Re: [Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability

From: Marc Haber (mh+full-disclosure_at_zugschlus.de)
Date: 01/16/05

    Date: Sun, 16 Jan 2005 14:25:28 +0100
    To: customerservice@idefense.com
    
    

    Hi,

    On Fri, Jan 14, 2005 at 12:41:05PM -0500, idlabs-advisories@idefense.com wrote:
    > Exim dns_buld_reverse() Buffer Overflow Vulnerability

    That would have to be dns_build_reverse

    > iDEFENSE Security Advisory 01.14.05
    > www.idefense.com/application/poi/display?id=183&type=vulnerabilities

    That web page is only viewable with JavaScript enabled, and is thus
    unviewable with a browser configured to minimize the surfing risk. For
    a security-related organization, I consider this poor design.

    > /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

    That one is syntactically invalid, and neither of the obvious fixes
    results in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
    correctly complains that it is unable to parse the parameter as an
    IPv6 address and exits with an exit code of 1. The same happens with a
    locally built 4.41 without Debian patches.

    > iDEFENSE has confirmed the existence of this vulnerability in Exim
    > versions 4.40 and 4.41. A source audit of version 4.42 suggests that it
    > is also vulnerable. It is suspected that earlier versions are also
    > vulnerable.

    According to the upstream author's advisory, released ten days before
    the date of the advisory I am replying to, 4.43 is vulnerable as well.

    > V. WORKAROUND
    >
    > iDEFENSE is currently unaware of any effective workarounds for this
    > vulnerability.

    However, exim's author had released a patch addressing this
    vulnerability ten days before the release of the advisory stating
    that there are no effective workarounds.

    So you are basically saying that the patch from Philip Hazel is
    ineffective?

    > VI. VENDOR RESPONSE
    >
    > A patch for Exim release 4.43 which addresses this vulnerability is
    > available at:
    >
    > http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

    Is that patch an effective workaround, or is it not?

    > The patch will be incorporated into a future Exim release (4.50).

    There is also an interim release 4.44 incorporating the patch:

    http://www.exim.org/mail-archives/exim-announce/2005/msg00001.html

    I also find it interesting that the release message references two
    iDEFENSE notification messages whose reference numbers have not been
    included in the final advisory as released by iDEFENSE.

    > VII. CVE INFORMATION
    >
    > A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
    > been assigned yet.

    CAN-2005-0021 and CAN-2005-0022 have been assigned on 2005-01-04, ten
    days before the date of the advisory stating that no CVE number has
    been assigned.

    > VIII. DISCLOSURE TIMELINE
    >
    > 09/30/2004 Initial vendor notification
    > 09/30/2004 Initial vendor response
      01/04/2005 Vendor releases a patch
      01/14/2005 Vendor releases interim release incorporating the patch
    > 01/14/2005 Public disclosure

    > IX. CREDIT
    >
    > The discoverer of this vulnerability wishes to remain anonymous.

    I can fully understand that. The entire advisory seems to be _very_
    sloppily prepared, or to have been unduly delayed and passed by
    reality before it was finally released.

    If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it
    should not have been released in the first place. If it addresses a
    new vulnerability, it should be more clear in that regard. And it
    should include code that actually allows one to reproduce the vulnerability.

    Just for the record:
    The following package versions of exim and exim4 in Debian/GNU Linux
    fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:

    exim4 4.43-2 experimental
    exim4 4.34-10 unstable, testing
    exim 3.36-13 unstable, testing
    exim 3.35-1woody4 stable
    exim-tls 3.35-3woody3 stable

    Greetings
    Marc

    -- 
    -----------------------------------------------------------------------------
    Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
    Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
    Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
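The behaviour Marc reports for the patched exim (an argument that does not parse as an IPv6 address is rejected with an error before anything is built from it) can be illustrated in isolation. The following C program is an added example written for this page; it is not Exim's source and does not reproduce dns_build_reverse(). The function names parse_ipv6 and build_reverse_name are hypothetical, and the parser is deliberately strict: it refuses a `%` scope suffix such as the `::%A` in the quoted PoC, more than eight groups, a second `::`, and a trailing single colon. The ip6.arpa name is written with bounded snprintf calls, and the builder returns an error rather than truncating when the name does not fit the caller's buffer.

```c
/* Added illustration (not Exim code): validate an IPv6 literal first, then
 * build its ip6.arpa reverse name into a caller-supplied, bounded buffer. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Parse an IPv6 literal into 16 bytes. Returns 0 on success, -1 on any
 * malformed input (scope suffix, too many groups, two "::", stray ':'). */
static int parse_ipv6(const char *s, unsigned char out[16]) {
    unsigned short groups[8];
    int n = 0;        /* groups parsed so far */
    int gap = -1;     /* group index where "::" occurred, or -1 */
    const char *p = s;

    if (*p == ':') {                 /* a leading ':' is only legal as "::" */
        if (p[1] != ':') return -1;
        gap = 0;
        p += 2;
    }
    while (*p != '\0') {
        unsigned v = 0;
        int digits = 0;
        while (digits < 4 && isxdigit((unsigned char)*p)) {
            int c = tolower((unsigned char)*p);
            v = v * 16 + (unsigned)(isdigit(c) ? c - '0' : c - 'a' + 10);
            p++;
            digits++;
        }
        if (digits == 0) return -1;  /* '%', ':::' or other junk where a group must be */
        if (n >= 8) return -1;       /* more than eight groups: refuse, do not overflow */
        groups[n++] = (unsigned short)v;

        if (*p == '\0') break;
        if (*p != ':') return -1;    /* e.g. a "%A" scope suffix or a fifth hex digit */
        p++;
        if (*p == ':') {             /* "::" */
            if (gap >= 0) return -1; /* only one "::" allowed */
            gap = n;
            p++;
        } else if (*p == '\0') {
            return -1;               /* trailing single ':' */
        }
    }

    if (gap < 0) {
        if (n != 8) return -1;       /* no "::": exactly eight groups required */
    } else if (n > 7) {
        return -1;                   /* "::" must stand for at least one group */
    }

    /* Expand "::" into the missing zero groups and serialise big-endian. */
    unsigned short full[8] = {0};
    int zeros = 8 - n;
    int j = 0;
    for (int i = 0; i < n; i++) {
        if (gap >= 0 && i == gap) j += zeros;
        full[j++] = groups[i];
    }
    for (int i = 0; i < 8; i++) {
        out[2 * i] = (unsigned char)(full[i] >> 8);
        out[2 * i + 1] = (unsigned char)(full[i] & 0xff);
    }
    return 0;
}

/* Write the ip6.arpa name for addr into buf. Returns the number of characters
 * written (always 72 for a valid address), or -1 if addr is malformed or the
 * name would not fit in buflen bytes including the terminating NUL. */
static int build_reverse_name(const char *addr, char *buf, size_t buflen) {
    unsigned char a[16];
    if (parse_ipv6(addr, a) != 0) return -1;

    size_t pos = 0;
    for (int i = 15; i >= 0; i--) {  /* nibbles in reverse order, low nibble first */
        int r = snprintf(buf + pos, buflen - pos, "%x.%x.", a[i] & 0xf, a[i] >> 4);
        if (r < 0 || (size_t)r >= buflen - pos) return -1;
        pos += (size_t)r;
    }
    int r = snprintf(buf + pos, buflen - pos, "ip6.arpa");
    if (r < 0 || (size_t)r >= buflen - pos) return -1;
    return (int)(pos + (size_t)r);
}

int main(int argc, char **argv) {
    /* Default input is constructed for this example. */
    const char *addr = argc > 1 ? argv[1] : "2001:db8::1";
    char name[80];
    int len = build_reverse_name(addr, name, sizeof name);
    if (len < 0) {
        fprintf(stderr, "%s: not a valid IPv6 address or name too long\n", addr);
        return 1;
    }
    printf("%s -> %s\n", addr, name);
    return 0;
}
```

Run with the quoted PoC argument (`./a.out '::%A::%A'`) and the parser refuses it at the first `%`, which is the exit-with-error behaviour Marc describes; the length check in build_reverse_name is the second, independent guard, so a too-small buffer yields an error instead of a write past its end.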
    
