[UNIX] Exim -C Security Vulnerability
From: support@securiteam.com Date: 02/17/02
From: support@securiteam.com To: list@securiteam.com Date: Sun, 17 Feb 2002 17:21:12 +0100 (CET)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
When was the last time you checked your server's security?
How about a monthly report?
http://www.AutomatedScanning.com - Know that you're safe.
- - - - - - - - -
Exim -C Security Vulnerability
------------------------------------------------------------------------
SUMMARY
<http://www.exim.org/> Exim is a message transfer agent (MTA) developed
at the University of Cambridge for use on UNIX systems connected to the
Internet. A security vulnerability in the program has been found that
would allow local attackers to gain elevated privileges.
DETAILS
Vulnerable systems:
Exim version 3.34 and prior
Example:
# /usr/exim/bin/exim -F `perl -e' print "A" x 32770'` -C `perl -e' print
"A" x 32768'`
Segmentation fault
#
Patch:
diff -Nru exim-3.34/src.old/accept.c exim-3.34/src/accept.c
--- exim-3.34/src.old/accept.c Tue Feb 12 13:40:44 2002
+++ exim-3.34/src/accept.c Tue Feb 12 13:47:33 2002
@@ -1506,7 +1506,7 @@
/* Save for comparing with next one */
-strcpy(last_message_id, message_id);
+strncpy(last_message_id, message_id, MESSAGE_ID_LENGTH); /* Fixed a
one-byte overflow -- Mixter */
/* Add the current message id onto the current process info string if
it will fit. */
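Review bot: The new `strncpy(last_message_id, message_id, MESSAGE_ID_LENGTH)` copies at most MESSAGE_ID_LENGTH bytes and writes no terminator when message_id is that long, so the comparison this comment announces ("Save for comparing with next one") would read past the buffer; the strncpy replacements in deliver.c @3704, host.c @471 and @571, log.c @185, match.c @876, readconf.c @2326 and tree.c @32 have the same gap, and in match.c the `for (...; *p != 0; p++)` loop right after the copy depends on that terminator. Whether the destination has room for the terminator is not visible here; if it is declared `[MESSAGE_ID_LENGTH + 1]` the copy should be followed by `last_message_id[MESSAGE_ID_LENGTH] = 0;`, otherwise both the copy limit and the explicit terminator index need to be one byte smaller. Where the destination is an array, `snprintf(dst, sizeof dst, "%s", src)` does the bounded copy and the termination in one call. The enclosing function starts and ends outside the hunk.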
diff -Nru exim-3.34/src.old/deliver.c exim-3.34/src/deliver.c
--- exim-3.34/src.old/deliver.c Tue Feb 12 13:40:44 2002
+++ exim-3.34/src/deliver.c Tue Feb 12 14:15:53 2002
@@ -3704,7 +3704,7 @@
the message size. */
deliver_force = forced;
-strcpy(message_id, id);
+strncpy(message_id, id, MESSAGE_ID_LENGTH);
return_count = 0;
message_size = 0;
@@ -4083,7 +4083,8 @@
slen += 3;
}
- strcpy(h->text + slen, s);
+ /* Fixed potential remote vulnerability -- Mixter */
+ strncpy(h->text + slen, s, size-slen-1);
slen += len;
}
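Review bot: `strncpy(h->text + slen, s, size-slen-1)` truncates silently while `slen += len` on the next line still advances by the full length (if len is the length of s, as that line suggests), so after a truncated copy slen no longer describes what is in h->text and the copied text carries no terminator; if slen can reach size, `size-slen-1` also goes negative and is converted to a huge size_t, which removes the bound entirely. A length check before the copy, `if (len >= size - slen) { /* grow h->text or reject the line */ }`, keeps the bookkeeping honest, and with that check in place the original strcpy (or a memcpy of len + 1 bytes) is sufficient. Whether h->text can be grown at this point is not visible; the enclosing function starts and ends outside the hunk.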
diff -Nru exim-3.34/src.old/host.c exim-3.34/src/host.c
--- exim-3.34/src.old/host.c Tue Feb 12 13:40:44 2002
+++ exim-3.34/src/host.c Tue Feb 12 19:19:52 2002
@@ -281,7 +281,7 @@
}
sender_fullhost =
- store_malloc((int)strlen(fullhost) + (int)strlen(rcvhost) + 2);
+ store_malloc((int)strlen(fullhost) + (int)strlen(rcvhost) + 3);
sender_rcvhost = sender_fullhost + (int)strlen(fullhost) + 1;
strcpy(sender_fullhost, fullhost);
strcpy(sender_rcvhost, rcvhost);
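Review bot: The change from `+ 2` to `+ 3` in the store_malloc size has no justification in the visible lines: the block stores two strings back to back with `sender_rcvhost = sender_fullhost + (int)strlen(fullhost) + 1`, and the two strcpy calls need exactly strlen(fullhost) + strlen(rcvhost) + 2 bytes, both terminators included. If an overflow was actually observed here its cause is not in these lines (a later write through sender_rcvhost, for instance, is not shown); otherwise a comment such as `/* +2 already covers both terminators; the extra byte is slack */` should say why the byte is wanted, or the change should be dropped. The enclosing function starts outside the hunk.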
@@ -471,7 +471,7 @@
next = store_malloc(sizeof(ip_address_item));
next->next = NULL;
- strcpy(next->address, s);
+ strncpy(next->address, s, 46);
if (yield == NULL) yield = last = next; else
{
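Review bot: `strncpy(next->address, s, 46)` bounds the copy with a bare 46 that is tied to nothing visible, and @571 does the same with `strncpy(buffer, yield, 46)` even though buffer is a pointer parameter whose size this function is not told. If address is an array member the bound should be derived from it and terminated, `strncpy(next->address, s, sizeof next->address - 1); next->address[sizeof next->address - 1] = 0;`, and for @571 the caller's buffer size has to arrive through the interface, or a named constant shared with every caller, rather than a literal. Presumably 46 is sized for the longest textual IP address; whether it includes the terminator cannot be told from the hunk and deserves a comment either way. The enclosing function starts outside the hunk.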
@@ -571,7 +571,7 @@
/* If there is no buffer, put the string into some new store. */
if (buffer == NULL) return string_copy(yield);
-strcpy(buffer, yield);
+strncpy(buffer, yield, 46);
return buffer;
}
diff -Nru exim-3.34/src.old/log.c exim-3.34/src/log.c
--- exim-3.34/src.old/log.c Tue Feb 12 13:40:44 2002
+++ exim-3.34/src/log.c Tue Feb 12 14:37:56 2002
@@ -61,6 +61,14 @@
if (!syslog_timestamp) s += 20;
len = (int)strlen(s);
+/* Added safeguard against syslog overflows -- Mixter */
+if(len > 4096)
+{
+ len = 4026;
+ memset(s+4000,0,strlen(s)-4000);
+ strcat(s, " WARNING: Message cut off!");
+}
+
#ifndef NO_OPENLOG
if (!syslog_open)
{
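Review bot: The added safeguard hard-codes three unrelated numbers: it triggers at 4096, cuts at 4000 and then sets `len = 4026`, which is only correct because the appended warning happens to be 26 bytes long. Replacing the memset with `s[4000] = 0;`, keeping the `strcat(s, " WARNING: Message cut off!");`, and then computing `len = (int)strlen(s);` removes the hidden coupling, and the threshold and cut point read better as named constants. Note also that s was advanced by 20 on the `if (!syslog_timestamp) s += 20;` line, so the write lands more than 4020 bytes into whatever s points at; the storage behind s, and whether it is writable that far in, is not visible here. The enclosing function starts outside the hunk.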
@@ -185,7 +193,7 @@
has been cycled, then open the file. The static slot for saving it is the
same
size as buffer, and the text has been checked above to fit. */
-if (strcmp(name, "main") == 0) strcpy(mainlog_name, buffer);
+if (strcmp(name, "main") == 0) strncpy(mainlog_name, buffer,
LOG_NAME_SIZE);
/* After a successful open, arrange for automatic closure on exec(). */
@@ -585,7 +593,7 @@
{
spaceleft = seplen + 1;
ptr = log_buffer + LOG_BUFFER_SIZE - spaceleft;
- strcpy(ptr - (int)strlen(tmsg), tmsg);
+ strncpy(ptr - (int)strlen(tmsg), tmsg, spaceleft);
}
(void)string_format(ptr, spaceleft, separator);
while(*ptr) ptr++;
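Review bot: The bound passed on the `+ strncpy(ptr - (int)strlen(tmsg), tmsg, spaceleft)` line is seplen + 1, which has nothing to do with the length of tmsg: when tmsg is longer it is cut short and the bytes between the cut and ptr keep stale content, when it is shorter strncpy zero-fills up to ptr, and in neither case does it stop the real hazard, which is `ptr - (int)strlen(tmsg)` landing before log_buffer. The guard that is missing is on the space available in front of ptr: copy only the last `min(strlen(tmsg), ptr - log_buffer)` bytes of tmsg with memcpy so that the copy ends at ptr, and let the following `string_format(ptr, spaceleft, separator)` terminate at ptr as it does now. The enclosing function starts outside the hunk.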
diff -Nru exim-3.34/src.old/match.c exim-3.34/src/match.c
--- exim-3.34/src.old/match.c Tue Feb 12 13:40:45 2002
+++ exim-3.34/src/match.c Tue Feb 12 14:39:45 2002
@@ -876,7 +876,7 @@
"+caseful" in the list, it restores a caseful copy from the original
address.
*/
-strcpy(address, origaddress);
+strncpy(address, origaddress, big_buffer_size);
for (p = address + ((caseless || llen < 0)? 0 : llen); *p != 0; p++)
*p = tolower(*p);
diff -Nru exim-3.34/src.old/readconf.c exim-3.34/src/readconf.c
--- exim-3.34/src.old/readconf.c Tue Feb 12 13:40:45 2002
+++ exim-3.34/src/readconf.c Tue Feb 12 14:25:01 2002
@@ -356,7 +356,7 @@
char *newbuffer;
big_buffer_size += BIG_BUFFER_SIZE;
newbuffer = store_malloc(big_buffer_size);
- strcpy(newbuffer, big_buffer);
+ strncpy(newbuffer, big_buffer, big_buffer_size-1);
store_free(big_buffer);
big_buffer = newbuffer;
if (fgets(big_buffer+newlen, big_buffer_size-newlen, config_file) ==
NULL)
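Review bot: In this hunk big_buffer_size has already been increased by BIG_BUFFER_SIZE two lines earlier, so `strncpy(newbuffer, big_buffer, big_buffer_size-1)` is bounded by the new size rather than the old buffer and behaves as the original strcpy plus zero-fill; in @440 the bound is the old size minus one, and when big_buffer is full that copy leaves newbuffer, which is fresh store, without a terminator before `s`, `ss` and `t` are rebased into it. Because the destination is strictly larger than the source in both places, the original strcpy could not overflow (assuming big_buffer is terminated, which the fgets-based reading implies); if a bounded copy is wanted anyway, `memcpy` of the pre-growth size saved in a local, or simply restoring strcpy, is correct and the `-1` is not. The enclosing functions start and end outside the hunks.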
@@ -440,7 +440,7 @@
{
int newsize = big_buffer_size + BIG_BUFFER_SIZE;
char *newbuffer = store_malloc(newsize);
- strcpy(newbuffer, big_buffer);
+ strncpy(newbuffer, big_buffer, big_buffer_size-1);
s = newbuffer + (s - big_buffer);
ss = newbuffer + (ss - big_buffer);
t = newbuffer + (t - big_buffer);
@@ -461,7 +461,7 @@
memmove(p + replen, pp, ss - pp + 1);
ss += moveby;
}
- strncpy(p, m->replacement, replen);
+ strncpy(p, m->replacement, replen-2);
t = p + replen;
}
}
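Review bot: Changing the copy length from replen to `replen-2` has no visible justification and looks wrong: the `memmove(p + replen, pp, ss - pp + 1)` above makes room for exactly replen bytes and `t = p + replen` steps past that many, so copying only replen-2 leaves the last two bytes of the slot holding whatever was there before. strncpy without a terminator is the right call here, since the moved tail already carries the NUL, but the length should stay replen unless replen includes two bytes that must not be copied, in which case a comment should say which two. The enclosing function starts outside the hunk.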
@@ -2240,7 +2240,8 @@
/* Finally, try the unadorned name */
-strcpy(big_buffer, config_filename);
+/* Fixed overflow. 256 chars are maximally needed here. -- Mixter */
+strncpy(big_buffer, config_filename,
big_buffer_size>256?256:big_buffer_size);
if (config_file == NULL) config_file = fopen(big_buffer, "r");
/* Failure to open the configuration file is a serious disaster. */
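Review bot: Capping the copy at `big_buffer_size>256?256:big_buffer_size` silently truncates a long configuration file name and then hands the truncated path to `fopen`, so a name that does not fit either fails with a misleading error or quietly opens a different path; for the option this advisory is about (-C) a hard reject is the safer behaviour, and when the name is exactly 256 bytes the copy also leaves big_buffer unterminated. Check the length first, `if (strlen(config_filename) >= big_buffer_size) { /* refuse: configuration file name too long */ }`, and keep the plain strcpy afterwards; the 256 in the comment is tied to nothing visible, so if a smaller limit is intended it should be a named constant that the check uses. The enclosing function starts and ends outside the hunk.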
@@ -2326,7 +2327,7 @@
m->next = NULL;
m->command_line = FALSE;
if (mlast == NULL) macros = m; else mlast->next = m;
- strcpy(m->name, name);
+ strncpy(m->name, name, namelen-1); /* fixed potential overflow --
Mixter */
m->replacement = string_copy(s);
}
diff -Nru exim-3.34/src.old/tree.c exim-3.34/src/tree.c
--- exim-3.34/src.old/tree.c Tue Feb 12 13:40:46 2002
+++ exim-3.34/src/tree.c Tue Feb 12 14:30:45 2002
@@ -32,7 +32,7 @@
{
char *p = s + (int)strlen(s);
while (p > s && p[-1] != '@') p--;
-if (p <= s) strcpy(prepared_address, s); else
+if (p <= s) strncpy(prepared_address, s, 512); else /* fixed potential
remote overflow -- Mixter */
{
char *t = prepared_address;
char *pp = p - 2;
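Review bot: `strncpy(prepared_address, s, 512)` fixes the bound with a bare 512 and, like the other strncpy changes in this patch, does not terminate when s is 512 bytes or longer; if prepared_address is an array the bound should come from it and be terminated, `strncpy(prepared_address, s, sizeof prepared_address - 1); prepared_address[sizeof prepared_address - 1] = 0;`. The else branch that begins here writes through `t` into the same buffer and is not bounded in the visible lines; whether its loop checks the remaining space is outside the hunk, which ends before the function does.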
ADDITIONAL INFORMATION
The information has been provided by <mailto:analyzer@2xss.com> Ehud
Tenenbaum.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.