Saw it yesterday and sure enough, it crashes my Exim with a segfault. I
run Exim on Debian 2.2 with no modifications.
-A. Dave
xbud wrote:
>Not sure if this made to this list.
>
>I haven't confirmed the following, but thought it was worth forwarding.
>
>-xbud
>
>---------- Forwarded Message ----------
>
>Subject: Exim 3.34 and lower (fwd)
>Date: Wed, 13 Feb 2002 11:19:49 -0700 (MST)
>From: Dave Ahmad <[EMAIL PROTECTED]>
>To: [EMAIL PROTECTED]
>
>Moderator note:
>
>I have not had the time to look at the Exim source to verify that these
>exist and that the attached fix is not broken.
>
>Dave Ahmad
>SecurityFocus
>www.securityfocus.com
>
>---------- Forwarded message ----------
>Return-Path: <[EMAIL PROTECTED]>
>Delivered-To: moderator for [EMAIL PROTECTED]
>Received: (qmail 32260 invoked from network); 13 Feb 2002 08:49:23 -0000
>Received: from mail.securityfocus.com (HELO securityfocus.com) (66.38.151.9)
> by lists.securityfocus.com with SMTP; 13 Feb 2002 08:49:23 -0000
>Received: (qmail 20929 invoked by alias); 13 Feb 2002 08:50:32 -0000
>Received: (qmail 20925 invoked from network); 13 Feb 2002 08:50:31 -0000
>Received: from unknown (HELO 2xs.co.il) (212.68.128.50)
> by mail.securityfocus.com with SMTP; 13 Feb 2002 08:50:31 -0000
>Received: from security.2xss.com
> ([212.68.128.10] helo=2xss.com ident=root)
> by 2xs.co.il with esmtp
> id 16avBe-0003GM-00
> for [EMAIL PROTECTED]; Wed, 13 Feb 2002 10:54:46 +0200
>Sender: [EMAIL PROTECTED]
>Message-ID: <[EMAIL PROTECTED]>
>Date: Wed, 13 Feb 2002 10:44:02 +0200
>From: Ehud Tenenbaum <[EMAIL PROTECTED]>
>Organization: 2xs LTD.
>X-Mailer: Mozilla 4.76 [en] (X11; U; Linux 2.4.16-pre1 i686)
>X-Accept-Language: en
>MIME-Version: 1.0
>To: [EMAIL PROTECTED]
>Subject: Exim 3.34 and lower
>Content-Type: multipart/mixed;
> boundary="------------C2FFD0A39E3737A0A718E02C"
>
>Hey,
>
>Its a good time to announce that 2xs security LTD. decided to
>create a research team in order to focus on finding new bugs,
>further more we managed to develop a security tool to discover
>bugs/security flaws. In the near future, the tool itself will became
>an open source project.
>
>Its looks like there is few insecure/lame programming in exim mail
>server up to current version.
>
>first lets take a look at the file:
>[2xs:root:~] ls -la /usr/exim/bin/exim
>-rws--x--x 1 root root 2061186 Oct 23 12:56
>/usr/exim/bin/exim*
>[2xs:root:~]
>
>Suid goodie.
>
>[2xs:w00p:/root] id
>uid=1001(w00p) gid=100(users) groups=100(users)
>[2xs:w00p:/root] /usr/exim/bin/exim -F `perl -e' print "A" x 32770'` -C
>`perl -e' print "A" x 32768'`
>Segmentation fault
>[2xs:w00p:/root]
>
>Many other argument should work as well (as long there is -C among them)
>
>[2xs:root:~] gdb /usr/exim/bin/exim
>GNU gdb 5.0
>Copyright 2000 Free Software Foundation, Inc.
>GDB is free software, covered by the GNU General Public License, and you
>are
>welcome to change it and/or distribute copies of it under certain
>conditions.
>Type "show copying" to see the conditions.
>There is absolutely no warranty for GDB. Type "show warranty" for
>details.
>This GDB was configured as "i386-slackware-linux"...
>(gdb) r -F `perl -e' print "A" x 32770'` -C `perl -e' print "A" x
>32768'`
>Starting program: /usr/exim/bin/exim -F `perl -e' print "A" x 32770'` -C
>`perl -e' print "A" x
>32768'`
>
>Program received signal SIGSEGV, Segmentation fault.
>strcpy (dest=0x820e208 'A' <repeats 200 times>..., src=0xbfff7b48 'A'
><repeats 200 times>...)
> at ../sysdeps/generic/strcpy.c:40
>40 ../sysdeps/generic/strcpy.c: No such file or directory.
>(gdb) info registers
>eax 0x48216641 1210148417
>ecx 0x482166bf 1210148543
>edx 0xbfffa941 -1073764031
>ebx 0xbffef8d4 -1073809196
>esp 0xbffeeefc 0xbffeeefc
>ebp 0xbffeef00 0xbffeef00
>esi 0x820e208 136372744
>edi 0x3 3
>eip 0x401690e4 0x401690e4
>eflags 0x10286 66182
>cs 0x23 35
>ss 0x2b 43
>ds 0x2b 43
>es 0x2b 43
>fs 0x0 0
>gs 0x0 0
>fctrl 0x37f 895
>fstat 0x0 0
>ftag 0xffff 65535
>fiseg 0x23 35
>fioff 0x4009ca84 1074383492
>foseg 0x2b 43
>fooff 0x400fa440 1074766912
>fop 0x49b 1179
>
>after short debugging we found that there is no overflow since the
>eip register coredumped in the code segment and not in the data segment,
>yet we believe that there might be a way to exploit this bug with
>log_write(), we are not going to deliver a working exploit until the
>vendor
>will research and fix this bug.
>
>We provide a patch to version 3.34 that should solve this bug.
>
>In version 3.21 and lower there is another small bug with -t flag
>again non exploitable just bad programming.
>
>This bug was found by The Analyzer, Izik and Mixter. 2xs security
>research team.
>
>should anyone have questions or comments you can email us:
>
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>[EMAIL PROTECTED]
>
>--
>------------
>Ehud Tenenbaum
>C.T.O & Project Manager
>2xs LTD.
>Tel: 972-9-9519980
>Fax: 972-9-9519982
>E-Mail: [EMAIL PROTECTED]
>------------
> Have A Safe Day
>
>-------------------------------------------------------
>
>
>
>------------------------------------------------------------------------
>
>diff -Nru exim-3.34/src.old/accept.c exim-3.34/src/accept.c
>--- exim-3.34/src.old/accept.c Tue Feb 12 13:40:44 2002
>+++ exim-3.34/src/accept.c Tue Feb 12 13:47:33 2002
>@@ -1506,7 +1506,7 @@
>
> /* Save for comparing with next one */
>
>-strcpy(last_message_id, message_id);
>+strncpy(last_message_id, message_id, MESSAGE_ID_LENGTH); /* Fixed a one-byte
>overflow -- Mixter */
>
> /* Add the current message id onto the current process info string if
> it will fit. */
>diff -Nru exim-3.34/src.old/deliver.c exim-3.34/src/deliver.c
>--- exim-3.34/src.old/deliver.c Tue Feb 12 13:40:44 2002
>+++ exim-3.34/src/deliver.c Tue Feb 12 14:15:53 2002
>@@ -3704,7 +3704,7 @@
> the message size. */
>
> deliver_force = forced;
>-strcpy(message_id, id);
>+strncpy(message_id, id, MESSAGE_ID_LENGTH);
> return_count = 0;
> message_size = 0;
>
>@@ -4083,7 +4083,8 @@
> slen += 3;
> }
>
>- strcpy(h->text + slen, s);
>+ /* Fixed potential remote vulnerability -- Mixter */
>+ strncpy(h->text + slen, s, size-slen-1);
> slen += len;
> }
>
>diff -Nru exim-3.34/src.old/host.c exim-3.34/src/host.c
>--- exim-3.34/src.old/host.c Tue Feb 12 13:40:44 2002
>+++ exim-3.34/src/host.c Tue Feb 12 19:19:52 2002
>@@ -281,7 +281,7 @@
> }
>
> sender_fullhost =
>- store_malloc((int)strlen(fullhost) + (int)strlen(rcvhost) + 2);
>+ store_malloc((int)strlen(fullhost) + (int)strlen(rcvhost) + 3);
> sender_rcvhost = sender_fullhost + (int)strlen(fullhost) + 1;
> strcpy(sender_fullhost, fullhost);
> strcpy(sender_rcvhost, rcvhost);
>@@ -471,7 +471,7 @@
>
> next = store_malloc(sizeof(ip_address_item));
> next->next = NULL;
>- strcpy(next->address, s);
>+ strncpy(next->address, s, 46);
>
> if (yield == NULL) yield = last = next; else
> {
>@@ -571,7 +571,7 @@
> /* If there is no buffer, put the string into some new store. */
>
> if (buffer == NULL) return string_copy(yield);
>-strcpy(buffer, yield);
>+strncpy(buffer, yield, 46);
> return buffer;
> }
>
>diff -Nru exim-3.34/src.old/log.c exim-3.34/src/log.c
>--- exim-3.34/src.old/log.c Tue Feb 12 13:40:44 2002
>+++ exim-3.34/src/log.c Tue Feb 12 14:37:56 2002
>@@ -61,6 +61,14 @@
> if (!syslog_timestamp) s += 20;
> len = (int)strlen(s);
>
>+/* Added safeguard against syslog overflows -- Mixter */
>+if(len > 4096)
>+{
>+ len = 4026;
>+ memset(s+4000,0,strlen(s)-4000);
>+ strcat(s, " WARNING: Message cut off!");
>+}
>+
> #ifndef NO_OPENLOG
> if (!syslog_open)
> {
>@@ -185,7 +193,7 @@
> has been cycled, then open the file. The static slot for saving it is the same
> size as buffer, and the text has been checked above to fit. */
>
>-if (strcmp(name, "main") == 0) strcpy(mainlog_name, buffer);
>+if (strcmp(name, "main") == 0) strncpy(mainlog_name, buffer, LOG_NAME_SIZE);
>
> /* After a successful open, arrange for automatic closure on exec(). */
>
>@@ -585,7 +593,7 @@
> {
> spaceleft = seplen + 1;
> ptr = log_buffer + LOG_BUFFER_SIZE - spaceleft;
>- strcpy(ptr - (int)strlen(tmsg), tmsg);
>+ strncpy(ptr - (int)strlen(tmsg), tmsg, spaceleft);
> }
> (void)string_format(ptr, spaceleft, separator);
> while(*ptr) ptr++;
>diff -Nru exim-3.34/src.old/match.c exim-3.34/src/match.c
>--- exim-3.34/src.old/match.c Tue Feb 12 13:40:45 2002
>+++ exim-3.34/src/match.c Tue Feb 12 14:39:45 2002
>@@ -876,7 +876,7 @@
> "+caseful" in the list, it restores a caseful copy from the original address.
> */
>
>-strcpy(address, origaddress);
>+strncpy(address, origaddress, big_buffer_size);
> for (p = address + ((caseless || llen < 0)? 0 : llen); *p != 0; p++)
> *p = tolower(*p);
>
>diff -Nru exim-3.34/src.old/readconf.c exim-3.34/src/readconf.c
>--- exim-3.34/src.old/readconf.c Tue Feb 12 13:40:45 2002
>+++ exim-3.34/src/readconf.c Tue Feb 12 14:25:01 2002
>@@ -356,7 +356,7 @@
> char *newbuffer;
> big_buffer_size += BIG_BUFFER_SIZE;
> newbuffer = store_malloc(big_buffer_size);
>- strcpy(newbuffer, big_buffer);
>+ strncpy(newbuffer, big_buffer, big_buffer_size-1);
> store_free(big_buffer);
> big_buffer = newbuffer;
> if (fgets(big_buffer+newlen, big_buffer_size-newlen, config_file) == NULL)
>@@ -440,7 +440,7 @@
> {
> int newsize = big_buffer_size + BIG_BUFFER_SIZE;
> char *newbuffer = store_malloc(newsize);
>- strcpy(newbuffer, big_buffer);
>+ strncpy(newbuffer, big_buffer, big_buffer_size-1);
> s = newbuffer + (s - big_buffer);
> ss = newbuffer + (ss - big_buffer);
> t = newbuffer + (t - big_buffer);
>@@ -461,7 +461,7 @@
> memmove(p + replen, pp, ss - pp + 1);
> ss += moveby;
> }
>- strncpy(p, m->replacement, replen);
>+ strncpy(p, m->replacement, replen-2);
> t = p + replen;
> }
> }
>@@ -2240,7 +2240,8 @@
>
> /* Finally, try the unadorned name */
>
>-strcpy(big_buffer, config_filename);
>+/* Fixed overflow. 256 chars are maximally needed here. -- Mixter */
>+strncpy(big_buffer, config_filename, big_buffer_size>256?256:big_buffer_size);
> if (config_file == NULL) config_file = fopen(big_buffer, "r");
>
> /* Failure to open the configuration file is a serious disaster. */
>@@ -2326,7 +2327,7 @@
> m->next = NULL;
> m->command_line = FALSE;
> if (mlast == NULL) macros = m; else mlast->next = m;
>- strcpy(m->name, name);
>+ strncpy(m->name, name, namelen-1); /* fixed potential overflow -- Mixter */
> m->replacement = string_copy(s);
> }
>
>diff -Nru exim-3.34/src.old/tree.c exim-3.34/src/tree.c
>--- exim-3.34/src.old/tree.c Tue Feb 12 13:40:46 2002
>+++ exim-3.34/src/tree.c Tue Feb 12 14:30:45 2002
>@@ -32,7 +32,7 @@
> {
> char *p = s + (int)strlen(s);
> while (p > s && p[-1] != '@') p--;
>-if (p <= s) strcpy(prepared_address, s); else
>+if (p <= s) strncpy(prepared_address, s, 512); else /* fixed potential remote
>overflow -- Mixter */
> {
> char *t = prepared_address;
> char *pp = p - 2;
>
--
To UNSUBSCRIBE, email to [EMAIL PROTECTED]
with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
