Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <CAOni+oNB4JCe+Z=V+_bQGHBJ-HfN0AwVLC_H0qwVBsF0KKEoYQ@mail.gmail.com>
Date: Tue, 11 May 2021 13:23:43 +0200
From: null p0int3r <nullp0int3rx@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2020-28018] Use-After-Free on Exim Question

Hi,

I have a question to the Qualys researchers that discovered and
successfully achieved RCE on CVE-2020-28018 (Use-After-Free vulnerability
on tls-openssl.c).

This question is nor avisory related nor vulnerability discovery but about
exploitation, so I am not sure if it is on the scope of this mailing list.

I am developing a Proof-of-Concept exploit for the previously mentioned bug.

I know once you reach tls_write() again, the UAF is lost as the pointer is
NULL'ed

"- finally, we send a MAIL FROM command whose response overwrites Exim's

  configuration with our arbitrary "${run{...}}" (which is eventually
  executed by expand_string())."

In the advisory it says that you sent a second "MAIL FROM"  command to the
server so the response on tls_write() is written to the area pointed to by
the s pointer on the UAF'ed gstring struct.

So I suppose that command is the first you send after the second "STARTTLS"
command being sent right?

I was able to overwrite gstring struct using a "MAIL FROM" command but
after the "STARTTLS", which makes it difficult to use the same response for
it to overwrite the target buffer as a NULL byte not allowed message is
returned instead.

So my question in summary, you corrupted the gstring struct before the
STARTTLS and then sent another MAIL FROM command after the STARTTLS? Or you
used two "MAIL FROM" commands after the STARTTLS or a pipelined one both
after?

I guess pipelining cannot be used as you would first need a EHLO response
saying the PIPELINING module is available. Doing so requires the use of
tls_write() which means breaking the UAF.

PD: Congrats for those nice bugs discovered.

Thanks

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.