Exim vulnerability

Updated 12/26/01
CVE-2001-0690 (format string vulnerability)

Impact

If either vulnerability is present, a remote attacker could execute arbitrary commands on the mail server.

Background

Exim is a mail transfer agent (MTA) for Unix systems. Like other MTAs such as Sendmail, it processes incoming and outgoing e-mail messages in accordance with the Simple Mail Transfer Protocol (SMTP).

The Problem

Two vulnerabilities have been reported in Exim. Both depend on the run-time configuration, so not every installation is exposed.

12/26/01
The first vulnerability is in the processing of incoming e-mail whose recipient address has a local part beginning with a pipe (|) character. A remote attacker could execute arbitrary commands by embedding them in the destination e-mail address. This vulnerability is only exploitable with a run-time configuration that routes mail directly to a pipe before performing any checking of the local part of the address. It is not exploitable through alias or .forward files, and it is unlikely to be exploitable if receiver_verify is enabled and the director for the pipe has no_verify set, since the address then fails recipient verification and is rejected at SMTP time.

Exim versions prior to 3.34 are affected by this vulnerability.

6/18/01
CVE-2001-0690
The second vulnerability is in the code that checks the syntax of e-mail message headers. When this check rejects a header, the error is logged in a way that allows attacker-supplied header text to be interpreted as a format string. A remote attacker who sends a crafted header could therefore execute arbitrary commands.

This vulnerability is present in Exim versions prior to 3.12-10.1 (the Debian package version carrying the fix). It is only exploitable if the header syntax check (the headers_check_syntax option) is turned on; the check is off by default, so a default installation is not exploitable.
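The following is an added illustration of the bug class described above, not Exim's own code: a header syntax check whose rejection message is built with the attacker's header and then handed to the logger as the format string, beside the fixed form that passes the header as a %s argument. log_write() is a hypothetical stand-in for an MTA's log routine, and the sample headers are constructed. The vulnerable path is exercised only with "%%", which the format parser collapses deterministically; the same parsing is what lets %x and %n read and write memory in a real attack.

```c
/* Added example of a format string bug in header-syntax error logging.
 * Not Exim code; log_write() is a hypothetical stand-in for an MTA's logger. */
#include <ctype.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

static char log_line[256];   /* last line "written" to the log */

/* Stand-in for the MTA's log writer: takes a printf-style format. */
static void log_write(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(log_line, sizeof log_line, fmt, ap);
    va_end(ap);
}

/* Simplified header syntax check: a field name of printable, non-space
 * characters followed by a colon. Returns 1 if the header looks valid. */
int header_syntax_ok(const char *h) {
    const char *colon = strchr(h, ':');
    if (colon == NULL || colon == h) return 0;
    for (const char *p = h; p < colon; p++)
        if (!isgraph((unsigned char)*p)) return 0;
    return 1;
}

/* Vulnerable: the rejection message, which embeds the attacker's header,
 * is built first and then handed to log_write() as the format string. */
const char *check_header_vulnerable(const char *h) {
    char msg[256];
    log_line[0] = '\0';
    if (!header_syntax_ok(h)) {
        snprintf(msg, sizeof msg, "invalid header: %s", h);
        log_write(msg);               /* BUG: any '%' in h is interpreted */
    }
    return log_line;
}

/* Fixed: the format is a constant; the header travels as a %s argument. */
const char *check_header_fixed(const char *h) {
    log_line[0] = '\0';
    if (!header_syntax_ok(h))
        log_write("invalid header: %s", h);
    return log_line;
}

int main(void) {
    /* Constructed sample header: no colon, so it is rejected and logged.
     * "%%" collapses to "%" in the vulnerable path and survives in the fixed one. */
    const char *bad = "Subject 100%% certain";
    printf("vulnerable: %s\n", check_header_vulnerable(bad));
    printf("fixed:      %s\n", check_header_fixed(bad));
    printf("valid header logs nothing: [%s]\n", check_header_fixed("Subject: ok"));
    return 0;
}
```

Note that a compiler's -Wformat-security only flags log_write(msg) when log_write carries the printf format attribute; a plain logging wrapper like the one above produces no warning at all, which is one reason this class of bug survives code review. Grepping the log path for any '%' that can come from network data is the practical check.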

Resolution

Upgrade to Exim 3.34 or later, which fixes the pipe vulnerability; Debian users should install package version 3.12-10.1 or later for the format string fix. Until the upgrade is done, do not use a run-time configuration that routes unchecked local parts directly to a pipe, and leave the header syntax check turned off.

Where can I read more about this?

More information about the pipe command execution vulnerability is available from Bugtraq. More information about the format string vulnerability (CVE-2001-0690) is available from Debian Security Advisory DSA-058-1.