Nmap Development mailing list archives

Re: [NSE] Check for CVE-2011-1764 - Exim DKIM Format String


From: Djalal Harouni <tixxdz () opendz org>
Date: Mon, 18 Jul 2011 13:18:08 +0100

On Mon, Jul 18, 2011 at 12:35:36PM +0200, Henri Doreau wrote:
> 2011/7/13 Djalal Harouni <tixxdz () opendz org>:
> > The script will cause the Exim child to segfault due to an invalid memory
> > reference, and perhaps with more debugging someone can achieve arbitrary
> > code execution.
> 
> Hi Djalal,
> 
> this is yet another cool script! I have a suggestion though. As it
> seems that the exploit can't work against localhost, it would
> probably make sense to add a check before attempting to crash the
> child process in order to avoid reporting false positives when testing
> a server running on the local machine. In this case we should simply
> rely on the banner/version detection results I think. Maybe add a
> message to describe the situation as well.
I must say that I'm really lost here.

After a quick localhost test against Exim 4.72 (compiled from source) on
a guest machine running Ubuntu, the script reports that it's vulnerable!
And from a GDB session I confirm this.

I don't know what has changed? I've tested several Exim versions, from .deb
packages and from upstream sources with different configurations, against
localhost, and after that against guests attached to my local network
(I've made a special configuration for that), and now by chance the script
reports that Exim v4.72 on localhost is vulnerable. Perhaps there was a bug
in the first version of the script, or perhaps I've changed some
configuration options? :)

I've attached a sample log file to confirm this.


BTW I've made some small improvements and committed them as svn r24941:
o Check the port.version.product in the portrule to see if it matches
  the 'Exim smtpd'.
o If the script was not able to confirm the vulnerability but the Exim
  version is between 4.70 and 4.75, then report: "LIKELY VULNERABLE".

If you have any other suggestions, please let me know.

Thanks.


-- 
tixxdz
http://opendz.org

Attachment: exim_dkim_format_string.log
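The portrule product check and the 4.70-4.75 version-range fallback described in the email, as an added standalone Lua model (example code, not the committed NSE script): the port tables are constructed to mirror the fields NSE exposes under port.version, and parse_version, in_range, portrule and classify are hypothetical helper names.

```lua
-- Added example, not the script from the thread. Runs under plain Lua
-- without the nmap libraries; port tables below are constructed.
local EXIM_PRODUCT = "Exim smtpd"
-- Range the email treats as affected when no crash is observed.
local VULN_MIN, VULN_MAX = {4, 70}, {4, 75}

-- Parse "4.72" (or "4.72_RC1") into {major, minor}; Exim uses two-digit
-- minors, so the minor is kept as an integer. Returns nil on no match.
local function parse_version(s)
  if type(s) ~= "string" then return nil end
  local major, minor = s:match("^(%d+)%.(%d+)")
  if not major then return nil end
  return {tonumber(major), tonumber(minor)}
end

local function in_range(v, lo, hi)
  local n = v[1] * 1000 + v[2]
  return n >= lo[1] * 1000 + lo[2] and n <= hi[1] * 1000 + hi[2]
end

-- portrule equivalent: only run when version detection already saw Exim,
-- which avoids sending the probe to unrelated SMTP servers.
local function portrule(port)
  return port.protocol == "tcp" and port.version ~= nil
     and port.version.product == EXIM_PRODUCT
end

-- crashed: whether the active test observed the child process die.
-- An observed crash is conclusive; otherwise fall back to the version.
local function classify(port, crashed)
  if crashed then return "VULNERABLE" end
  local v = parse_version(port.version.version)
  if v and in_range(v, VULN_MIN, VULN_MAX) then
    return "LIKELY VULNERABLE (version " .. port.version.version .. ")"
  end
  return nil  -- nothing to report
end

-- Constructed sample ports (not real scan output).
local samples = {
  {protocol = "tcp", version = {product = "Exim smtpd", version = "4.72"}, crashed = false},
  {protocol = "tcp", version = {product = "Exim smtpd", version = "4.69"}, crashed = false},
  {protocol = "tcp", version = {product = "Exim smtpd", version = "4.70"}, crashed = true},
  {protocol = "tcp", version = {product = "Postfix smtpd", version = "2.8"}, crashed = false},
}
for i, p in ipairs(samples) do
  if portrule(p) then
    print(i, classify(p, p.crashed) or "not vulnerable")
  else
    print(i, "portrule skipped: " .. tostring(p.version.product))
  end
end
```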
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
