Nmap Development mailing list archives
Re: [NSE] Check for CVE-2011-1764 - Exim DKIM Format String
From: Djalal Harouni <tixxdz () opendz org>
Date: Mon, 18 Jul 2011 13:18:08 +0100
On Mon, Jul 18, 2011 at 12:35:36PM +0200, Henri Doreau wrote:
> 2011/7/13 Djalal Harouni <tixxdz () opendz org>:
> > The script will cause the Exim child to segfault due to an invalid memory reference, and perhaps with more debugging someone can achieve arbitrary code execution.
>
> Hi Djalal, this is yet another cool script! I have a suggestion though. As it seems that the exploit can't work against localhost, it would probably make sense to add a check before attempting to crash the child process in order to avoid reporting false positives when testing a server running on the local machine. In this case we should simply rely on the banner/version detection results, I think. Maybe add a message to describe the situation as well.
I must say that I'm really lost here. After a quick localhost test against Exim 4.72 (compiled from source) on a guest machine running Ubuntu, the script reports that it's vulnerable! And from a GDB session I confirm this. I don't know what has changed? I've tested several Exim versions, .deb packages and from upstream sources with different configurations against localhost, and after that against guests attached to my local network (I've made a special configuration for that), and now by chance the script reports that Exim v4.72 on localhost is vulnerable. Perhaps there was a bug in the first version of the script, or perhaps I've changed some configuration options? :)

I've attached a sample log file to confirm this.

BTW I've made some small improvements and committed them as svn r24941:

o Check the port.version.product in the portrule to see if it matches the 'Exim smtpd'.
o If the script was not able to confirm the vulnerability but the Exim version is between 4.70 and 4.75, then report: "LIKELY VULNERABLE".

If you have any other suggestions, please let me know.

Thanks.

--
tixxdz
http://opendz.org
Attachment: exim_dkim_format_string.log
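As an added illustration of the two improvements listed in the message above, here is a minimal NSE script in Lua that implements the portrule product check and the 4.70..4.75 "LIKELY VULNERABLE" fallback. It is not Djalal's script from svn r24941 and it deliberately omits the active test that crashes the Exim child; it assumes the NSE vulns library's Report/STATE API (vulns.STATE.VULN, LIKELY_VULN, NOT_VULN) and the NSE globals SCRIPT_NAME, port.version.product and port.version.version, and the 4.70..4.75 range comes straight from the message:

```lua
local shortport = require "shortport"
local vulns = require "vulns"

description = [[
Classifies an SMTP service as vulnerable, likely vulnerable or not vulnerable
to the Exim DKIM format string bug (CVE-2011-1764) from version-detection
data only. Illustrative example, not the nmap-dev script from svn r24941.
]]

author = "example (not the original script author)"
license = "Same as Nmap--See https://nmap.org/book/man-legal.html"
categories = {"vuln", "safe"}

-- Only run against SMTP-type ports whose version-detection product string
-- names Exim (the check added to the portrule in r24941). port.version.product
-- is nil unless -sV was used, so guard every field before reading it.
portrule = function(host, port)
  local product = port.version and port.version.product
  if not product or not product:find("Exim smtpd", 1, true) then
    return false
  end
  return shortport.port_or_service({25, 465, 587},
    {"smtp", "smtps", "submission"})(host, port)
end

-- Parse "MAJOR.MINOR" off the front of a version string such as "4.72" or
-- "4.74_RC1" and report whether it lies in the affected range 4.70..4.75.
local function version_in_affected_range(verstr)
  if type(verstr) ~= "string" then return false end
  local major, minor = verstr:match("^(%d+)%.(%d+)")
  if not major then return false end
  major, minor = tonumber(major), tonumber(minor)
  return major == 4 and minor >= 70 and minor <= 75
end

-- Map the outcome of an active test plus the detected version onto a vulns
-- state. `confirmed` is true when an active check proved the bug, false when
-- it proved the service patched, nil when it could not decide (or was never
-- run). Only nil falls through to the version heuristic, which yields
-- LIKELY_VULN rather than VULN because a banner alone cannot tell a patched
-- distribution backport from an unpatched build.
local function classify(confirmed, verstr)
  if confirmed == true then
    return vulns.STATE.VULN
  elseif confirmed == false then
    return vulns.STATE.NOT_VULN
  elseif version_in_affected_range(verstr) then
    return vulns.STATE.LIKELY_VULN
  end
  return vulns.STATE.NOT_VULN
end

action = function(host, port)
  local vuln = {
    title = "Exim DKIM format string vulnerability",
    IDS = {CVE = "CVE-2011-1764"},
    description = [[
A format string bug in the DKIM handling of Exim 4.70 through 4.75 lets a
crafted message crash the Exim child process (invalid memory reference).]],
    state = vulns.STATE.NOT_VULN,
  }
  -- This example never sends the crashing probe: it classifies from the
  -- version banner only, so `confirmed` is always nil here.
  local version = port.version and port.version.version
  vuln.state = classify(nil, version)
  if vuln.state == vulns.STATE.LIKELY_VULN then
    vuln.extra_info = ("Exim %s is in the affected range 4.70-4.75; " ..
      "not confirmed by an active test."):format(version)
  end
  local report = vulns.Report:new(SCRIPT_NAME, host, port)
  return report:make_output(vuln)
end
```

Run it with -sV, otherwise port.version.product is empty and the portrule never fires. classify() keeps the active-test result separate from the version heuristic so that a script which does run the crashing test can feed its true/false/nil outcome in and still fall back to LIKELY_VULN only when the test was inconclusive, which is exactly the behaviour the message describes.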
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://seclists.org/nmap-dev/