Info

Disclosure

Dec 07, 2010

Discovery

Unknown

Dates

Exploit

Dec 10, 2010

Solution

Dec 09, 2010

Description

Exim is prone to a remote overflow condition. The string_format function fails to properly sanitize user-supplied input resulting in a heap buffer overflow. With a specially crafted request, a local attacker can potentially cause arbitrary code execution.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Patch / RCS
Exploit: Exploit Public, Exploit Commercial
Disclosure: Vendor Verified

Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Exim Development Team has released a patch to address this vulnerability.

Products

Exim

4.69

References

Exploit Database: 15725
CVE ID: 2010-4344 (see also: NVD)
Secunia Advisory ID: 40019 42576 42586 42587 42589 42625
Metasploit ID: 69685
Vendor Specific News/Changelog Entry: ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.70 http://bugs.exim.org/show_bug.cgi?id=787
http://git.exim.org/exim.git/commitdiff/24c929a27415c7cfc7126c47e4cad39acf3efa6b
http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
https://bugzilla.redhat.com/show_bug.cgi?id=661756
Vendor Specific Advisory URL: http://lists.debian.org/debian-security-announce/2010/msg00181.html
https://rhn.redhat.com/errata/RHSA-2010-0970.html
Other Advisory URL: http://openwall.com/lists/oss-security/2010/12/10/1
http://www.cpanel.net/2010/12/critical-exim-security-update.html
http://www.cpanel.net/2010/12/exim-remote-memory-corruption-vulnerability-notification-cve-2010-4344.html
http://www.debian.org/security/2010/dsa-2131
http://www.metasploit.com/modules/exploit/unix/smtp/exim4_string_format
http://www.ubuntu.com/usn/usn-1032-1
Mail List Post: http://seclists.org/oss-sec/2010/q4/311
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
http://www.exim.org/lurker/message/20101210.164935.385e04d0.en.html
http://www.gossamer-threads.com/lists/exim/dev/89477
News Article: http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
RedHat RHSA: https://rhn.redhat.com/errata/RHSA-2010-0970.html

Credit

Unknown or Incomplete

Direct URL: http://osvdb.org/69685