Re: [Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability

From: Marc Haber (
Date: 01/16/05

    Date: Sun, 16 Jan 2005 14:25:28 +0100


    On Fri, Jan 14, 2005 at 12:41:05PM -0500, wrote:
    > Exim dns_buld_reverse() Buffer Overflow Vulnerability

    That would have to be dns_build_reverse

    > iDEFENSE Security Advisory 01.14.05

    That web page is only viewable with JavaScript enabled, and is thus
    unviewable with a browser configured to minimize the surfing risk. For
    a security-related organization, I consider this poor design.

    > /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

    That one is syntactically invalid, and neither of the obvious fixes
    results in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
    correctly complains that it is unable to parse the parameter as an
    IPv6 address and exits with an exit code of 1. The same happens with a
    locally built 4.41 without Debian patches.

    > iDEFENSE has confirmed the existence of this vulnerability in Exim
    > versions 4.40 and 4.41. A source audit of version 4.42 suggests that it
    > is also vulnerable. It is suspected that earlier versions are also
    > vulnerable.

    According to the upstream author's advisory, released ten days before
    the date of the advisory I am replying to, 4.43 is vulnerable as well.

    > iDEFENSE is currently unaware of any effective workarounds for this
    > vulnerability.

    However, exim's author has released a patch addressing this
    vulnerability ten days before the release of the advisory stating
    there are no effective workarounds.

    So you are basically saying that the patch from Philip Hazel is

    > A patch for Exim release 4.43 which addresses this vulnerability is
    > available at:

    Is that patch an effective workaround, or is it not?

    > The patch will be incorporated into a future Exim release (4.50).

    There is also an interim release 4.44 incorporating the patch:

    I find it also interesting that the release message references two
    iDEFENSE notification messages whose reference numbers have not been
    included in the final advisory as released by iDEFENSE.

    > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    > been assigned yet.

    CAN-2005-0021 and CAN-2005-0022 have been assigned on 2005-01-04, ten
    days before the date of the advisory stating that no CVE number has
    been assigned.

    > 09/30/2004 Initial vendor notification
    > 09/30/2004 Initial vendor response
      01/04/2005 Vendor releases a patch
      01/14/2005 Vendor releases interim release incorporating the patch
    > 01/14/2005 Public disclosure

    > IX. CREDIT
    > The discoverer of this vulnerability wishes to remain anonymous.

    I can fully understand that. The entire advisory seems to be _very_
    sloppily prepared, or to have been unduly delayed and passed by
    reality before it was finally released.

    If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it
    should not have been released in the first place. If it addresses a
    new vulnerability, it should be more clear in that regard. And it
    should include code that actually allows one to reproduce the vulnerability.

    Just for the record:
    The following package versions of exim and exim4 in Debian/GNU Linux
    fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:

    exim4 4.43-2 experimental
    exim4 4.34-10 unstable, testing
    exim 3.36-13 unstable, testing
    exim 3.35-1woody4 stable
    exim-tls 3.35-3woody3 stable


    Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
    Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
    Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
    Full-Disclosure - We believe in it.
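The point Marc makes about the fixed exim, that the advisory's argument is refused at the IPv6-parsing stage before anything is built from it, is the shape a safe dns_build_reverse()-style routine should have. The following is an added example, not Exim's code and not from the advisory: a reverse-lookup name builder for IPv4 and IPv6 literals that derives its output only from the 4 or 16 parsed bytes, so the length of the input string can never influence how much is written to the fixed-size buffer. Function and constant names are hypothetical; the "advisory-style" input is my reading of the intent of the (syntactically broken) command line quoted above.

```c
/* Added example, not Exim's code: a reverse-lookup name builder of the kind
 * dns_build_reverse() implements, written so that an oversized or malformed
 * address string is rejected before anything is written into the fixed
 * buffer. Function and constant names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <arpa/inet.h>

/* Longest possible result is the IPv6 form: 32 nibbles each followed by '.',
 * then "ip6.arpa" and the terminating NUL: 32 * 2 + 8 + 1 = 73 bytes.
 * The IPv4 form ("255.255.255.255.in-addr.arpa", 29 bytes) always fits. */
#define REVERSE_NAME_MAX 73

/* Build "<reversed octets>.in-addr.arpa" or "<reversed nibbles>.ip6.arpa".
 * Returns 0 on success, -1 if addr is not a valid literal or out is too small.
 * The output size is fixed by the parsed address, never by strlen(addr). */
int build_reverse_name(const char *addr, char *out, size_t outlen)
{
    unsigned char v4[4], v6[16];
    static const char hex[] = "0123456789abcdef";

    if (addr == NULL || out == NULL || outlen < REVERSE_NAME_MAX)
        return -1;

    if (inet_pton(AF_INET, addr, v4) == 1) {
        int n = snprintf(out, outlen, "%u.%u.%u.%u.in-addr.arpa",
                         (unsigned)v4[3], (unsigned)v4[2],
                         (unsigned)v4[1], (unsigned)v4[0]);
        return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
    }

    /* inet_pton() is the strict gate: it accepts only a well-formed IPv6
     * literal, so a '%' scope suffix, trailing junk or an overlong group
     * (the shape of the advisory's "::%A..." argument) fails here and the
     * writing loop below is never reached with unexpected input. */
    if (inet_pton(AF_INET6, addr, v6) != 1)
        return -1;

    size_t pos = 0;
    for (int i = 15; i >= 0; i--) {          /* least significant byte first */
        out[pos++] = hex[v6[i] & 0x0f];      /* low nibble, then high nibble */
        out[pos++] = '.';
        out[pos++] = hex[v6[i] >> 4];
        out[pos++] = '.';
    }
    memcpy(out + pos, "ip6.arpa", 9);        /* 9 bytes includes the NUL */
    return 0;
}

/* Convenience wrapper: returns the name in a static buffer, or NULL. */
const char *reverse_name_or_null(const char *addr)
{
    static char buf[REVERSE_NAME_MAX];
    return build_reverse_name(addr, buf, sizeof buf) == 0 ? buf : NULL;
}

/* Constructed input shaped like the advisory's command line as I read it:
 * "::%A" followed by 256 copies of the four bytes that pack('L', 0xdeadbeef)
 * emits on a little-endian host. Returns 1 if the builder rejects it. */
int advisory_style_input_rejected(void)
{
    static const unsigned char beef[4] = { 0xef, 0xbe, 0xad, 0xde };
    char arg[4 + 256 * 4 + 1];
    char out[REVERSE_NAME_MAX];
    size_t pos = 0;

    memcpy(arg + pos, "::%A", 4);
    pos += 4;
    for (int i = 0; i < 256; i++) {
        memcpy(arg + pos, beef, 4);
        pos += 4;
    }
    arg[pos] = '\0';
    return build_reverse_name(arg, out, sizeof out) == -1;
}

int main(void)
{
    /* Constructed sample literals, including two malformed ones. */
    const char *samples[] = { "192.0.2.1", "::1", "2001:db8::1",
                              "::%A", "2001:db8::1:zz" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *r = reverse_name_or_null(samples[i]);
        printf("%-16s -> %s\n", samples[i], r ? r : "rejected");
    }
    printf("advisory-style argument rejected: %s\n",
           advisory_style_input_rejected() ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is the ordering: parse into fixed-size bytes first, then format from those bytes, and size the buffer from the largest possible formatted result rather than from the caller's string. A builder that walks the hex digits of the input directly has no such ceiling, which is exactly the class of bug a `-bh` argument of several hundred bytes can reach.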
