[UNIX] Exim Recipient Decoding Execution
From: support@securiteam.com  Date: 12/20/01
From: support@securiteam.com To: list@securiteam.com Date: Thu, 20 Dec 2001 17:41:26 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Exim Recipient Decoding Execution
------------------------------------------------------------------------
SUMMARY
A security vulnerability in Exim allows remote attackers to cause Exim to
run commands that were encoded in the local part of the recipient address.
DETAILS
Vulnerable systems:
Exim versions prior to 3.34 (3.x branch)
Exim versions prior to 3.952 (3.9xx branch; note that there are two version branches)
Immune systems:
Exim 3.34 and later, Exim 3.952 and later
The problem exists only in the case of a run time configuration that
directs or routes an address to a pipe transport without checking the
local part of the address in any way. This does not apply, for example, to
pipes run from alias or forward files because the local part is checked to
ensure that it is the name of an alias or of a local user.
One kind of configuration where this may apply is one where all incoming
mail is sent straight to a virus checker by means of a pipe, without
inspecting the local parts of addresses. However, if receiver_verify is
turned on, and the director/router that is used for the pipe has no_verify
set, there may not be an exposure, because the local parts are probably
checked by the verification process even though they are not checked at
delivery time before being sent to the pipe.
The bug is provoked by routing/directing an address whose local part
begins with a pipe symbol (vertical bar) to a pipe transport. That is why
any configuration in which local parts are first checked in some way is
not normally vulnerable (a local part starting with a pipe symbol is
normally invalid). The Exim 4 default configuration blocks local parts
that contain any of the characters @%!/| at SMTP time, as it happens.
The bug's effect is that, instead of obeying the correct pipe command, a
broken Exim runs the command encoded in the local part.
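To make the decision concrete, the following C program is an added example written for this page, not Exim's own code: it models the pipe transport's command selection before and after the fix on a simplified address record, and adds the Exim 4 style SMTP-time local-part filter the advisory mentions. The struct address_t, the functions pipe_command_vulnerable, pipe_command_fixed and local_part_rejected_at_smtp, and the sample local parts are all constructed for illustration; the real Exim code works on addr->local_part and the af_pfr flag.

```c
/* Added example for this advisory, not Exim source.  It models how the pipe
 * transport picks the command to run, before and after the 3.34 fix, and the
 * Exim 4 default SMTP-time filter on local parts.  Names are stand-ins. */
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified address record.  In Exim the af_pfr flag marks a local part that
 * was produced by expanding an alias or .forward entry into a pipe/file/reply
 * item.  An address taken straight from an SMTP recipient never has it set. */
typedef struct {
    const char *local_part;
    bool        af_pfr;
} address_t;

/* Shared helper: skip the pipe symbol and any whitespace after it. */
static const char *command_after_pipe(const char *local_part)
{
    const char *cmd = local_part + 1;
    while (isspace((unsigned char)*cmd)) cmd++;
    return cmd;
}

/* Vulnerable selection (pre-3.34 logic): any local part beginning with '|'
 * is taken as the command, no matter where the address came from.  A
 * transport reached without a local-part check therefore runs attacker
 * supplied text instead of its configured command. */
static const char *pipe_command_vulnerable(const address_t *addr,
                                           const char *transport_cmd)
{
    if (addr->local_part[0] == '|')
        return command_after_pipe(addr->local_part);
    return transport_cmd;
}

/* Fixed selection (mirrors the patch): honour a leading '|' only when the
 * pipe/file/reply flag says the local part came from alias/forward
 * expansion.  Everything else runs the transport's configured command. */
static const char *pipe_command_fixed(const address_t *addr,
                                      const char *transport_cmd)
{
    if (addr->af_pfr && addr->local_part[0] == '|')
        return command_after_pipe(addr->local_part);
    return transport_cmd;
}

/* Defence in depth at SMTP time, as the advisory describes for the Exim 4
 * default configuration: reject local parts containing any of @ % ! / |.
 * With this in place a '|'-prefixed local part never reaches a transport. */
static bool local_part_rejected_at_smtp(const char *local_part)
{
    return strpbrk(local_part, "@%!/|") != NULL;
}

int main(void)
{
    /* Constructed inputs: the transport's configured scanner command, a
     * harmless '|' local part as it would arrive from SMTP (af_pfr unset),
     * and a legitimate pipe item expanded from an alias file (af_pfr set). */
    const char *scanner = "/usr/local/bin/virus-scan";
    address_t from_smtp  = { "|/bin/echo", false };
    address_t from_alias = { "|  /usr/bin/procmail", true };

    printf("vulnerable, SMTP address : %s\n", pipe_command_vulnerable(&from_smtp, scanner));
    printf("fixed, SMTP address      : %s\n", pipe_command_fixed(&from_smtp, scanner));
    printf("fixed, alias pipe item   : %s\n", pipe_command_fixed(&from_alias, scanner));
    printf("rejected at SMTP time    : %s\n",
           local_part_rejected_at_smtp(from_smtp.local_part) ? "yes" : "no");
    return 0;
}
```

The first line of output is the bug: the transport runs /bin/echo instead of the scanner. The fixed version runs the scanner for the SMTP-sourced address and still honours the alias-expanded pipe item, which is why legitimate alias and .forward pipes keep working after the patch.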
If you do not want to upgrade to Exim 3.34, here are two patches for
earlier versions. The fix is very simple.
Patch:
----------------------------------------------------------------------------
This patch is for version 3.33. It should also work on all previous
versions back to 3.20.
*** exim-3.33/src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
pointed to by addr->local_part; it starts with the pipe symbol. In other
cases,
the command is supplied as one of the pipe transport's options. */
! if (addr->local_part[0] == '|')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
pointed to by addr->local_part; it starts with the pipe symbol. In other
cases,
the command is supplied as one of the pipe transport's options. */
! if (testflag(addr,af_pfr) && addr->local_part[0] == '|')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
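Review bot: the comment in the context lines above the condition ("it starts with the pipe symbol. In other cases, the command is supplied as one of the pipe transport's options") no longer describes what the code does once `testflag(addr,af_pfr)` gates it: a local part that starts with '|' but did not come from alias/forward expansion now falls into the "other cases" branch and runs the transport's configured command. Update the comment to say the leading '|' is honoured only for pipe/file/reply items, otherwise the next reader may drop the flag test as redundant and reintroduce the bug. It is also worth confirming that the else branch reports a configuration error, rather than running nothing, when such an address reaches a pipe transport that has no command option set.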
----------------------------------------------------------------------------
----------------------------------------------------------------------------
This patch is for versions before 3.20. It should work at least as far
back as release 3.12 (which was released on December 8, 1999). It may work
on earlier releases; if not, it is such a simple patch that you should be
able to figure out what to change by hand.
*** src/transports/pipe.c Wed Aug 15 12:09:13 2001
--- transports/pipe.c Thu Dec 13 10:25:21 2001
***************
*** 487,493 ****
pointed to by addr->local_part; it starts with the pipe symbol. In other
cases,
the command is supplied as one of the pipe transport's options. */
! if (addr->local_part[0] == '|')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
--- 487,493 ----
pointed to by addr->local_part; it starts with the pipe symbol. In other
cases,
the command is supplied as one of the pipe transport's options. */
! if (addr->pfr && addr->local_part[0] == '|')
{
cmd = addr->local_part + 1;
while (isspace((uschar)*cmd)) cmd++;
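Review bot: same gap as in the 3.20+ patch: `addr->pfr &&` is the whole fix, and the comment above it still says that a local part starting with the pipe symbol always supplies the command; update it to state that this only applies to pipe/file/reply items from alias/forward expansion. Because this variant tests a struct member (`addr->pfr`) rather than `testflag(addr,af_pfr)`, the "may work on earlier releases" claim depends on that member existing under that name; a compile failure on this line is the signal that an older release needs the equivalent field located by hand.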
----------------------------------------------------------------------------
ADDITIONAL INFORMATION
The information has been provided by Tabor J. Wells <twells@fsckit.net>
and Philip Hazel <ph10@cus.cam.ac.uk>.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.