oss-sec mailing list archives
[CVE-2020-28018] Use-After-Free on Exim Question
From: null p0int3r <nullp0int3rx () gmail com>
Date: Tue, 11 May 2021 13:23:43 +0200
Hi,

I have a question for the Qualys researchers who discovered and successfully achieved RCE on CVE-2020-28018 (Use-After-Free vulnerability in tls-openssl.c). This question is neither advisory related nor about vulnerability discovery but about exploitation, so I am not sure if it is in the scope of this mailing list.

I am developing a Proof-of-Concept exploit for the previously mentioned bug. I know that once you reach tls_write() again, the UAF is lost as the pointer is NULL'ed.

"- finally, we send a MAIL FROM command whose response overwrites Exim's configuration with our arbitrary "${run{...}}" (which is eventually executed by expand_string())."

In the advisory it says that you sent a second "MAIL FROM" command to the server so the response in tls_write() is written to the area pointed to by the s pointer of the UAF'ed gstring struct. So I suppose that command is the first you send after the second "STARTTLS" command is sent, right?

I was able to overwrite the gstring struct using a "MAIL FROM" command, but after the "STARTTLS", which makes it difficult to use the same response for it to overwrite the target buffer, as a "NULL byte not allowed" message is returned instead.

So, my question in summary: did you corrupt the gstring struct before the STARTTLS and then send another MAIL FROM command after the STARTTLS? Or did you use two "MAIL FROM" commands after the STARTTLS, or a pipelined one, both after? I guess pipelining cannot be used, as you would first need an EHLO response saying the PIPELINING module is available. Doing so requires the use of tls_write(), which means breaking the UAF.

PS: Congrats on those nice bugs discovered.

Thanks