Vulnerabilities > CVE-2004-0399 - Unspecified vulnerability in University of Cambridge Exim 3.35

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
university-of-cambridge
nessus
exploit available

Summary

Stack-based buffer overflow in Exim 3.35, and other versions before 4, when the sender_verify option is true, allows remote attackers to cause a denial of service and possibly execute arbitrary code during sender verification.

Vulnerable Configurations

Part Description Count
Application
University_Of_Cambridge
2

Exploit-Db

description: Exim Sender 3.35 Verification Remote Stack Buffer Overrun Vulnerability. CVE-2004-0399. Remote exploit for linux platform
id: EDB-ID:24093
last seen: 2016-02-02
modified: 2004-05-06
published: 2004-05-06
reporter: newroot
source: https://www.exploit-db.com/download/24093/
title: Exim Sender 3.35 Verification Remote Stack Buffer Overrun Vulnerability

Nessus

  • NASL family: SMTP problems
    NASL id: EXIM_MULT_OVERFLOW.NASL
    description: The remote version of Exim has multiple remote stack-based buffer overflow vulnerabilities when header syntax checking is enabled. It should be noted that this is not the default configuration. A remote attacker could exploit this to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 12232
    published: 2004-05-06
    reporter: This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/12232
    title: Exim < 3.36 / 4.33 Multiple Remote Overflows
    code:
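    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(12232);
      script_version("1.23");
      script_cvs_date("Date: 2018/11/15 20:50:24");
    
      script_cve_id("CVE-2004-0399", "CVE-2004-0400");
      script_xref(name:"Secunia", value:"11558");
    
      script_name(english:"Exim < 3.36 / 4.33 Multiple Remote Overflows");
      script_summary(english:"Exim Multiple Overflows");
    
      script_set_attribute(attribute:"synopsis", value:"The remote SMTP server has multiple buffer overflow vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "The remote version of Exim has multiple remote stack-based buffer
    overflow vulnerabilities when header syntax checking is enabled. It
    should be noted that this is not the default configuration. A remote
    attacker could exploit this to execute arbitrary code.");
      script_set_attribute(attribute:"see_also", value:"https://seclists.org/fulldisclosure/2004/May/270");
      # The banner test below treats 4.32 as affected and the plugin title
      # says "< 4.33", so the fixed releases are 3.36 / 4.33, not 4.32.
      # CVE-2004-0399 is reached through sender verification, CVE-2004-0400
      # through header syntax checking; both options are named as workarounds.
      script_set_attribute(attribute:"solution", value:
    "Upgrade to Exim 3.36 / 4.33 or later, or disable header syntax checking
    and sender verification in exim.conf.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/05/06");
    
      script_set_attribute(attribute:"potential_vulnerability", value:"true");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
      script_end_attributes();
    
      script_category(ACT_MIXED_ATTACK);
      script_family(english:"SMTP problems");
    
      script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
      script_dependencie("smtpserver_detect.nasl");	# should we use the result from smtpscan?
      script_require_keys("Settings/ParanoidReport");
      script_require_ports("Services/smtp", 25);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("smtp_func.inc");
    
    # Send one SMTP transcript to the daemon and flag the host if it stops
    # answering afterwards. A listener that no longer replies is the only
    # evidence the active checks have, so a lost reply is reported rather
    # than silently skipped.
    #
    # port            : SMTP port under test
    # req             : complete client transcript sent after the greeting
    # warn_on_refused : when TRUE a refused connection is itself reported
    #                   (the previous probe is presumed to have killed the
    #                   daemon); when FALSE the script simply stops
    #
    # Returns only when the daemon answered the transcript; every other
    # outcome ends the script.
    function exim_probe(port, req, warn_on_refused)
    {
      local_var soc, greeting, reply;
    
      soc = open_sock_tcp(port);
      if (!soc)
      {
        if (warn_on_refused) security_warning(port);
        exit(0);
      }
    
      greeting = smtp_recv_line(socket:soc);
      if (!greeting)
      {
        close(soc);
        exit(0);
      }
    
      send(socket:soc, data:req);
      reply = recv_line(socket:soc, length:512);
      close(soc);
    
      if (!reply)
      {
        security_warning(port);
        exit(0);
      }
    }
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_kb_item("Services/smtp");
    if (!port) port = 25;
    if (!get_port_state(port)) exit(0);
    
    banner = get_smtp_banner(port:port);
    if (!banner) exit(0);
    if (!egrep(string:banner, pattern:"Exim")) exit(0);
    
    if (safe_checks())
    {
      # Banner-only decision: 0.x-2.x, 3.00-3.35 and 4.00-4.32 are reported.
      if (egrep(pattern:"220.*Exim ([0-2]\.|3\.([0-2][0-9]|3[0-5])|4\.([0-2][0-9]|3[0-2]))", string:banner))
      {
        # Attach the note to the finding so the reader knows no active
        # check was run.
        report = string("\nNessus verified this solely by checking the banner.\n");
        security_warning(port:port, extra:report);
      }
      exit(0);
    }
    
    # Active checks: each transcript exercises one of the overflows and the
    # daemon is considered affected if it stops responding.
    
    # Probe 1 - oversized MAIL FROM address; presumably the sender
    # verification path (CVE-2004-0399). A refused connection here is not
    # yet evidence of anything, so the script just stops.
    req = string("HELO x.x.x.x\r\n");
    req += string("MAIL FROM: ", crap(300), "@nessus.org\r\n\r\n");
    req += string("RCPT TO: web@localhost\r\n");
    req += string("DATA\r\n");
    req += string("blahblah\r\n.\r\nQUIT\r\n");
    exim_probe(port:port, req:req, warn_on_refused:FALSE);
    
    # Probe 2 - oversized header name in DATA; presumably the header syntax
    # check path (CVE-2004-0400). From here on a refused connection means
    # the previous transcript took the daemon down.
    # NOTE(review): the sender address literal looks mangled by the page's
    # rendering; confirm it against the plugin source.
    req = string("HELO x.x.x.x\r\n");
    req += string("MAIL FROM: [email protected]\r\n");
    req += string("RCPT TO: web@localhost\r\n");
    req += string("DATA\r\n");
    req += string("From", crap(data:" ", length:275), ":nessus\r\n");
    req += string("blahblah\r\n.\r\nQUIT\r\n");
    
    # The header transcript is sent twice: a daemon that survives the first
    # attempt gets a second chance to fall over before the host is cleared.
    for (i = 0; i < 2; i++)
      exim_probe(port:port, req:req, warn_on_refused:TRUE);
    
    exit(0);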
    
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-502.NASL
    description: Georgi Guninski discovered two stack-based buffer overflows in exim and exim-tls. They cannot be exploited with the default configuration from the Debian system, though. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2004-0399 When
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15339
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15339
    title: Debian DSA-502-1 : exim-tls - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-502. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15339);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2004-0399", "CVE-2004-0400");
      script_bugtraq_id(10290, 10291);
      script_xref(name:"DSA", value:"502");
    
      script_name(english:"Debian DSA-502-1 : exim-tls - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      # Advisory text reproduced verbatim from DSA-502.
      script_set_attribute(attribute:"description", value:
    "Georgi Guninski discovered two stack-based buffer overflows in exim
    and exim-tls. They cannot be exploited with the default configuration
    from the Debian system, though. The Common Vulnerabilities and
    Exposures project identifies the following problems that are fixed
    with this update :
    
      - CAN-2004-0399
        When 'sender_verify = true' is configured in exim.conf a
        buffer overflow can happen during verification of the
        sender. This problem is fixed in exim 4.
    
      - CAN-2004-0400
    
        When headers_check_syntax is configured in exim.conf a
        buffer overflow can happen during the header check. This
        problem does also exist in exim 4.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-502");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the exim-tls package.
    
    For the stable distribution (woody) these problems have been fixed in
    version 3.35-3woody2.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:ND");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim-tls");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/05/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # A local check needs a working credentialed session, a Debian release
    # string and a dpkg listing; bail out with the matching audit reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # The host is affected when the installed exim-tls is older than the
    # fixed woody build.
    affected = deb_check(release:"3.0", prefix:"exim-tls", reference:"3.35-3woody2");
    
    if (!affected) audit(AUDIT_HOST_NOT, "affected");
    
    # deb_report_get() carries the installed/fixed versions collected by
    # deb_check(); only attached at non-zero verbosity.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-501.NASL
    description: Georgi Guninski discovered two stack-based buffer overflows. They can not be exploited with the default configuration from the Debian system, though. The Common Vulnerabilities and Exposures project identifies the following problems that are fixed with this update : - CAN-2004-0399 When
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15338
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15338
    title: Debian DSA-501-1 : exim - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-501. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15338);
      script_version("1.23");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2004-0399", "CVE-2004-0400");
      script_bugtraq_id(10290, 10291);
      script_xref(name:"DSA", value:"501");
    
      script_name(english:"Debian DSA-501-1 : exim - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      # Advisory text reproduced verbatim from DSA-501.
      script_set_attribute(attribute:"description", value:
    "Georgi Guninski discovered two stack-based buffer overflows. They can
    not be exploited with the default configuration from the Debian
    system, though. The Common Vulnerabilities and Exposures project
    identifies the following problems that are fixed with this update :
    
      - CAN-2004-0399
        When 'sender_verify = true' is configured in exim.conf a
        buffer overflow can happen during verification of the
        sender. This problem is fixed in exim 4.
    
      - CAN-2004-0400
    
        When headers_check_syntax is configured in exim.conf a
        buffer overflow can happen during the header check. This
        problem does also exist in exim 4.");
      script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2004/dsa-501");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the exim package.
    
    For the stable distribution (woody) these problems have been fixed in
    version 3.35-1woody3.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/05/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/05/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # A local check needs a working credentialed session, a Debian release
    # string and a dpkg listing; bail out with the matching audit reason.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Both binary packages are checked unconditionally so deb_report_get()
    # lists every one that is behind the fixed woody build.
    hits = 0;
    if (deb_check(release:"3.0", prefix:"exim", reference:"3.35-1woody3")) hits++;
    if (deb_check(release:"3.0", prefix:"eximon", reference:"3.35-1woody3")) hits++;
    
    if (!hits) audit(AUDIT_HOST_NOT, "affected");
    
    # The collected installed/fixed versions are attached only at non-zero
    # report verbosity.
    if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
    else security_hole(0);
    exit(0);