Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 348249 (CVE-2010-4344) - <mail-mta/exim-4.74-r1: (possible) remote root vulnerability (CVE-2010-{4344,4345})
Summary: <mail-mta/exim-4.74-r1: (possible) remote root vulnerability (CVE-2010-{4344,...
Status: RESOLVED FIXED
Alias: CVE-2010-4344
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Highest blocker (vote)
Assignee: Gentoo Security
URL: http://www.exim.org/lurker/message/20...
Whiteboard: A0 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-12-09 10:43 UTC by Tobias Klausmann
Modified: 2014-01-27 12:37 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tobias Klausmann gentoo-dev 2010-12-09 10:43:26 UTC
Quote:

"While investigating security break in the network of my company, I've
captured (by tcpdump) sequence of successful remote root attack through
Exim. It was Exim from Debian Lenny (exim4-daemon-light 4.69-9). I
didn't find email of current maintainer of Exim, so I've decided to
write to this mailing lists. I don't want to publish all details of
attack before developers can investigate and fix vulnerability."

I haven't reproduced the buffer overflow since there is not actual info about it, but the local privilege escalation definitely works.

Later in the thread, one of the Exim devs recommends assorted mitigation strategies:

http://www.exim.org/lurker/message/20101209.022730.dbb6732d.en.html

For my own machine, I've gone for the ALT_CONFIG_ROOT_ONLY=yes approach (one addendum to the ebuild and a recompile). This does not fix the (apparent) buffer overflow, but the escalation from UID mail to UID 0.
Comment 1 Fabian Groffen gentoo-dev 2010-12-09 11:08:16 UTC
I'm not in a position where I can fix the ebuild right now, but if you just need to add this define, you have my permissions to add it, and bump if necessary.
Comment 2 Tobias Klausmann gentoo-dev 2010-12-09 12:06:02 UTC
I've committed 4.72-r1 (which is stable on all supported archs) with a fix.
Comment 3 Tim Sammut (RETIRED) gentoo-dev 2010-12-10 07:31:57 UTC
From the last (public) comment from the upstream, it appears that they are working on it:

http://www.exim.org/lurker/message/20101209.150448.ee9f5ce6.en.html#exim-dev
Comment 4 Gerrit Helm 2010-12-10 12:23:08 UTC
This was fixed in 4.70, but got no big attention until now:

http://www.exim.org/lurker/message/20101210.083335.f3d05cab.en.html

Can someone please create a GLSA for this, as I dont know how to do that!? =)


Comment 5 Tobias Klausmann gentoo-dev 2010-12-10 19:32:28 UTC
Independent of this issue I think we should keep my fix in - or its slightly different "only known prefixes" variant. I'm not quite sure which one would be less disruptive if you actually run exim -C as a normal user regularly.
Comment 6 Thorsten Meinl 2010-12-12 15:58:14 UTC
The fix in 4.72-r1 breaks existing installations where exim is run with non-default configuration file name. Upon starting the daemon it drops root privileges. When it spawns e.g. a queue runner it launches exim with "-C /etc/exim/something.conf". The ALT_PREFIX_ROOT_ONLY option causes the queue runner to drop root privileges immediately (since it was forked from a non-root process) and therefore it cannot deliver mails into user directories any more.
A - in my eyes - much better option is to set ALT_CONFIG_PREFIX to /etc/exim. Non-root users are not allowed to write there and even more complicated setups (such as ours) are still using this directory for different config files.
Comment 7 Tobias Klausmann gentoo-dev 2010-12-12 16:09:08 UTC
(In reply to comment #6)
> A - in my eyes - much better option is to set ALT_CONFIG_PREFIX to /etc/exim.
> Non-root users are not allowed to write there and even more complicated setups
> (such as ours) are still using this directory for different config files.

As I said: I'm on the fence on the issue since both solutions work for me. That said, we should /definitely/ implement one of them. I'd leave it to the GEntoo exim maintainers to decide, unless this is causing massive breakage.

The buffer overflow itself has been fixed ages ago upstream, so one could always fall back to 4.72-r0 for now.
Comment 8 Fabian Groffen gentoo-dev 2011-05-08 09:35:46 UTC
version 4.70 and lower have been removed from the tree at Dec 11, 2010.

@security please close this bug
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2011-10-08 13:43:30 UTC
CVE-2010-4345 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4345):
  Exim 4.72 and earlier allows local users to gain privileges by leveraging
  the ability of the exim user account to specify an alternate configuration
  file with a directive that contains arbitrary commands, as demonstrated by
  the spool_directory directive.

CVE-2010-4344 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-4344):
  Heap-based buffer overflow in the string_vformat function in string.c in
  Exim before 4.70 allows remote attackers to execute arbitrary code via an
  SMTP session that includes two MAIL commands in conjunction with a large
  message containing crafted headers, leading to improper rejection logging.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-01-27 12:37:05 UTC
This issue was resolved and addressed in
 GLSA 201401-32 at http://security.gentoo.org/glsa/glsa-201401-32.xml
by GLSA coordinator Mikle Kolyada (Zlogene).