Bugtraq mailing list archives

lil' exim format bug
From: Megyer Laszlo <lez () sch bme hu>
Date: Wed, 6 Jun 2001 14:03:25 +0200

Hi BugTrackers

Just a little bug to tell:


accept.c, line 2506:
        else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);

while moan_smtp_batch is like this:
        moan_smtp_batch(char *cmd_buffer, char *format, ...)

So when smtp_reply contains format strings, it gets transformed by

Why did I say that it's a little bug?

This piece of code is only executed when exim is configured to check incoming mails' headers:
/etc/exim.conf should have an option set:

By default it's turned OFF.
Only a few people turn it on.

So it's NOT vulnerable BY DEFAULT.


Try this:
lez:~$ /usr/sbin/exim -bS
mail from:lez () lez
rcpt to:hax0r () lez


Somewhere in the answers you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is: 

If you change the %p's to %s's, you get a segfault. With a carefully constructed thing, it's easy to overwrite the saved eip with
%n's, and get root out of this bug.

No exploit yet, but after the many local format bug exploits it's not much work to write one for a skilled man.
Megyer Laszlo (Lez)
lez () sch bme hu
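As an added illustration, not Exim code and not part of the post above, the defect class described here next to its fix: the same printf-style helper is called once with the reply text in the format slot (the accept.c pattern) and once with a constant "%s" format. The helper `report` and the other names are hypothetical; the sample reply is constructed and uses only "%%" so the unsafe call stays defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in with the moan_smtp_batch(cmd_buffer, format, ...)
 * shape quoted in the post; not Exim code. */
static void report(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outlen, format, ap);
    va_end(ap);
}

/* Count conversion directives in a string. A non-zero result means the
 * string must never be passed in the format slot: it would be parsed as
 * directives rather than printed verbatim. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') s++;   /* "%%" is an escaped literal percent */
        else n++;
    }
    return n;
}

/* The pattern from accept.c: the reply text occupies the format argument. */
void reply_unsafe(char *out, size_t outlen, const char *smtp_reply)
{
    report(out, outlen, smtp_reply);
}

/* The fix: a constant format string; the reply is an ordinary argument. */
void reply_safe(char *out, size_t outlen, const char *smtp_reply)
{
    report(out, outlen, "%s", smtp_reply);
}

/* Returns 1 when the unsafe path rewrites the reply while the safe path keeps
 * it intact. Only call it with replies whose sole directive is "%%". */
int reply_is_interpreted(const char *smtp_reply)
{
    char unsafe_out[256], safe_out[256];
    reply_unsafe(unsafe_out, sizeof unsafe_out, smtp_reply);
    reply_safe(safe_out, sizeof safe_out, smtp_reply);
    return strcmp(safe_out, smtp_reply) == 0 && strcmp(unsafe_out, smtp_reply) != 0;
}
```

With the constructed reply "550 Syntax error in 'From' header: 100%% malformed", the unsafe path emits "100% malformed" while the safe path reproduces the input byte for byte, which is exactly the difference that turns header text into a format string.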
