CVE-2005-0021 - Unspecified vulnerability in University of Cambridge Exim 4.41/4.42

047910
CVSS 7.2 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Tags: local, low complexity, university-of-cambridge, nessus, exploit available

Summary

Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.

Exploit-Db

  • description: Exim <= 4.41 dns_build_reverse Local Exploit PoC. CVE-2005-0021. Local exploit for linux platform
    id: EDB-ID:756
    last seen: 2016-01-31
    modified: 2005-01-15
    published: 2005-01-15
    reporter: Rafael Carrasco
    source: https://www.exploit-db.com/download/756/
    title: Exim <= 4.41 dns_build_reverse Local Exploit PoC
  • description: Exim <= 4.41 dns_build_reverse Local Exploit. CVE-2005-0021. Local exploit for linux platform
    id: EDB-ID:1009
    last seen: 2016-01-31
    modified: 2005-05-25
    published: 2005-05-25
    reporter: Plugger
    source: https://www.exploit-db.com/download/1009/
    title: Exim <= 4.41 dns_build_reverse Local Exploit

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-002.NASL
    description: This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively. 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 62248
    published: 2012-09-24
    reporter: This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/62248
    title: Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2005-002.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(62248);
      script_version("1.7");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      script_cve_id("CVE-2005-0021", "CVE-2005-0022");
      script_xref(name:"FEDORA", value:"2005-002");
    
      script_name(english:"Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This erratum fixes two relatively minor security issues which were
    discovered in Exim in the last few weeks. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the names
    CVE-2005-0021 and CVE-2005-0022 to these, respectively.
    
    1. The function host_aton() can overflow a buffer if it is presented
    with an illegal IPv6 address that has more than 8 components.
    
    2. The second report described a buffer overflow in the function
    spa_base64_to_bits(), which is part of the code for SPA
    authentication. This code originated in the Samba project. The
    overflow can be exploited only if you are using SPA authentication.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-January/000587.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1811cf14"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-mon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-sa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:3");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/09/24");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 3.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC3", reference:"exim-4.43-1.FC3.1")) flag++;
    if (rpm_check(release:"FC3", reference:"exim-debuginfo-4.43-1.FC3.1")) flag++;
    if (rpm_check(release:"FC3", reference:"exim-doc-4.43-1.FC3.1")) flag++;
    if (rpm_check(release:"FC3", reference:"exim-mon-4.43-1.FC3.1")) flag++;
    if (rpm_check(release:"FC3", reference:"exim-sa-4.43-1.FC3.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-debuginfo / exim-doc / exim-mon / exim-sa");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-637.NASL
    description: Philip Hazel announced a buffer overflow in the host_aton function in exim-tls, the SSL-enabled version of the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16155
    published: 2005-01-13
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16155
    title: Debian DSA-637-1 : exim-tls - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-637. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16155);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-0021");
      script_xref(name:"DSA", value:"637");
    
      script_name(english:"Debian DSA-637-1 : exim-tls - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Philip Hazel announced a buffer overflow in the host_aton function in
    exim-tls, the SSL-enabled version of the default mail-transport-agent
    in Debian, which can lead to the execution of arbitrary code via an
    illegal IPv6 address."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289046"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-637"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the exim-tls package.
    
    For the stable distribution (woody) this problem has been fixed in
    version 3.35-3woody3.
    
    In the unstable distribution (sid) this package does not exist
    anymore."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim-tls");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/13");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/13");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"exim-tls", reference:"3.35-3woody3")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2005-025.NASL
    description: Updated exim packages that resolve security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow was discovered in the spa_base64_to_bits function in Exim, as originally obtained from Samba code. If SPA authentication is enabled, a remote attacker may be able to exploit this vulnerability to execute arbitrary code as the
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 17165
    published: 2005-02-22
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/17165
    title: RHEL 4 : exim (RHSA-2005:025)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2005:025. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(17165);
      script_version ("1.22");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2005-0021", "CVE-2005-0022");
      script_xref(name:"RHSA", value:"2005:025");
    
      script_name(english:"RHEL 4 : exim (RHSA-2005:025)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated exim packages that resolve security issues are now available
    for Red Hat Enterprise Linux 4.
    
    This update has been rated as having moderate security impact by the
    Red Hat Security Response Team.
    
    Exim is a mail transport agent (MTA) developed at the University of
    Cambridge for use on Unix systems connected to the Internet.
    
    A buffer overflow was discovered in the spa_base64_to_bits function in
    Exim, as originally obtained from Samba code. If SPA authentication is
    enabled, a remote attacker may be able to exploit this vulnerability
    to execute arbitrary code as the 'exim' user. The Common
    Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
    name CVE-2005-0022 to this issue. Please note that SPA authentication
    is not enabled by default in Red Hat Enterprise Linux 4.
    
    Buffer overflow flaws were discovered in the host_aton and
    dns_build_reverse functions in Exim. A local user can trigger these
    flaws by executing exim with carefully crafted command line arguments
    and may be able to gain the privileges of the 'exim' account. The
    Common Vulnerabilities and Exposures project (cve.mitre.org) has
    assigned the name CVE-2005-0021 to this issue.
    
    Users of Exim are advised to update to these erratum packages which
    contain backported patches to correct these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0021"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2005-0022"
      );
      # http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050103/msg00028.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?1855ef75"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2005:025"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-mon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-sa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/05/02");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/02/15");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/22");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^4([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2005:025";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL4", reference:"exim-4.43-1.RHEL4.3")) flag++;
      if (rpm_check(release:"RHEL4", reference:"exim-doc-4.43-1.RHEL4.3")) flag++;
      if (rpm_check(release:"RHEL4", reference:"exim-mon-4.43-1.RHEL4.3")) flag++;
      if (rpm_check(release:"RHEL4", reference:"exim-sa-4.43-1.RHEL4.3")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-doc / exim-mon / exim-sa");
      }
    }
    
  • NASL family: SMTP problems
    NASL id: EXIM_SPA_IPV6_OVERFLOW.NASL
    description: The remote host is running Exim, a message transfer agent (SMTP). It is reported that Exim is prone to an IPv6 Address and an SPA authentication buffer overflow. An attacker, exploiting this issue, may be able to execute arbitrary code on the remote host. Exim must be configured with SPA Authentication or with IPv6 support to exploit those flaws. In addition, Exim is vulnerable to two local overflows in command line option handling. However, Nessus has not tested for these.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16111
    published: 2005-01-07
    reporter: This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16111
    title: Exim < 4.44 Multiple Overflows
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(16111);
     script_version("1.17");
     script_cvs_date("Date: 2018/07/10 14:27:33");
    
     script_cve_id("CVE-2005-0021", "CVE-2005-0022");
     script_bugtraq_id(12185,12188);
    
     script_name(english:"Exim < 4.44 Multiple Overflows");
     script_summary(english:"Exim Illegal IPv6 Address and SPA Authentication Buffer Overflow Vulnerabilities");
    
     script_set_attribute(attribute:"synopsis", value:"The remote mail server is vulnerable to a buffer overflow attack.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running Exim, a message transfer agent (SMTP).
    
    It is reported that Exim is prone to an IPv6 Address and an SPA
    authentication buffer overflow. An attacker, exploiting this issue,
    may be able to execute arbitrary code on the remote host.
    
    Exim must be configured with SPA Authentication or with IPv6 support
    to exploit those flaws.
    
    In addition, Exim is vulnerable to two local overflows in command line
    option handling. However, Nessus has not tested for these.");
     script_set_attribute(attribute:"solution", value:"Upgrade to Exim 4.44 or newer");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
     script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12");
     script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/07");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"SMTP problems");
    
     script_dependencie("smtpserver_detect.nasl");
     script_require_keys("Settings/ParanoidReport");
     script_require_ports("Services/smtp", 25);
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("smtp_func.inc");
    
    #
    # RHEL 4, CentOS 4, and more ship with a (patched) version of exim by default
    #
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    port = get_kb_item("Services/smtp");
    if(!port) port = 25;
    if (! get_port_state(port)) exit(0);
    
    banner = get_smtp_banner(port:port);
    if(!banner)exit(0);
    if ( "Exim" >!< banner  ) exit(0);
    
    if(egrep(pattern:"220.*Exim ([0-3]\.|4\.([0-9][^0-9]|[0-3][0-9]|4[0-3][^0-9]))", string:banner))
            security_hole(port);
    
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-56-1.NASL
    description: A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0021) Additionally, the BASE64 decoder in the SPA authentication handler did not check the size of its output buffer. By sending an invalid BASE64 authentication string, a remote attacker could overflow the buffer, which could possibly be exploited to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0022). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 20674
    published: 2006-01-15
    reporter: Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/20674
    title: Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-56-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(20674);
      script_version("1.14");
      script_cvs_date("Date: 2019/08/02 13:33:00");
    
      script_cve_id("CVE-2005-0021", "CVE-2005-0022");
      script_xref(name:"USN", value:"56-1");
    
      script_name(english:"Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A flaw has been found in the host_aton() function, which can overflow
    a buffer if it is presented with an illegal IPv6 address that has more
    than 8 components. When supplying certain command line parameters, the
    input was not checked, so that a local attacker could possibly exploit
    the buffer overflow to run arbitrary code with the privileges of the
    Exim mail server. (CAN-2005-0021)
    
    Additionally, the BASE64 decoder in the SPA authentication handler did
    not check the size of its output buffer. By sending an invalid BASE64
    authentication string, a remote attacker could overflow the buffer,
    which could possibly be exploited to run arbitrary code with the
    privileges of the Exim mail server. (CAN-2005-0022).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-base");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-config");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-heavy");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:exim4-daemon-light");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:eximon4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:4.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/07");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/01/15");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(4\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 4.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"4.10", pkgname:"exim4", pkgver:"4.34-5ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"exim4-base", pkgver:"4.34-5ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"exim4-config", pkgver:"4.34-5ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"exim4-daemon-heavy", pkgver:"4.34-5ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"exim4-daemon-light", pkgver:"4.34-5ubuntu1.1")) flag++;
    if (ubuntu_check(osver:"4.10", pkgname:"eximon4", pkgver:"4.34-5ubuntu1.1")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim4 / exim4-base / exim4-config / exim4-daemon-heavy / etc");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-635.NASL
    description: Philip Hazel announced a buffer overflow in the host_aton function in exim, the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16132
    published: 2005-01-12
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16132
    title: Debian DSA-635-1 : exim - buffer overflow
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-635. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16132);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-0021");
      script_xref(name:"DSA", value:"635");
    
      script_name(english:"Debian DSA-635-1 : exim - buffer overflow");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Philip Hazel announced a buffer overflow in the host_aton function in
    exim, the default mail-transport-agent in Debian, which can lead to
    the execution of arbitrary code via an illegal IPv6 address."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=289046"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-635"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the exim and exim4 packages.
    
    For the stable distribution (woody) this problem has been fixed in
    version 3.35-1woody4."
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:exim");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/12");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"exim", reference:"3.35-1woody4")) flag++;
    if (deb_check(release:"3.0", prefix:"eximon", reference:"3.35-1woody4")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL
    description: 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 19118
    published: 2005-07-13
    reporter: This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/19118
    title: FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(19118);
      script_version("1.20");
      script_cvs_date("Date: 2019/08/02 13:32:37");
    
      script_cve_id("CVE-2005-0021", "CVE-2005-0022");
      script_bugtraq_id(12185, 12188, 12268);
    
      script_name(english:"FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)");
      script_summary(english:"Checks for updated packages in pkg_info output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote FreeBSD host is missing one or more security-related
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "1. The function host_aton() can overflow a buffer if it is presented
    with an illegal IPv6 address that has more than 8 components.
    
    2. The second report described a buffer overflow in the function
    spa_base64_to_bits(), which is part of the code for SPA
    authentication."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html"
      );
      # http://marc.theaimsgroup.com/?l=bugtraq&m=110573573800377
      script_set_attribute(
        attribute:"see_also",
        value:"https://marc.info/?l=bugtraq&m=110573573800377"
      );
      # https://vuxml.freebsd.org/freebsd/ca9ce879-5ebb-11d9-a01c-0050569f0001.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?60fdf1ac"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-ldap2");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-mysql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-postgresql");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:exim-sa-exim");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/07/13");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (pkg_test(save_report:TRUE, pkg:"exim<4.43+28_1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"exim-ldap<4.43+28_1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"exim-ldap2<4.43+28_1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"exim-mysql<4.43+28_1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"exim-postgresql<4.43+28_1")) flag++;
    if (pkg_test(save_report:TRUE, pkg:"exim-sa-exim<4.43+28_1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2005-001.NASL
    description: This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively. 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16113
    published: 2005-01-07
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16113
    title: Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2005-001.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16113);
      script_version ("1.14");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      script_cve_id("CVE-2005-0021", "CVE-2005-0022");
      script_xref(name:"FEDORA", value:"2005-001");
    
      script_name(english:"Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This erratum fixes two relatively minor security issues which were
    discovered in Exim in the last few weeks. The Common Vulnerabilities
    and Exposures project (cve.mitre.org) has assigned the names
    CVE-2005-0021 and CVE-2005-0022 to these, respectively.
    
    1. The function host_aton() can overflow a buffer if it is presented
    with an illegal IPv6 address that has more than 8 components.
    
    2. The second report described a buffer overflow in the function
    spa_base64_to_bits(), which is part of the code for SPA
    authentication. This code originated in the Samba project. The
    overflow can be exploited only if you are using SPA authentication.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2005-January/000555.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?080b4ac1"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-mon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:exim-sa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/01/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC2", reference:"exim-4.43-1.FC2.1")) flag++;
    if (rpm_check(release:"FC2", reference:"exim-debuginfo-4.43-1.FC2.1")) flag++;
    if (rpm_check(release:"FC2", reference:"exim-doc-4.43-1.FC2.1")) flag++;
    if (rpm_check(release:"FC2", reference:"exim-mon-4.43-1.FC2.1")) flag++;
    if (rpm_check(release:"FC2", reference:"exim-sa-4.43-1.FC2.1")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-debuginfo / exim-doc / exim-mon / exim-sa");
    }
    
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200501-23.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200501-23 (Exim: Two buffer overflows) Buffer overflows have been found in the host_aton() function (CAN-2005-0021) as well as in the spa_base64_to_bits() function (CAN-2005-0022), which is part of the SPA authentication code. Impact : A local attacker could trigger the buffer overflow in host_aton() by supplying an illegal IPv6 address with more than 8 components, using a command line option. The second vulnerability could be remotely exploited during SPA authentication, if it is enabled on the server. Both buffer overflows can potentially lead to the execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 16414
    published: 2005-02-14
    reporter: This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/16414
    title: GLSA-200501-23 : Exim: Two buffer overflows
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200501-23.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(16414);
      script_version("1.17");
      script_cvs_date("Date: 2019/08/02 13:32:42");
    
      script_cve_id("CVE-2005-0021", "CVE-2005-0022");
      script_xref(name:"GLSA", value:"200501-23");
    
      script_name(english:"GLSA-200501-23 : Exim: Two buffer overflows");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200501-23
    (Exim: Two buffer overflows)
    
        Buffer overflows have been found in the host_aton() function
        (CAN-2005-0021) as well as in the spa_base64_to_bits() function
        (CAN-2005-0022), which is part of the SPA authentication code.
      
    Impact :
    
        A local attacker could trigger the buffer overflow in host_aton()
        by supplying an illegal IPv6 address with more than 8 components, using
        a command line option. The second vulnerability could be remotely
        exploited during SPA authentication, if it is enabled on the server.
        Both buffer overflows can potentially lead to the execution of
        arbitrary code.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200501-23"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All Exim users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=mail-mta/exim-4.43-r2'"
      );
      script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:exim");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/01/12");
      script_set_attribute(attribute:"plugin_publication_date", value:"2005/02/14");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/01/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2005-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"mail-mta/exim", unaffected:make_list("ge 4.43-r2"), vulnerable:make_list("lt 4.43-r2"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Exim");
    }
    

Oval

accepted: 2013-04-29T04:04:52.267-04:00
class: vulnerability
contributors:
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions:
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
description: Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
family: unix
id: oval:org.mitre.oval:def:10347
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes.
version: 27

Redhat

advisories:
rhsa:
id: RHSA-2005:025
rpms:
  • exim-0:4.43-1.RHEL4.3
  • exim-debuginfo-0:4.43-1.RHEL4.3
  • exim-doc-0:4.43-1.RHEL4.3
  • exim-mon-0:4.43-1.RHEL4.3
  • exim-sa-0:4.43-1.RHEL4.3