Hi folks,
several bugs in Exim make the administrators busy and it seems the
vulnerabilities are already exploited in the real world.
The hacks are employing vulnerabilities of Exim's AUTH NTLM
authentication, and MTAs are being tried unsolicited to trigger the bug.
While qmail's and s/qmail's authentication is in principle not affected
by the bug, I found a misbehaviour which may trigger a segfault of
qmail-smtpd in case 'AUTH NTLM' is tried (which is never offered, of
course):
The usual code in qmail-smtpd.c for authentication looks like this:
------
~ line 1500:
i = str_chr(cmd,' '); /* get AUTH type */
arg = cmd + i;
while (*arg == ' ') ++arg;
cmd[i] = 0;
for (i = 0; authcmds[i].text; ++i)
  if (case_equals(authcmds[i].text,cmd)) break;
if (!stralloc_copys(&authmethod,authcmds[i].text)) die_nomem();
if (!stralloc_0(&authmethod)) die_nomem();
------
You need to test additionally for 'authcmds[i].text'. Thus:
------
~ line 1500:
i = str_chr(cmd,' '); /* get AUTH type */
arg = cmd + i;
while (*arg == ' ') ++arg;
cmd[i] = 0;
for (i = 0; authcmds[i].text; ++i)
  if (case_equals(authcmds[i].text,cmd)) break;
if (authcmds[i].text) { /* Minimal patch: the end-of-table entry has text == 0, copying it segfaults */
  if (!stralloc_copys(&authmethod,authcmds[i].text)) die_nomem();
  if (!stralloc_0(&authmethod)) die_nomem();
}
------
Please take care!
Regards.
--eh.
--
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 20FD6E671A94DC1E
PGP key-fingerprint: 8C6B 155B 0FDA 64F1 BCCE A6B9 20FD 6E67 1A94 DC1E
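As an added example (not the author's patch and not the qmail-smtpd source), here is a stand-alone C model of the lookup discussed above: the NULL-terminated authcmds table, the case-insensitive scan, and a lookup that reports an unknown type instead of handing the sentinel's NULL text to stralloc_copys(). The table contents, the `code` field, and the names `lookup_auth_type`, `dispatch_auth` and `AUTH_UNAVAILABLE` are constructed for the example.

```c
/* Added example, not the author's patch or the qmail-smtpd source: a
 * stand-alone model of the AUTH-type lookup.  Table contents and the
 * "code" field are constructed; the real authcmds[] holds handler pointers. */
#include <stddef.h>
#include <ctype.h>

struct authcmd {
    const char *text;   /* method keyword; a NULL text ends the table */
    int code;           /* constructed stand-in for the real handler */
};

static const struct authcmd authcmds[] = {
    { "login",    1 },
    { "plain",    2 },
    { "cram-md5", 3 },
    { NULL,       0 }   /* sentinel the for-loop in qmail-smtpd stops on */
};

/* case-insensitive equality, as qmail's case_equals() provides */
static int case_equals(const char *a, const char *b)
{
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Index of the AUTH type named at the start of `line` (the text after
 * "AUTH "), or -1 when unknown.  Indexing the sentinel and handing its
 * NULL text to stralloc_copys() is the crash on "AUTH NTLM"; the caller
 * must therefore branch on the sign of the result, never on the text. */
int lookup_auth_type(const char *line)
{
    char cmd[64];
    size_t i = 0;
    while (line[i] && line[i] != ' ' && i < sizeof cmd - 1) { cmd[i] = line[i]; ++i; }
    cmd[i] = 0;                                   /* cmd[i] = 0 as in qmail-smtpd */
    for (i = 0; authcmds[i].text; ++i)
        if (case_equals(authcmds[i].text, cmd)) return (int)i;
    return -1;
}

/* Safe dispatch: unknown types get AUTH_UNAVAILABLE (a constructed code;
 * the real daemon would send an SMTP error reply) instead of a NULL deref. */
enum { AUTH_UNAVAILABLE = -1 };
int dispatch_auth(const char *line)
{
    int i = lookup_auth_type(line);
    return i < 0 ? AUTH_UNAVAILABLE : authcmds[i].code;
}
```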