Message-ID: <CAOni+oNB4JCe+Z=V+_bQGHBJ-HfN0AwVLC_H0qwVBsF0KKEoYQ@mail.gmail.com>
Date: Tue, 11 May 2021 13:23:43 +0200
From: null p0int3r <nullp0int3rx@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2020-28018] Use-After-Free on Exim Question

Hi,

I have a question to the Qualys researchers that discovered and
successfully achieved RCE on CVE-2020-28018 (Use-After-Free vulnerability
on tls-openssl.c).

This question is neither advisory-related nor about vulnerability discovery but about
exploitation, so I am not sure if it is in the scope of this mailing list.

I am developing a Proof-of-Concept exploit for the previously mentioned bug.

I know that once you reach tls_write() again, the UAF is lost as the pointer is
NULL'ed.

"- finally, we send a MAIL FROM command whose response overwrites Exim's
  configuration with our arbitrary "${run{...}}" (which is eventually
  executed by expand_string())."

In the advisory it says that you sent a second "MAIL FROM" command to the
server so the response in tls_write() is written to the area pointed to by
the s pointer of the UAF'ed gstring struct.

So I suppose that command is the first you send after the second "STARTTLS"
command is sent, right?

I was able to overwrite the gstring struct using a "MAIL FROM" command, but
only after the "STARTTLS", which makes it difficult to use the same response
to overwrite the target buffer, as a "NULL byte not allowed" message is
returned instead.

So my question, in summary: did you corrupt the gstring struct before the
STARTTLS and then send another MAIL FROM command after the STARTTLS? Or did
you use two "MAIL FROM" commands after the STARTTLS, or a pipelined one, both
after?

I guess pipelining cannot be used, as you would first need an EHLO response
saying the PIPELINING extension is available. Doing so requires the use of
tls_write(), which means breaking the UAF.

PS: Congrats on those nice bugs discovered.

Thanks
