 14:30:45 2002

	@@ -32,7 +32,7 @@

	 {

	 char *p = s + (int)strlen(s);

	 while (p > s && p[-1] != \'@\') p--;

	-if (p <= s) strcpy(prepared_address, s); else

	+if (p <= s) strncpy(prepared_address, s, 512); else /* fixed potential remote overflow -- Mixter */

	   {

	   char *t = prepared_address;

	   char *pp = p - 2;

	

	--------------C2FFD0A39E3737A0A718E02C--

	

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH