Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 01.14.05: Exim dns_buld_reverse() Buffer Overflow Vulnerability


From: Marc Haber <mh+full-disclosure () zugschlus de>
Date: Sun, 16 Jan 2005 14:25:28 +0100

Hi,

On Fri, Jan 14, 2005 at 12:41:05PM -0500, idlabs-advisories () idefense com wrote:
> Exim dns_buld_reverse() Buffer Overflow Vulnerability

That would have to be dns_build_reverse

> iDEFENSE Security Advisory 01.14.05
> www.idefense.com/application/poi/display?id=183&type=vulnerabilities

That web page is only viewable with JavaScript enabled, and is thus
unviewable with a browser configured to minimize the surfing risk. For
a security-related organization, I consider this poor design.

> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

That one is syntactically invalid, and neither of the obvious fixes
results in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
correctly complains that it is unable to parse the parameter as an
IPv6 address and exits with an exit code of 1. The same happens with a
locally built 4.41 without Debian patches.

> iDEFENSE has confirmed the existence of this vulnerability in Exim
> versions 4.40 and 4.41. A source audit of version 4.42 suggests that it
> is also vulnerable. It is suspected that earlier versions are also
> vulnerable.

According to the upstream author's advisory, released ten days before
the date of the advisory I am replying to, 4.43 is vulnerable as well.

> V. WORKAROUND
>
> iDEFENSE is currently unaware of any effective workarounds for this
> vulnerability.

However, exim's author has released a patch addressing this
vulnerability ten days before the release of the advisory stating
there are no effective workarounds.

So you are basically saying that the patch from Philip Hazel is
ineffective?

> VI. VENDOR RESPONSE
>
> A patch for Exim release 4.43 which addresses this vulnerability is
> available at:
>
>    http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

Is that patch an effective workaround, or is it not?

> The patch will be incorporated into a future Exim release (4.50).

There is also an interim release 4.44 incorporating the patch:

http://www.exim.org/mail-archives/exim-announce/2005/msg00001.html

I find it also interesting that the release message references two
iDEFENSE notification messages whose reference numbers have not been
included in the final advisory as released by iDEFENSE.

> VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

CAN-2005-0021 and CAN-2005-0022 have been assigned on 2005-01-04, ten
days before the date of the advisory stating that no CVE number has
been assigned.

> VIII. DISCLOSURE TIMELINE
>
> 09/30/2004  Initial vendor notification
> 09/30/2004  Initial vendor response
  01/04/2005  Vendor releases a patch
  01/14/2005  Vendor releases interim release incorporating the patch
> 01/14/2005  Public disclosure

> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.

I can fully understand that. The entire advisory seems to be _very_
sloppily prepared, or to have been unduly delayed and passed by
reality before it was finally released.

If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it
should not have been released in the first place. If it addresses a
new vulnerability, it should be clearer in that regard. And it
should include code that actually allows one to reproduce the vulnerability.

Just for the record:
The following package versions of exim and exim4 in Debian GNU/Linux
fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:

exim4     4.43-2         experimental
exim4     4.34-10        unstable, testing
exim      3.36-13        unstable, testing
exim      3.35-1woody4   stable
exim-tls  3.35-3woody3   stable

Greetings
Marc

-- 
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html