On 6 October 2023 16:24:27 UTC, Andreas Metzler via Exim-users <exim-users@lists.exim.org> wrote:

>On 2023-10-06 Slavko via Exim-users <exim-users@lists.exim.org> wrote:
>[...]
>> hmm, I still cannot get how "network adjacent" is related to root
>> privileges. But my head was never good for attacks...
>
>Hello,
>Afaiui the attack will require special DNS packets that would not be
>sent out by a real recursive resolver. I.e. the attacker needs to change
>these packets directly by being in between the resolver and the machine
>hosting exim.
Thanks, just to confirm (or summarize):

+ if the resolver is on the public net (e.g. 1.1.1.1), the attacker can be relative anyone
+ if the resolver is in the LAN (a remote host), the attacker has to be somewhere inside the LAN
+ if the resolver is on the same host, the attacker has to be root

In addition, the resolver must validate the received RRs (which is not the case, e.g., for dnsmasq). If it doesn't do that, the attacker can exploit it by sending a crafted response from its (real) DNS server and again can be relative anyone.

Right? (by "relative anyone" I mean mostly that he must know how)

IMO, if the attacker already has root access, he can do much more than intercept DNS responses. Or, more precisely, he doesn't need to do that, as he usually can do (nearly) anything on that host...

BTW, when we cannot be sure which resolvers are trusted, we have to start listing the resolvers which are known as not trusted (in the sense of this issue).

>Until now the discussion there sadly only explains why 3 out of 6
>possible issues are still unresolved or not really understood. The
>person (?) sending mails from ZDI does not answer any questions but
>sends out unrelated canned responses. :-(

Yes, I read that. It is really suspicious, as it seems that they cannot provide an exploit. And if that is true, we have to repeat that everywhere, until they revert the particular 0day issue(s).

I asked for that summary just so we (exim users) will be informed about progress, as not all are subscribed to both. IMO, that thread should be CC'd here...

regards

-- 
Slavko
https://www.slavino.sk/
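A small triage helper for the three resolver placements summarized in the message above, added here as an example (it is not part of the thread, and the resolv.conf content is constructed). It only answers "where would an attacker have to sit to get between this resolver and Exim"; whether the resolver validates what it receives is a separate check.

```python
import ipaddress

# Constructed sample resolv.conf content (not from the thread); one nameserver per case.
SAMPLE_RESOLV_CONF = """\
# hand-written for the example
nameserver 127.0.0.53
nameserver 192.168.1.1
nameserver 1.1.1.1
nameserver fe80::1%eth0
search example.test
"""


def classify_resolver(addr: str) -> str:
    """Map a resolver address to the attacker position needed to sit between
    it and Exim: 'same-host' (attacker needs root on the host), 'lan'
    (attacker somewhere inside the local network) or 'public' (anyone on path)."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop an IPv6 zone id
    if ip.is_loopback:
        return "same-host"
    if ip.is_private or ip.is_link_local:
        return "lan"
    return "public"


def parse_resolv_conf(text: str) -> list[str]:
    """Return nameserver addresses from resolv.conf text, ignoring comments."""
    servers = []
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def resolver_exposure(text: str) -> dict[str, str]:
    """Per-nameserver attacker position for a whole resolv.conf."""
    return {s: classify_resolver(s) for s in parse_resolv_conf(text)}


if __name__ == "__main__":
    for server, position in resolver_exposure(SAMPLE_RESOLV_CONF).items():
        print(f"{server:<16} attacker must be: {position}")
```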