Bugtraq mailing list archives
Re: Security hole in exim 1.62: local root exploit
From: imp () ROVER VILLAGE ORG (Warner Losh)
Date: Tue, 22 Jul 1997 13:09:02 -0600
In message <Pine.SUN.3.94.970722085310.9339D-100000 () dfw dfw net> Aleph One writes:
: Summary: The latest released version of exim lets any local user obtain
: a root shell.
Here's a message from the author with a patch for this problem. 1.651
is the latest test release, btw.
Warner
Date: Tue, 22 Jul 1997 09:55:00 +0100 (BST)
From: Philip Hazel <ph10 () cus cam ac uk>
Reply-To: Philip Hazel <ph10 () cus cam ac uk>
To: exim-users () lists cam ac uk
Subject: Re: Hoo boy...
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Answering my mail didn't take up all the time till my meeting this
morning, leaving me time to develop a slightly different patch to the
one posted by Jawaid Bazyar. Here are versions for 1.62 and 1.651:
---snip--------------------------------------------------------------------
*** exim-1.62/src/parse.c Wed Apr 16 14:34:49 1997
--- parse.c Tue Jul 22 09:41:50 1997
***************
*** 1037,1042 ****
--- 1037,1048 ----
int extracted;
FILE *f;
+ if (len-9 > 255)
+ {
+ *error = "included file name is too long";
+ return -1;
+ }
+
strncpy(filename, s+9, len-9);
filename[len-9] = 0;
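Review bot: the bound in `if (len-9 > 255)` is a bare literal that has to agree with the declared size of `filename`, and that declaration is not in the hunk; if `filename` is anything other than 256 bytes the check is off by the difference, and a later resize of the buffer would silently reopen the overflow. Prefer `if (len-9 >= sizeof(filename))` or a named constant shared with the declaration. The check also assumes `len` is at least 9 (the length of the `:include:` prefix skipped by `s+9`); that is presumably guaranteed by the caller having matched the keyword, but it deserves a comment, since a negative `len-9` passed to `strncpy` becomes a huge size_t and the new test would not catch it.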
---snip--------------------------------------------------------------------
*** exim-1.651/src/parse.c Fri Jul 4 16:33:56 1997
--- parse.c Tue Jul 22 09:31:54 1997
***************
*** 1056,1061 ****
--- 1056,1067 ----
*error = string_sprintf("file name missing after :include:");
return -1;
}
+
+ if (flen > 255)
+ {
+ *error = string_sprintf("included file name \"%s\" is too long", t);
+ return -1;
+ }
strncpy(filename, t, flen);
filename[flen] = 0;
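Review bot: the error path in the new `if (flen > 255)` block formats the overlong, untrusted name `t` back into the message with `%s`. The copy below passes `flen` as an explicit length, which suggests `t` is not NUL-terminated at the end of the file name, so `%s` would run on into whatever follows it, and the text being reported is by definition longer than the buffer the check protects; unless `string_sprintf` bounds its own output, this moves the unbounded copy into the diagnostic. Use `%.*s` with `(int)flen`, or report only the length, e.g. `*error = string_sprintf("included file name is too long (%d bytes)", flen);`. As in the 1.62 hunk, 255 should be written as `sizeof(filename) - 1` rather than a literal so the check cannot drift from the buffer size.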
---snip--------------------------------------------------------------------
--
Philip Hazel University Computing Service,
ph10 () cus cam ac uk New Museums Site, Cambridge CB2 3QG,
P.Hazel () ucs cam ac uk England. Phone: +44 1223 334714
