Vulnerabilities > CVE-2011-1407 - Improper Input Validation vulnerability in Exim
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
The DKIM implementation in Exim 4.7x before 4.76 permits matching for DKIM identities to apply to lookup items, instead of only strings, which allows remote attackers to execute arbitrary code or access a filesystem via a crafted identity.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 6 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Buffer Overflow via Environment Variables This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
- Server Side Include (SSI) Injection An attacker can use Server Side Include (SSI) Injection to send code to a web application that then gets executed by the web server. Doing so enables the attacker to achieve similar results to Cross Site Scripting, viz., arbitrary code execution and information disclosure, albeit on a more limited scale, since the SSI directives are nowhere near as powerful as a full-fledged scripting language. Nonetheless, the attacker can conveniently gain access to sensitive files, such as password files, and execute shell commands.
- Cross Zone Scripting An attacker is able to cause a victim to load content into their web-browser that bypasses security zone controls and gain access to increased privileges to execute scripting code or other web objects such as unsigned ActiveX controls or applets. This is a privilege elevation attack targeted at zone-based web-browser security. In a zone-based model, pages belong to one of a set of zones corresponding to the level of privilege assigned to that page. Pages in an untrusted zone would have a lesser level of access to the system and/or be restricted in the types of executable content it was allowed to invoke. In a cross-zone scripting attack, a page that should be assigned to a less privileged zone is granted the privileges of a more trusted zone. This can be accomplished by exploiting bugs in the browser, exploiting incorrect configuration in the zone controls, through a cross-site scripting attack that causes the attackers' content to be treated as coming from a more trusted page, or by leveraging some piece of system functionality that is accessible from both the trusted and less trusted zone. This attack differs from "Restful Privilege Escalation" in that the latter correlates to the inadequate securing of RESTful access methods (such as HTTP DELETE) on the server, while cross-zone scripting attacks the concept of security zones as implemented by a browser.
- Cross Site Scripting through Log Files An attacker may leverage a system weakness where logs are susceptible to log injection to insert scripts into the system's logs. If these logs are later viewed by an administrator through a thin administrative interface and the log data is not properly HTML encoded before being written to the page, the attackers' scripts stored in the log will be executed in the administrative interface with potentially serious consequences. This attack pattern is really a combination of two other attack patterns: log injection and stored cross site scripting.
- Command Line Execution through SQL Injection An attacker uses standard SQL injection methods to inject data into the command line for execution. This could be done directly through misuse of directives such as MSSQL_xp_cmdshell or indirectly through injection of data into the database that would be interpreted as shell commands. Sometime later, an unscrupulous backend application (or could be part of the functionality of the same application) fetches the injected data stored in the database and uses this data as command line arguments without performing proper validation. The malicious data escapes that data plane by spawning new commands to be executed on the host.
Nessus
NASL family SMTP problems NASL id EXIM_4_76.NASL description Based on its response to a specially formatted mail message, the Exim mail server listening on this port appears to be affected by a format string vulnerability. The vulnerability is due to a failure in the dkim_exim_verify_finish() function to properly sanitize format string specifiers in the DKIM-Signature header. A remote attacker can exploit this by sending a specially crafted email, resulting in the execution of arbitrary code as the Exim run-time user. last seen 2020-06-01 modified 2020-06-02 plugin id 53856 published 2011-05-10 reporter This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53856 title Exim < 4.76 dkim_exim_verify_finish() DKIM-Signature Header Format String code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(53856); script_version("1.15"); script_cvs_date("Date: 2018/07/10 14:27:33"); script_cve_id("CVE-2011-1407", "CVE-2011-1764"); script_bugtraq_id(47736, 47836); script_name(english:"Exim < 4.76 dkim_exim_verify_finish() DKIM-Signature Header Format String"); script_summary(english:"Attempts to trigger a logging error with a specially crafted message."); script_set_attribute(attribute:"synopsis", value: "The remote mail server is potentially affected by a format string vulnerability."); script_set_attribute(attribute:"description", value: "Based on its response to a specially formatted mail message, the Exim mail server listening on this port appears to be affected by a format string vulnerability. The vulnerability is due to a failure in the dkim_exim_verify_finish() function to properly sanitize format string specifiers in the DKIM-Signature header. A remote attacker can exploit this by sending a specially crafted email, resulting in the execution of arbitrary code as the Exim run-time user."); script_set_attribute(attribute:"see_also", value:"ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76"); script_set_attribute(attribute:"see_also", value:"https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html"); script_set_attribute(attribute:"see_also", value:"http://bugs.exim.org/show_bug.cgi?id=1106"); script_set_attribute(attribute:"solution", value:"Upgrade to Exim 4.76 or later."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/06"); script_set_attribute(attribute:"patch_publication_date", value:"2011/05/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/10"); script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_end_attributes(); script_category(ACT_ATTACK); script_family(english:"SMTP problems"); script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("smtpserver_detect.nasl"); script_require_ports("Services/smtp", 25); exit(0); } include("global_settings.inc"); include("misc_func.inc"); include("smtp_func.inc"); include("audit.inc"); include("data_protection.inc"); port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE); if (report_paranoia < 2) { banner = get_smtp_banner(port:port); if (!banner) audit(AUDIT_NO_BANNER, port); if ("Exim" >!< banner) audit(AUDIT_NOT_LISTEN, "Exim SMTP server", port); } soc = smtp_open(port:port, helo:"nessus"); if (isnull(soc)) audit(AUDIT_SOCK_FAIL, port); sentFrom = smtp_from_header(); if (sentFrom !~ ' *<.*> *') sentFrom = strcat('<', sentFrom, '>'); s = 'MAIL FROM: ' + sentFrom; send(socket:soc, data:s+'\r\n'); res = smtp_recv_line(socket:soc); if (!ereg(pattern:"^2[0-9][0-9] ", string:res)) { smtp_close(socket:soc); audit(AUDIT_RESP_BAD, port, s); } sentTo = smtp_to_header(); if (sentTo !~ ' *<.*> *') sentTo = strcat('<', sentTo, '>'); s = 'RCPT TO: ' + sentTo; send(socket:soc, data:s+'\r\n'); res = smtp_recv_line(socket:soc); if (!ereg(pattern:"^2[0-9][0-9] ", string:res)) { # If we don't have a valid email and are paranoid, do a banner # version check and report if it is vulnerable, otherwise # output why we can't test the server. smtp_close(socket:soc); if (report_paranoia >= 2) { banner = get_smtp_banner(port: port); match = eregmatch(string:banner, pattern:"Exim ([0-9.]+)"); if (!isnull(match) && !isnull(match[1])) { version = match[1]; if (ver_compare(ver:version, fix:"4.76", strict:FALSE) == -1) { if (report_verbosity > 0) { report = '\n Detected version : ' + version + '\n Fixed version : 4.76' + '\n\nNote that since this is a paranoid scan, Nessus is simply checking' + '\nthe version reported in the SMTP banner. The relevant security patches' + '\nmay have been backported to this version of Exim.'; security_hole(port:port, extra:report); } else security_hole(port); exit(0); } } } exit(0, "The SMTP server listening on port " + port + " did not accept " + sentTo + " as a recipient email address, so Nessus cannot test if the server is vulnerable."); } s = 'DATA'; send(socket:soc, data:s+'\r\n'); res = smtp_recv_line(socket:soc); if (!ereg(pattern:"^3[0-9][0-9] ", string:res)) { smtp_close(socket:soc); audit(AUDIT_RESP_BAD, port, s); } s = 'Received: by yie12 with SMTP id 12so190696yie.13 for ' + sentTo + '; Wed, 11 May 2011 06:18:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=%500\x41\x41\x41\x41\x90\xcc; s=gamma; h=domainkey-signature:mime-version:date:message-id:subject:from:to :content-type; bh=4+g71bvahrOIdgAhK4QD/CMmWBPBAvCruof/ZhV//9w=; b=TnH5TyLdO0YfhL8AikMmTDd8+sy5alXPU0aUOeSssCDrVQlGixnxAMLjPrcuSUj2PU 9zJKX0XbKk1od1xJiD9dQlpfWWe9l8WVODU/hmIIpy3fpDkuYDNAd0XUipEYfFbUI4Qu jx+ZWRaFXf1dEdoLqoPKo+1H5AbSxSGXMK12o= DomainKey-Signature: a=rsa-sha1; c=nofws; d=%500\x41\x41\x41\x41\x90\xcc; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=M7SLRBsvj5q14K6eA5D0eehxMpL2YjdAb8ggBaRy97WwomH/4BMAGtu02CTazxZGFA DBsIi6F6f9F0pzTYaqT+1jAzMSvYbGGQyNGuLVPRvs5MilzlriQNlQMz0YtoZLyv8uDJ G5DD2PcBiB4CrrIJSnaxNwfH0/PkFJaQX5Clk= MIME-Version: 1.0 Received: by 10.20.30.40 with SMTP id t8mr3592672ybm.249.1305119926536; Wed, 11 May 2011 06:00:00 -0500 (EST) Received: by 10.20.30.50 with HTTP; Wed, 11 May 2011 06:00:00 -0500 (EST) Date: Wed, 11 May 2011 08:18:46 -0500 Message-ID: <[email protected]> Subject: nessus exim_4_76.nasl From: ' + sentFrom + ' To: ' + sentTo + ' Content-Type: multipart/alternative; boundary=001b24be1bac9c498e04a2ffe9de --001b24be1bac9c498e04a2ffe9de Content-Type: text/plain; charset=ISO-8859-1 ' + rand_str(length:18) + ' --001b24be1bac9c498e04a2ffe9de Content-Type: text/html; charset=ISO-8859-1 ' + rand_str(length:18) + ' --001b24be1bac9c498e04a2ffe9de-- .\r\n '; send(socket:soc, data:s); res = smtp_recv_line(socket:soc); smtp_close(socket:soc); if ("421 Unexpected" >< res) { security_hole(port); exit(0); } else audit(AUDIT_LISTEN_NOT_VULN, "Exim SMTP Server", port);NASL family Fedora Local Security Checks NASL id FEDORA_2011-7047.NASL description This update fixes two remote execution exploits in DKIM processing code (CVE-2011-1407, CVE-2011-1764). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 54296 published 2011-05-18 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54296 title Fedora 14 : exim-4.76-1.fc14 (2011-7047) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-1135-1.NASL description It was discovered that the Exim daemon did not correctly handle certain DKIM identities. A remote attacker could send specially crafted email to run arbitrary code as the Exim user. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 55096 published 2011-06-13 reporter Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/55096 title Ubuntu 10.04 LTS / 10.10 / 11.04 : exim4 vulnerability (USN-1135-1) NASL family SuSE Local Security Checks NASL id OPENSUSE-2014-482.NASL description Changes in exim : - Silence static checkers; (beo#1506). - update to 4.83 This release of Exim includes one incompatible fix : + the behavior of expansion of arguments to math comparison functions (<, <=, =, =>, >) was unexpected, expanding the values twice; CVE-2014-2972; (bnc#888520) This release contains the following enhancements and bugfixes : + PRDR was promoted from Experimental to mainline + OCSP Stapling was promoted from Experimental to mainline + new Experimental feature Proxy Protocol + new Experimental feature DSN (Delivery Status Notifications) + TLS session improvements + TLS SNI fixes + LDAP enhancements + DMARC fixes (previous CVE-2014-2957) and new $dmarc_domain_policy + several new operations (listextract, utf8clean, md5, sha1) + enforce header formatting with verify=header_names_ascii + new commandline option -oMm + new TLSA dns lookup + new malware last seen 2020-06-05 modified 2014-08-12 plugin id 77126 published 2014-08-12 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77126 title openSUSE Security Update : exim (openSUSE-SU-2014:0983-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2236.NASL description It was discovered that Exim, Debian last seen 2020-03-17 modified 2011-05-13 plugin id 53880 published 2011-05-13 reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53880 title Debian DSA-2236-1 : exim4 - command injection NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_36594C547BE711E098380022156E8794.NASL description Release notes for Exim 4.76 says : Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a format-string attack -- SECURITY: remote arbitrary code execution. DKIM signature header parsing was double-expanded, second time unintentionally subject to list matching rules, letting the header cause arbitrary Exim lookups (of items which can occur in lists, *not* arbitrary string expansion). This allowed for information disclosure. Also, impact assessment was redone shortly after the original announcement : Further analysis revealed that the second security was more severe than I realised at the time that I wrote the announcement. The second security issue has been assigned CVE-2011-1407 and is also a remote code execution flaw. For clarity: both issues were introduced with 4.70. last seen 2020-06-01 modified 2020-06-02 plugin id 53907 published 2011-05-16 reporter This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/53907 title FreeBSD : Exim -- remote code execution and information disclosure (36594c54-7be7-11e0-9838-0022156e8794) NASL family Fedora Local Security Checks NASL id FEDORA_2011-7059.NASL description This update fixes two remote execution exploits in DKIM processing code (CVE-2011-1407, CVE-2011-1764). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 54297 published 2011-05-18 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54297 title Fedora 13 : exim-4.76-1.fc13 (2011-7059) NASL family SuSE Local Security Checks NASL id SUSE_11_3_EXIM-110524.NASL description This update fixes a security issues : - exim remote code exection (CVE-2011-1407) also some safety improvements regarding STARTTLS. last seen 2020-06-01 modified 2020-06-02 plugin id 75484 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75484 title openSUSE Security Update : exim (openSUSE-SU-2011:0535-1) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201401-32.NASL description The remote host is affected by the vulnerability described in GLSA-201401-32 (Exim: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 72159 published 2014-01-28 reporter This script is Copyright (C) 2014-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/72159 title GLSA-201401-32 : Exim: Multiple vulnerabilities NASL family Fedora Local Security Checks NASL id FEDORA_2011-7111.NASL description This update fixes two remote execution exploits in DKIM processing code (CVE-2011-1407, CVE-2011-1764). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 54576 published 2011-05-19 reporter This script is Copyright (C) 2011-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/54576 title Fedora 15 : exim-4.76-2.fc15 (2011-7111) NASL family SuSE Local Security Checks NASL id SUSE_11_4_EXIM-110524.NASL description This update fixes a security issues : - exim remote code exection (CVE-2011-1407) also some safety improvements regarding STARTTLS. last seen 2020-06-01 modified 2020-06-02 plugin id 75826 published 2014-06-13 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/75826 title openSUSE Security Update : exim (openSUSE-SU-2011:0535-1)