CVE-2011-1764 - Use of Externally-Controlled Format String vulnerability in Exim

CVSS 7.5 - HIGH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: PARTIAL
Integrity impact: PARTIAL
Availability impact: PARTIAL
Tags: network, low complexity, exim, CWE-134, nessus

Summary

Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim before 4.76 might allow remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character.

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the formatting character %s will print the contents of a memory location, expecting this location to identify a string, and the formatting character %n writes the number of bytes output so far to a memory location. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory could result in the execution of arbitrary code if the attacker can write to the program stack.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.
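The summary and the CAPEC entry above describe the same defect: a header-derived DKIM identity handed to a printf-style logger as the format string. The C block below is an added example, not Exim's code or the page's; `log_write_demo` is a hypothetical stand-in for a printf-style logger like Exim's `log_write()`, and `SAMPLE_IDENTITY` is a constructed value. It shows the vulnerable call beside its hardened form, plus a verbatim-logging self-check a test suite can keep as a regression guard.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "d=" identity as it could appear in a DKIM-Signature
 * header. "%%" is the one conversion a C format parser collapses without
 * consuming arguments, so both renderings below stay well-defined. */
#define SAMPLE_IDENTITY "example.org%%"

/* Hypothetical stand-in for a printf-style logger such as Exim's log_write()
 * (not Exim's code): whatever arrives as fmt is parsed for conversions. */
static int log_write_demo(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* The CWE-134 pattern behind CVE-2011-1764: the header-derived identity is
 * handed to the logger AS the format string, so its '%' sequences are
 * interpreted rather than logged. Returns the rendered length. */
int dkim_log_identity_unsafe(char *out, size_t n, const char *identity)
{
    return log_write_demo(out, n, identity);
}

/* Hardened form: a fixed format string with the identity supplied as a %s
 * argument, so it is copied verbatim whatever characters it contains. */
int dkim_log_identity_safe(char *out, size_t n, const char *identity)
{
    return log_write_demo(out, n, "DKIM: d=%s", identity);
}

/* Regression check for a logger: 1 if the identity reached the log line
 * byte-for-byte, 0 if something consumed or rewrote part of it. */
int identity_logged_verbatim(const char *line, const char *identity)
{
    return strstr(line, identity) != NULL;
}

int main(void)
{
    char line[128];
    dkim_log_identity_unsafe(line, sizeof line, SAMPLE_IDENTITY);
    printf("unsafe: %-24s verbatim=%d\n", line,
           identity_logged_verbatim(line, SAMPLE_IDENTITY));
    dkim_log_identity_safe(line, sizeof line, SAMPLE_IDENTITY);
    printf("safe:   %-24s verbatim=%d\n", line,
           identity_logged_verbatim(line, SAMPLE_IDENTITY));
    return 0;
}
```

The unsafe path collapses the doubled percent sign (the identity no longer appears verbatim), while the safe path logs it unchanged; the same check distinguishes the two regardless of which conversions a hostile value carries.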

Nessus

  • NASL family: SMTP problems
    NASL id: EXIM_4_76.NASL
    description: Based on its response to a specially formatted mail message, the Exim mail server listening on this port appears to be affected by a format string vulnerability. The vulnerability is due to a failure in the dkim_exim_verify_finish() function to properly sanitize format string specifiers in the DKIM-Signature header. A remote attacker can exploit this by sending a specially crafted email, resulting in the execution of arbitrary code as the Exim run-time user.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 53856
    published: 2011-05-10
    reporter: This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/53856
    title: Exim < 4.76 dkim_exim_verify_finish() DKIM-Signature Header Format String
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(53856);
      script_version("1.15");
      script_cvs_date("Date: 2018/07/10 14:27:33");
    
      script_cve_id("CVE-2011-1407", "CVE-2011-1764");
      script_bugtraq_id(47736, 47836);
    
      script_name(english:"Exim < 4.76 dkim_exim_verify_finish() DKIM-Signature Header Format String");
      script_summary(english:"Attempts to trigger a logging error with a specially crafted message.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote mail server is potentially affected by a format string
    vulnerability.");
      script_set_attribute(attribute:"description", value:
    "Based on its response to a specially formatted mail message, the Exim
    mail server listening on this port appears to be affected by a format
    string vulnerability. The vulnerability is due to a failure in the
    dkim_exim_verify_finish() function to properly sanitize format string
    specifiers in the DKIM-Signature header. A remote attacker can exploit
    this by sending a specially crafted email, resulting in the execution
    of arbitrary code as the Exim run-time user.");
      script_set_attribute(attribute:"see_also", value:"ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.76");
      script_set_attribute(attribute:"see_also", value:"https://lists.exim.org/lurker/message/20110506.112357.e99a8db1.en.html");
      script_set_attribute(attribute:"see_also", value:"http://bugs.exim.org/show_bug.cgi?id=1106");
      script_set_attribute(attribute:"solution", value:"Upgrade to Exim 4.76 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/05/06");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/05/06");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/05/10");
    
      script_set_attribute(attribute:"cpe", value:"cpe:/a:exim:exim");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      script_category(ACT_ATTACK);
      script_family(english:"SMTP problems");
    
      script_copyright(english:"This script is Copyright (C) 2011-2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("smtpserver_detect.nasl");
      script_require_ports("Services/smtp", 25);
    
      exit(0);
    }
    
    include("global_settings.inc");
    include("misc_func.inc");
    include("smtp_func.inc");
    include("audit.inc");
    include("data_protection.inc");
    
    port = get_service(svc:"smtp", default:25, exit_on_fail:TRUE);
    
    if (report_paranoia < 2)
    {
      banner = get_smtp_banner(port:port);
      if (!banner) audit(AUDIT_NO_BANNER, port);
      if ("Exim" >!< banner) audit(AUDIT_NOT_LISTEN, "Exim SMTP server", port);
    }
    
    soc = smtp_open(port:port, helo:"nessus");
    if (isnull(soc)) audit(AUDIT_SOCK_FAIL, port);
    
    sentFrom = smtp_from_header();
    if (sentFrom !~ ' *<.*> *') sentFrom = strcat('<', sentFrom, '>');
    s = 'MAIL FROM: ' + sentFrom;
    send(socket:soc, data:s+'\r\n');
    res = smtp_recv_line(socket:soc);
    if (!ereg(pattern:"^2[0-9][0-9] ", string:res))
    {
      smtp_close(socket:soc);
      audit(AUDIT_RESP_BAD, port, s);
    }
    
    sentTo = smtp_to_header();
    if (sentTo !~ ' *<.*> *') sentTo = strcat('<', sentTo, '>');
    s = 'RCPT TO: ' + sentTo;
    send(socket:soc, data:s+'\r\n');
    res = smtp_recv_line(socket:soc);
    if (!ereg(pattern:"^2[0-9][0-9] ", string:res))
    {
      # If we don't have a valid email and are paranoid, do a banner
      # version check and report if it is vulnerable, otherwise
      # output why we can't test the server.
      smtp_close(socket:soc);
      if (report_paranoia >= 2)
      {
        banner = get_smtp_banner(port: port);
        match = eregmatch(string:banner, pattern:"Exim ([0-9.]+)");
        if (!isnull(match) && !isnull(match[1]))
        {
          version = match[1];
          if (ver_compare(ver:version, fix:"4.76", strict:FALSE) == -1)
          {
            if (report_verbosity > 0)
            {
              report = '\n  Detected version : ' + version +
                       '\n  Fixed version    : 4.76' +
                       '\n\nNote that since this is a paranoid scan, Nessus is simply checking' +
                       '\nthe version reported in the SMTP banner. The relevant security patches' +
                       '\nmay have been backported to this version of Exim.';
              security_hole(port:port, extra:report);
            }
            else security_hole(port);
            exit(0);
          }
        }
      }
      exit(0, "The SMTP server listening on port " + port + " did not accept " + sentTo + " as a recipient email address, so Nessus cannot test if the server is vulnerable.");
    }
    
    s = 'DATA';
    send(socket:soc, data:s+'\r\n');
    res = smtp_recv_line(socket:soc);
    if (!ereg(pattern:"^3[0-9][0-9] ", string:res))
    {
      smtp_close(socket:soc);
      audit(AUDIT_RESP_BAD, port, s);
    }
    
    s = 'Received: by yie12 with SMTP id 12so190696yie.13
            for ' + sentTo + '; Wed, 11 May 2011 06:18:46 -0700 (PDT)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
            d=%500\x41\x41\x41\x41\x90\xcc; s=gamma;
            h=domainkey-signature:mime-version:date:message-id:subject:from:to
             :content-type;
            bh=4+g71bvahrOIdgAhK4QD/CMmWBPBAvCruof/ZhV//9w=;
            b=TnH5TyLdO0YfhL8AikMmTDd8+sy5alXPU0aUOeSssCDrVQlGixnxAMLjPrcuSUj2PU
             9zJKX0XbKk1od1xJiD9dQlpfWWe9l8WVODU/hmIIpy3fpDkuYDNAd0XUipEYfFbUI4Qu
             jx+ZWRaFXf1dEdoLqoPKo+1H5AbSxSGXMK12o=
    DomainKey-Signature: a=rsa-sha1; c=nofws;
            d=%500\x41\x41\x41\x41\x90\xcc; s=gamma;
            h=mime-version:date:message-id:subject:from:to:content-type;
            b=M7SLRBsvj5q14K6eA5D0eehxMpL2YjdAb8ggBaRy97WwomH/4BMAGtu02CTazxZGFA
             DBsIi6F6f9F0pzTYaqT+1jAzMSvYbGGQyNGuLVPRvs5MilzlriQNlQMz0YtoZLyv8uDJ
             G5DD2PcBiB4CrrIJSnaxNwfH0/PkFJaQX5Clk=
    MIME-Version: 1.0
    Received: by 10.20.30.40 with SMTP id t8mr3592672ybm.249.1305119926536; Wed, 11 May 2011 06:00:00 -0500 (EST)
    Received: by 10.20.30.50 with HTTP; Wed, 11 May 2011 06:00:00 -0500 (EST)
    Date: Wed, 11 May 2011 08:18:46 -0500
    Message-ID: <[email protected]>
    Subject: nessus exim_4_76.nasl
    From: ' + sentFrom + '
    To: ' + sentTo + '
    Content-Type: multipart/alternative; boundary=001b24be1bac9c498e04a2ffe9de
    
    --001b24be1bac9c498e04a2ffe9de
    Content-Type: text/plain; charset=ISO-8859-1
    
    ' + rand_str(length:18) + '
    
    --001b24be1bac9c498e04a2ffe9de
    Content-Type: text/html; charset=ISO-8859-1
    
    ' + rand_str(length:18) + '
    
    
    --001b24be1bac9c498e04a2ffe9de--
    .\r\n
    ';
    send(socket:soc, data:s);
    res = smtp_recv_line(socket:soc);
    
    smtp_close(socket:soc);
    
    if ("421 Unexpected" >< res)
    {
      security_hole(port);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, "Exim SMTP Server", port);
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-7047.NASL
    description: This update fixes two remote execution exploits in DKIM processing code (CVE-2011-1407, CVE-2011-1764). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54296
    published: 2011-05-18
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54296
    title: Fedora 14 : exim-4.76-1.fc14 (2011-7047)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2232.NASL
    description: It was discovered that Exim, the default mail transport agent in Debian, uses DKIM data obtained from DNS directly in a format string, potentially allowing malicious mail senders to execute arbitrary code. (CVE-2011-1764) The oldstable distribution (lenny) is not affected by this problem because it does not contain DKIM support.
    last seen: 2020-03-17
    modified: 2011-05-09
    plugin id: 53833
    published: 2011-05-09
    reporter: This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/53833
    title: Debian DSA-2232-1 : exim4 - format string vulnerability
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2012-738.NASL
    description: This update fixes a remotely exploitable overflow in DKIM handling.
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74790
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74790
    title: openSUSE Security Update : exim (openSUSE-SU-2012:1404-1)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-1130-1.NASL
    description: It was discovered that the Exim daemon did not correctly handle format strings in DKIM headers. An unauthenticated remote attacker could send specially crafted email to run arbitrary code as the Exim user. The default compiler options for affected releases reduce the vulnerability to a denial of service under most conditions. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 55091
    published: 2011-06-13
    reporter: Ubuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/55091
    title: Ubuntu 10.04 LTS / 10.10 / 11.04 : exim4 vulnerability (USN-1130-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_3_EXIM-110506.NASL
    description: This exim security update fixes improper string handling in DKIM signatures. (CVE-2011-1764)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75483
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75483
    title: openSUSE Security Update : exim (openSUSE-SU-2011:0456-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_4_EXIM-110506.NASL
    description: This exim security update fixes improper string handling in DKIM signatures. (CVE-2011-1764)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 75825
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/75825
    title: openSUSE Security Update : exim (openSUSE-SU-2011:0456-1)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_36594C547BE711E098380022156E8794.NASL
    description: Release notes for Exim 4.76 say: Bugzilla 1106: CVE-2011-1764 - DKIM log line was subject to a format-string attack -- SECURITY: remote arbitrary code execution. DKIM signature header parsing was double-expanded, second time unintentionally subject to list matching rules, letting the header cause arbitrary Exim lookups (of items which can occur in lists, *not* arbitrary string expansion). This allowed for information disclosure. Also, impact assessment was redone shortly after the original announcement: Further analysis revealed that the second security issue was more severe than I realised at the time that I wrote the announcement. The second security issue has been assigned CVE-2011-1407 and is also a remote code execution flaw. For clarity: both issues were introduced with 4.70.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 53907
    published: 2011-05-16
    reporter: This script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/53907
    title: FreeBSD : Exim -- remote code execution and information disclosure (36594c54-7be7-11e0-9838-0022156e8794)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-7059.NASL
    description: This update fixes two remote execution exploits in DKIM processing code (CVE-2011-1407, CVE-2011-1764). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54297
    published: 2011-05-18
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54297
    title: Fedora 13 : exim-4.76-1.fc13 (2011-7059)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201401-32.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201401-32 (Exim: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Exim. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could possibly execute arbitrary code with root privileges, or cause a Denial of Service condition. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 72159
    published: 2014-01-28
    reporter: This script is Copyright (C) 2014-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/72159
    title: GLSA-201401-32 : Exim: Multiple vulnerabilities
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2011-7111.NASL
    description: This update fixes two remote execution exploits in DKIM processing code (CVE-2011-1407, CVE-2011-1764). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 54576
    published: 2011-05-19
    reporter: This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/54576
    title: Fedora 15 : exim-4.76-2.fc15 (2011-7111)