CVE-2005-0021 - Unspecified vulnerability in University of Cambridge Exim 4.41/4.42

Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE

(These are the CVSS v2 base metrics AV:L/AC:L/Au:N/C:C/I:C/A:C that the distribution checks below assign to this CVE. The Tenable remote SMTP check, which covers both CVE-2005-0021 and CVE-2005-0022, instead uses AV:N/AC:H because it judges the flaws from the network banner and requires IPv6 or SPA support to be compiled in.)

Summary
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.

Version note: the sources on this page do not agree on the boundary. The Exploit-DB entries name Exim <= 4.41, the Nessus remote banner check flags every 4.x banner up to and including 4.43 and recommends 4.44 or newer, and the Fedora and Red Hat packages versioned 4.43 are fixed only because they carry backported patches. Treat an unpatched 4.43 as affected. The distribution advisories describe the practical impact as a local user running exim with crafted command line arguments and gaining the privileges of the 'exim' account; the dnsdb PTR lookup path exists only in configurations that use that lookup.
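To make the bug class concrete, the following is an added illustrative example written for this page; it is not Exim's host_aton() or dns_build_reverse() and does not reproduce their internals. It parses only the uncompressed eight-group IPv6 text form (no "::" shorthand, an assumption made for brevity) and shows the unchecked pattern, which keeps storing groups past the eighth, beside a version that rejects the ninth component before writing it. The reverse-name builder then produces the ip6.arpa label from validated groups into a size-checked buffer. All function names are hypothetical.

```c
/* Illustrative reconstruction of the CVE-2005-0021 bug class; not Exim's
 * host_aton() or dns_build_reverse(). Handles only the uncompressed
 * 8-group IPv6 textual form (no "::"), an assumption kept for brevity. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define IPV6_GROUPS 8     /* 8 x 16-bit groups in an IPv6 address */
#define IP6_ARPA_LEN 72   /* 32 nibbles + 32 dots + "ip6.arpa" */

/* Vulnerable pattern: stores every hex group it finds. The caller's array
 * holds 8 groups, but nothing enforces that, so "1:2:3:4:5:6:7:8:9"
 * writes a ninth element past the end of the destination. */
static int parse_ipv6_unchecked(const char *s, uint16_t *groups)
{
    int n = 0;
    while (*s) {
        char *end;
        unsigned long v = strtoul(s, &end, 16);
        if (end == s || v > 0xFFFF) break;   /* not a hex group: stop */
        groups[n++] = (uint16_t)v;           /* no "n < 8" check here */
        s = end;
        if (*s == ':') s++;
    }
    return n;
}

/* Fixed pattern: refuse a ninth group before writing it, reject junk
 * between groups, and insist on exactly eight so a short address cannot
 * leave stale data behind in the destination. */
static int parse_ipv6_checked(const char *s, uint16_t groups[IPV6_GROUPS])
{
    int n = 0;
    while (*s) {
        char *end;
        unsigned long v;
        if (n >= IPV6_GROUPS) return -1;     /* the 9th component is rejected */
        v = strtoul(s, &end, 16);
        if (end == s || v > 0xFFFF) return -1;
        groups[n++] = (uint16_t)v;
        s = end;
        if (*s == ':') s++;
        else if (*s) return -1;
    }
    return n == IPV6_GROUPS ? n : -1;
}

/* The dns_build_reverse() job: every nibble in reverse order, dot
 * separated, then "ip6.arpa". Output size is derived from the validated
 * group count and checked against the destination, not assumed. */
static int build_reverse_v6(const uint16_t groups[IPV6_GROUPS], char *out, size_t outsz)
{
    size_t pos = 0;
    if (outsz < IP6_ARPA_LEN + 1) return -1;
    for (int g = IPV6_GROUPS - 1; g >= 0; g--)
        for (int shift = 0; shift < 16; shift += 4)
            pos += (size_t)snprintf(out + pos, outsz - pos, "%x.", (groups[g] >> shift) & 0xF);
    memcpy(out + pos, "ip6.arpa", 9);        /* 8 chars plus the NUL */
    return (int)(pos + 8);
}

/* Wrappers so the two behaviours can be observed without corrupting memory. */
int groups_written_unchecked(const char *addr)
{
    uint16_t scratch[64];   /* oversized here so the demo itself stays safe;
                               the vulnerable code has exactly 8 slots */
    return parse_ipv6_unchecked(addr, scratch);
}

const char *reverse_v6_name(const char *addr)
{
    static char name[IP6_ARPA_LEN + 1];
    uint16_t groups[IPV6_GROUPS];
    if (parse_ipv6_checked(addr, groups) < 0) return NULL;
    if (build_reverse_v6(groups, name, sizeof name) < 0) return NULL;
    return name;
}

int main(void)
{
    const char *bad = "1:2:3:4:5:6:7:8:9";   /* nine groups, the -be style trigger */
    printf("unchecked parser stored %d groups for \"%s\" (array holds %d)\n",
           groups_written_unchecked(bad), bad, IPV6_GROUPS);
    printf("checked parser: %s\n", reverse_v6_name(bad) ? "accepted" : "rejected");
    printf("::1 reverse name: %s\n", reverse_v6_name("0:0:0:0:0:0:0:1"));
    return 0;
}
```

The unchecked parser returns 9 for the nine-group input, one more than the eight slots the real destination has; the checked parser returns NULL for the same input and for a seven-group address, and only a full eight-group address reaches the reverse-name builder.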
Vulnerable Configurations

Part | Description | Count
---|---|---
Application | | 3
Exploit-Db

description: Exim <= 4.41 dns_build_reverse Local Exploit PoC. CVE-2005-0021. Local exploit for linux platform
id: EDB-ID:756
last seen: 2016-01-31
modified: 2005-01-15
published: 2005-01-15
reporter: Rafael Carrasco
source: https://www.exploit-db.com/download/756/
title: Exim <= 4.41 dns_build_reverse Local Exploit PoC

description: Exim <= 4.41 dns_build_reverse Local Exploit. CVE-2005-0021. Local exploit for linux platform
id: EDB-ID:1009
last seen: 2016-01-31
modified: 2005-05-25
published: 2005-05-25
reporter: Plugger
source: https://www.exploit-db.com/download/1009/
title: Exim <= 4.41 dns_build_reverse Local Exploit
Nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2005-002.NASL
description: This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively. 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 62248
published: 2012-09-24
reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/62248
title: Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2005-002.
#

include("compat.inc");

if (description)
{
  script_id(62248);
  script_version("1.7");
  script_cvs_date("Date: 2019/08/02 13:32:23");

  script_cve_id("CVE-2005-0021", "CVE-2005-0022");
  script_xref(name:"FEDORA", value:"2005-002");

  script_name(english:"Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"This erratum fixes two relatively minor security issues which were
discovered in Exim in the last few weeks. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the names
CVE-2005-0021 and CVE-2005-0022 to these, respectively.

1. The function host_aton() can overflow a buffer if it is presented
with an illegal IPv6 address that has more than 8 components.

2. The second report described a buffer overflow in the function
spa_base64_to_bits(), which is part of the code for SPA
authentication. This code originated in the Samba project. The
overflow can be exploited only if you are using SPA authentication.

Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2005-January/000587.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1811cf14"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-mon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-sa");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/24");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

flag = 0;
if (rpm_check(release:"FC3", reference:"exim-4.43-1.FC3.1")) flag++;
if (rpm_check(release:"FC3", reference:"exim-debuginfo-4.43-1.FC3.1")) flag++;
if (rpm_check(release:"FC3", reference:"exim-doc-4.43-1.FC3.1")) flag++;
if (rpm_check(release:"FC3", reference:"exim-mon-4.43-1.FC3.1")) flag++;
if (rpm_check(release:"FC3", reference:"exim-sa-4.43-1.FC3.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-debuginfo / exim-doc / exim-mon / exim-sa");
}
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-637.NASL
description: Philip Hazel announced a buffer overflow in the host_aton function in exim-tls, the SSL-enabled version of the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16155
published: 2005-01-13
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16155
title: Debian DSA-637-1 : exim-tls - buffer overflow
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-637. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16155);
  script_version("1.16");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2005-0021");
  script_xref(name:"DSA", value:"637");

  script_name(english:"Debian DSA-637-1 : exim-tls - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Philip Hazel announced a buffer overflow in the host_aton function in
exim-tls, the SSL-enabled version of the default mail-transport-agent
in Debian, which can lead to the execution of arbitrary code via an
illegal IPv6 address."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289046"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-637"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the exim-tls package.

For the stable distribution (woody) this problem has been fixed in
version 3.35-3woody3.

In the unstable distribution (sid) this package does not exist
anymore."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim-tls");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/13");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"exim-tls", reference:"3.35-3woody3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2005-025.NASL
description: Updated exim packages that resolve security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow was discovered in the spa_base64_to_bits function in Exim, as originally obtained from Samba code. If SPA authentication is enabled, a remote attacker may be able to exploit this vulnerability to execute arbitrary code as the 'exim' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0022 to this issue. Please note that SPA authentication is not enabled by default in Red Hat Enterprise Linux 4. Buffer overflow flaws were discovered in the host_aton and dns_build_reverse functions in Exim. A local user can trigger these flaws by executing exim with carefully crafted command line arguments and may be able to gain the privileges of the 'exim' account. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0021 to this issue. Users of Exim are advised to update to these erratum packages which contain backported patches to correct these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 17165
published: 2005-02-22
reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/17165
title: RHEL 4 : exim (RHSA-2005:025)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2005:025. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(17165);
  script_version ("1.22");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2005-0021", "CVE-2005-0022");
  script_xref(name:"RHSA", value:"2005:025");

  script_name(english:"RHEL 4 : exim (RHSA-2005:025)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated exim packages that resolve security issues are now available
for Red Hat Enterprise Linux 4.

This update has been rated as having moderate security impact by the
Red Hat Security Response Team.

Exim is a mail transport agent (MTA) developed at the University of
Cambridge for use on Unix systems connected to the Internet.

A buffer overflow was discovered in the spa_base64_to_bits function in
Exim, as originally obtained from Samba code. If SPA authentication is
enabled, a remote attacker may be able to exploit this vulnerability
to execute arbitrary code as the 'exim' user. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CVE-2005-0022 to this issue. Please note that SPA authentication
is not enabled by default in Red Hat Enterprise Linux 4.

Buffer overflow flaws were discovered in the host_aton and
dns_build_reverse functions in Exim. A local user can trigger these
flaws by executing exim with carefully crafted command line arguments
and may be able to gain the privileges of the 'exim' account. The
Common Vulnerabilities and Exposures project (cve.mitre.org) has
assigned the name CVE-2005-0021 to this issue.

Users of Exim are advised to update to these erratum packages which
contain backported patches to correct these issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2005-0021"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/security/cve/cve-2005-0022"
  );
  # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050103/msg00028.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?1855ef75"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://access.redhat.com/errata/RHSA-2005:025"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-mon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-sa");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/02/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/22");

  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Red Hat Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
os_ver = os_ver[1];
if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);

yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
if (!empty_or_null(yum_updateinfo))
{
  rhsa = "RHSA-2005:025";
  yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
  if (!empty_or_null(yum_report))
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : yum_report
    );
    exit(0);
  }
  else
  {
    audit_message = "affected by Red Hat security advisory " + rhsa;
    audit(AUDIT_OS_NOT, audit_message);
  }
}
else
{
  flag = 0;
  if (rpm_check(release:"RHEL4", reference:"exim-4.43-1.RHEL4.3")) flag++;
  if (rpm_check(release:"RHEL4", reference:"exim-doc-4.43-1.RHEL4.3")) flag++;
  if (rpm_check(release:"RHEL4", reference:"exim-mon-4.43-1.RHEL4.3")) flag++;
  if (rpm_check(release:"RHEL4", reference:"exim-sa-4.43-1.RHEL4.3")) flag++;

  if (flag)
  {
    security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get() + redhat_report_package_caveat()
    );
    exit(0);
  }
  else
  {
    tested = pkg_tests_get();
    if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
    else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-doc / exim-mon / exim-sa");
  }
}
NASL family: SMTP problems
NASL id: EXIM_SPA_IPV6_OVERFLOW.NASL
description: The remote host is running Exim, a message transfer agent (SMTP). It is reported that Exim is prone to an IPv6 Address and an SPA authentication buffer overflow. An attacker, exploiting this issue, may be able to execute arbitrary code on the remote host. Exim must be configured with SPA Authentication or with IPv6 support to exploit those flaws. In addition, Exim is vulnerable to two local overflows in command line option handling. However, Nessus has not tested for these.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16111
published: 2005-01-07
reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16111
title: Exim < 4.44 Multiple Overflows
code:

#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16111);
  script_version("1.17");
  script_cvs_date("Date: 2018/07/10 14:27:33");

  script_cve_id("CVE-2005-0021", "CVE-2005-0022");
  script_bugtraq_id(12185,12188);

  script_name(english:"Exim < 4.44 Multiple Overflows");
  script_summary(english:"Exim Illegal IPv6 Address and SPA Authentication Buffer Overflow Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:"The remote mail server is vulnerable to a buffer overflow attack.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Exim, a message transfer agent (SMTP).

It is reported that Exim is prone to an IPv6 Address and an SPA
authentication buffer overflow. An attacker, exploiting this issue,
may be able to execute arbitrary code on the remote host.

Exim must be configured with SPA Authentication or with IPv6 support to
exploit those flaws.

In addition, Exim is vulnerable to two local overflows in command line
option handling. However, Nessus has not tested for these.");
  script_set_attribute(attribute:"solution", value:"Upgrade to Exim 4.44 or newer");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/07");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
  script_family(english:"SMTP problems");

  script_dependencie("smtpserver_detect.nasl");
  script_require_keys("Settings/ParanoidReport");
  script_require_ports("Services/smtp", 25);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("smtp_func.inc");

#
# RHEL 4, CentOS 4, and more ship with a (patched) version of exim by default,
# so a banner-only check is a guess about backports; it is gated behind
# paranoid reporting for that reason.
#
if (report_paranoia < 2) audit(AUDIT_PARANOID);

port = get_kb_item("Services/smtp");
if(!port) port = 25;
if (! get_port_state(port)) exit(0);

banner = get_smtp_banner(port:port);
if(!banner)exit(0);
if ( "Exim" >!< banner ) exit(0);

# Matches Exim 0.x-3.x, 4.0-4.9, 4.00-4.39 and 4.40-4.43 in the 220 greeting;
# 4.44 is the first release that is not flagged.
if(egrep(pattern:"220.*Exim ([0-3]\.|4\.([0-9][^0-9]|[0-3][0-9]|4[0-3][^0-9]))", string:banner))
  security_hole(port);
NASL family: Ubuntu Local Security Checks
NASL id: UBUNTU_USN-56-1.NASL
description: A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0021) Additionally, the BASE64 decoder in the SPA authentication handler did not check the size of its output buffer. By sending an invalid BASE64 authentication string, a remote attacker could overflow the buffer, which could possibly be exploited to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0022). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 20674
published: 2006-01-15
reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/20674
title: Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-56-1. The text
# itself is copyright (C) Canonical, Inc. See
# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
#

include("compat.inc");

if (description)
{
  script_id(20674);
  script_version("1.14");
  script_cvs_date("Date: 2019/08/02 13:33:00");

  script_cve_id("CVE-2005-0021", "CVE-2005-0022");
  script_xref(name:"USN", value:"56-1");

  script_name(english:"Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)");
  script_summary(english:"Checks dpkg output for updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Ubuntu host is missing one or more security-related
patches."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A flaw has been found in the host_aton() function, which can overflow
a buffer if it is presented with an illegal IPv6 address that has more
than 8 components. When supplying certain command line parameters, the
input was not checked, so that a local attacker could possibly exploit
the buffer overflow to run arbitrary code with the privileges of the
Exim mail server. (CAN-2005-0021)

Additionally, the BASE64 decoder in the SPA authentication handler did
not check the size of its output buffer. By sending an invalid BASE64
authentication string, a remote attacker could overflow the buffer,
which could possibly be exploited to run arbitrary code with the
privileges of the Exim mail server. (CAN-2005-0022).

Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues."
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-base");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-config");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:eximon4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
  script_family(english:"Ubuntu Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("ubuntu.inc");
include("misc_func.inc");

if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Ubuntu/release");
if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
release = chomp(release);
if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);

flag = 0;

if (ubuntu_check(osver:"4.10", pkgname:"exim4", pkgver:"4.34-5ubuntu1.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"exim4-base", pkgver:"4.34-5ubuntu1.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"exim4-config", pkgver:"4.34-5ubuntu1.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"exim4-daemon-heavy", pkgver:"4.34-5ubuntu1.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"exim4-daemon-light", pkgver:"4.34-5ubuntu1.1")) flag++;
if (ubuntu_check(osver:"4.10", pkgname:"eximon4", pkgver:"4.34-5ubuntu1.1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim4 / exim4-base / exim4-config / exim4-daemon-heavy / etc");
}
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-635.NASL
description: Philip Hazel announced a buffer overflow in the host_aton function in exim, the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 16132
published: 2005-01-12
reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/16132
title: Debian DSA-635-1 : exim - buffer overflow
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-635. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(16132);
  script_version("1.19");
  script_cvs_date("Date: 2019/08/02 13:32:18");

  script_cve_id("CVE-2005-0021");
  script_xref(name:"DSA", value:"635");

  script_name(english:"Debian DSA-635-1 : exim - buffer overflow");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Philip Hazel announced a buffer overflow in the host_aton function in
exim, the default mail-transport-agent in Debian, which can lead to
the execution of arbitrary code via an illegal IPv6 address."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289046"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2005/dsa-635"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the exim and exim4 packages.

For the stable distribution (woody) this problem has been fixed in
version 3.35-1woody4."
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/12");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

flag = 0;
if (deb_check(release:"3.0", prefix:"exim", reference:"3.35-1woody4")) flag++;
if (deb_check(release:"3.0", prefix:"eximon", reference:"3.35-1woody4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family | FreeBSD Local Security Checks
NASL id | FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL
description | 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 19118
published | 2005-07-13
reporter | This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source | https://www.tenable.com/plugins/nessus/19118
title | FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)
code |
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the FreeBSD VuXML database :
#
# Copyright 2003-2018 Jacques Vidrine and contributors
#
# Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
# HTML, PDF, PostScript, RTF and so forth) with or without modification,
# are permitted provided that the following conditions are met:
# 1. Redistributions of source code (VuXML) must retain the above
#    copyright notice, this list of conditions and the following
#    disclaimer as the first lines of this file unmodified.
# 2. Redistributions in compiled form (transformed to other DTDs,
#    published online in any format, converted to PDF, PostScript,
#    RTF and other formats) must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer
#    in the documentation and/or other materials provided with the
#    distribution.
#
# THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
# AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
# THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
# BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
# OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
# OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
# BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
# WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
# OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
# EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
#

include("compat.inc");

if (description)
{
  script_id(19118);
  script_version("1.20");
  script_cvs_date("Date: 2019/08/02 13:32:37");

  script_cve_id("CVE-2005-0021", "CVE-2005-0022");
  script_bugtraq_id(12185, 12188, 12268);

  script_name(english:"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)");
  script_summary(english:"Checks for updated packages in pkg_info output");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote FreeBSD host is missing one or more security-related updates."
  );
  script_set_attribute(
    attribute:"description",
    value:"1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html"
  );
  # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377
  script_set_attribute(
    attribute:"see_also",
    value:"https://marc.info/?l=bugtraq&m=110573573800377"
  );
  # https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?60fdf1ac"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-ldap2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-mysql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-postgresql");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-sa-exim");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");

  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/05");
  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/05");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"FreeBSD Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");

  exit(0);
}

include("audit.inc");
include("freebsd_package.inc");

# Bail out unless the scanner has credentialed access to a FreeBSD host with a package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Every exim flavour older than 4.43+28_1 is still vulnerable.
flag = 0;
if (pkg_test(save_report:TRUE, pkg:"exim<4.43+28_1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"exim-ldap<4.43+28_1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"exim-ldap2<4.43+28_1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"exim-mysql<4.43+28_1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"exim-postgresql<4.43+28_1")) flag++;
if (pkg_test(save_report:TRUE, pkg:"exim-sa-exim<4.43+28_1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family | Fedora Local Security Checks
NASL id | FEDORA_2005-001.NASL
description | This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively. 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 16113
published | 2005-01-07
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/16113
title | Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)
code |
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory 2005-001.
#

include("compat.inc");

if (description)
{
  script_id(16113);
  script_version ("1.14");
  script_cvs_date("Date: 2019/08/02 13:32:23");

  script_cve_id("CVE-2005-0021", "CVE-2005-0022");
  script_xref(name:"FEDORA", value:"2005-001");

  script_name(english:"Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)");
  script_summary(english:"Checks rpm output for the updated packages.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora Core host is missing a security update."
  );
  script_set_attribute(
    attribute:"description",
    value:"This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively. 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  # https://lists.fedoraproject.org/pipermail/announce/2005-January/000555.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?080b4ac1"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-debuginfo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-doc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-mon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-sa");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/07");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Fedora Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Bail out unless the scanner has credentialed access to a Fedora Core 2 host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# The fixed packages exist only for x86 / x86_64; other architectures are not checked.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# Each installed package older than the fixed reference version raises the flag.
flag = 0;
if (rpm_check(release:"FC2", reference:"exim-4.43-1.FC2.1")) flag++;
if (rpm_check(release:"FC2", reference:"exim-debuginfo-4.43-1.FC2.1")) flag++;
if (rpm_check(release:"FC2", reference:"exim-doc-4.43-1.FC2.1")) flag++;
if (rpm_check(release:"FC2", reference:"exim-mon-4.43-1.FC2.1")) flag++;
if (rpm_check(release:"FC2", reference:"exim-sa-4.43-1.FC2.1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-debuginfo / exim-doc / exim-mon / exim-sa");
}
NASL family | Gentoo Local Security Checks
NASL id | GENTOO_GLSA-200501-23.NASL
description | The remote host is affected by the vulnerability described in GLSA-200501-23 (Exim: Two buffer overflows). Buffer overflows have been found in the host_aton() function (CAN-2005-0021) as well as in the spa_base64_to_bits() function (CAN-2005-0022), which is part of the SPA authentication code. Impact : A local attacker could trigger the buffer overflow in host_aton() by supplying an illegal IPv6 address with more than 8 components, using a command line option. The second vulnerability could be remotely exploited during SPA authentication, if it is enabled on the server. Both buffer overflows can potentially lead to the execution of arbitrary code. Workaround : There is no known workaround at this time.
last seen | 2020-06-01
modified | 2020-06-02
plugin id | 16414
published | 2005-02-14
reporter | This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
source | https://www.tenable.com/plugins/nessus/16414
title | GLSA-200501-23 : Exim: Two buffer overflows
code |
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 200501-23.
#
# The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include("compat.inc");

if (description)
{
  script_id(16414);
  script_version("1.17");
  script_cvs_date("Date: 2019/08/02 13:32:42");

  script_cve_id("CVE-2005-0021", "CVE-2005-0022");
  script_xref(name:"GLSA", value:"200501-23");

  script_name(english:"GLSA-200501-23 : Exim: Two buffer overflows");
  script_summary(english:"Checks for updated package(s) in /var/db/pkg");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Gentoo host is missing one or more security-related patches."
  );
  script_set_attribute(
    attribute:"description",
    value:"The remote host is affected by the vulnerability described in GLSA-200501-23 (Exim: Two buffer overflows) Buffer overflows have been found in the host_aton() function (CAN-2005-0021) as well as in the spa_base64_to_bits() function (CAN-2005-0022), which is part of the SPA authentication code. Impact : A local attacker could trigger the buffer overflow in host_aton() by supplying an illegal IPv6 address with more than 8 components, using a command line option. The second vulnerability could be remotely exploited during SPA authentication, if it is enabled on the server. Both buffer overflows can potentially lead to the execution of arbitrary code. Workaround : There is no known workaround at this time."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://security.gentoo.org/glsa/200501-23"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"All Exim users should upgrade to the latest version:
    # emerge --sync
    # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.43-r2'"
  );
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:exim");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/14");
  script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
  script_family(english:"Gentoo Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("qpkg.inc");

# Bail out unless the scanner has credentialed access to a Gentoo host with a package list.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Any mail-mta/exim older than 4.43-r2 is reported as vulnerable.
flag = 0;
if (qpkg_check(package:"mail-mta/exim", unaffected:make_list("ge 4.43-r2"), vulnerable:make_list("lt 4.43-r2"))) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Exim");
}
Oval
Field | Value |
---|---|
accepted | 2013-04-29T04:04:52.267-04:00 |
class | vulnerability |
contributors | |
definition_extensions | |
description | Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function. |
family | unix |
id | oval:org.mitre.oval:def:10347 |
status | accepted |
submitted | 2010-07-09T03:56:16-04:00 |
title | Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes. |
version | 27 |
Redhat
Field | Value |
---|---|
advisories | |
rpms | |
References
- http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44
- http://security.gentoo.org/glsa/glsa-200501-23.xml
- http://www.debian.org/security/2005/dsa-635
- http://www.debian.org/security/2005/dsa-637
- http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050103/msg00028.html
- http://www.idefense.com/application/poi/display?id=179&type=vulnerabilities
- http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/132992
- http://www.redhat.com/support/errata/RHSA-2005-025.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10347