Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability
From: Marc Haber <mh+full-disclosure () zugschlus de>
Date: Sun, 16 Jan 2005 14:25:28 +0100
Hi,

On Fri, Jan 14, 2005 at 12:41:05PM -0500, idlabs-advisories () idefense com wrote:
> Exim dns_buld_reverse() Buffer Overflow Vulnerability
That would have to be dns_build_reverse.

> iDEFENSE Security Advisory 01.14.05
> www.idefense.com/application/poi/display?id=183&type=vulnerabilities
That web page is only viewable with JavaScript enabled, and is thus unviewable with a browser configured to minimize the surfing risk. For a security-related organization, I consider this poor design.
> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

That one is syntactically invalid, and neither of the obvious fixes results in a crash on Debian sid. exim 4.34-9, dated 2004-12-08, correctly complains that it is unable to parse the parameter as an IPv6 address and exits with an exit code of 1. The same happens with a locally built 4.41 without Debian patches.
> iDEFENSE has confirmed the existence of this vulnerability in Exim versions 4.40 and 4.41. A source audit of version 4.42 suggests that it is also vulnerable. It is suspected that earlier versions are also vulnerable.
According to the upstream author's advisory, released ten days before the date of the advisory I am replying to, 4.43 is vulnerable as well.
> V. WORKAROUND
>
> iDEFENSE is currently unaware of any effective workarounds for this vulnerability.

However, exim's author had released a patch addressing this vulnerability ten days before the release of the advisory stating there are no effective workarounds. So you are basically saying that the patch from Philip Hazel is ineffective?
> VI. VENDOR RESPONSE
>
> A patch for Exim release 4.43 which addresses this vulnerability is available at:
> http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html
Is that patch an effective workaround, or is it not?
> The patch will be incorporated into a future Exim release (4.50).
>
> There is also an interim release 4.44 incorporating the patch:
> http://www.exim.org/mail-archives/exim-announce/2005/msg00001.html

I also find it interesting that the release message references two iDEFENSE notification messages whose reference numbers have not been included in the final advisory as released by iDEFENSE.
> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not been assigned yet.
CAN-2005-0021 and CAN-2005-0022 have been assigned on 2005-01-04, ten days before the date of the advisory stating that no CVE number has been assigned.
> VIII. DISCLOSURE TIMELINE
>
> 09/30/2004  Initial vendor notification
> 09/30/2004  Initial vendor response
> 01/04/2005  Vendor releases a patch
> 01/14/2005  Vendor releases interim release incorporating the patch
> 01/14/2005  Public disclosure
>
> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.
I can fully understand that.

The entire advisory seems to be _very_ sloppily prepared, or to have been unduly delayed and passed by reality before it was finally released. If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it should not have been released in the first place. If it addresses a new vulnerability, it should be more clear in that regard. And it should include code that actually allows one to reproduce the vulnerability.

Just for the record: The following package versions of exim and exim4 in Debian GNU/Linux fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:

exim4     4.43-2        experimental
exim4     4.34-10       unstable, testing
exim      3.36-13       unstable, testing
exim      3.35-1woody4  stable
exim-tls  3.35-3woody3  stable

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
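Added example, not from the advisory, the post above or Exim itself: a hypothetical bounds-checked builder of the ip6.arpa reverse-lookup name (the kind of name dns_build_reverse() produces) that validates the address text with inet_pton() before touching it and checks the output size before writing, so an overlong or unparseable argument like the "::%A..." probe is rejected rather than copied into a fixed buffer. The names build_reverse_v6 and reverse_v6_matches are assumptions.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical hardened builder of the ip6.arpa reverse-lookup name for an
 * IPv6 address in text form. Not Exim's dns_build_reverse(); it shows the two
 * checks a fixed-size buffer needs: parse before use, size before write.
 * Returns the name length, or -1 if the address is not a valid IPv6 literal
 * or the buffer is too small. */
int build_reverse_v6(const char *addr, char *out, size_t outlen)
{
    static const char hex[] = "0123456789abcdef";
    static const char suffix[] = "ip6.arpa";
    unsigned char bytes[16];
    /* 32 nibbles, each followed by '.', then the suffix and its NUL */
    size_t need = 32 * 2 + sizeof(suffix);
    size_t pos = 0;

    /* inet_pton() rejects anything that is not a plain IPv6 literal, so an
     * overlong string or a "::%A..." scope suffix never reaches the loop. */
    if (addr == NULL || strlen(addr) >= INET6_ADDRSTRLEN ||
        inet_pton(AF_INET6, addr, bytes) != 1)
        return -1;
    if (outlen < need)
        return -1;

    /* Emit nibbles least-significant first, low nibble before high nibble. */
    for (int i = 15; i >= 0; i--) {
        out[pos++] = hex[bytes[i] & 0x0f];
        out[pos++] = '.';
        out[pos++] = hex[bytes[i] >> 4];
        out[pos++] = '.';
    }
    memcpy(out + pos, suffix, sizeof(suffix));
    return (int)(pos + sizeof(suffix) - 1);
}

/* Returns 1 if addr is accepted and its reverse name equals expected. */
int reverse_v6_matches(const char *addr, const char *expected)
{
    char buf[80];
    int n = build_reverse_v6(addr, buf, sizeof buf);
    return n >= 0 && strcmp(buf, expected) == 0;
}
```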