Message-ID: <CAOni+oNB4JCe+Z=V+_bQGHBJ-HfN0AwVLC_H0qwVBsF0KKEoYQ@mail.gmail.com>
Date: Tue, 11 May 2021 13:23:43 +0200
From: null p0int3r <nullp0int3rx@...il.com>
To: oss-security@...ts.openwall.com
Subject: [CVE-2020-28018] Use-After-Free on Exim Question

Hi,

I have a question for the Qualys researchers who discovered and successfully achieved RCE on CVE-2020-28018 (use-after-free vulnerability in tls-openssl.c). This question is neither advisory-related nor about vulnerability discovery but about exploitation, so I am not sure whether it is in the scope of this mailing list.

I am developing a proof-of-concept exploit for the previously mentioned bug. I know that once you reach tls_write() again, the UAF is lost, as the pointer is NULL'ed:

"- finally, we send a MAIL FROM command whose response overwrites Exim's configuration with our arbitrary "${run{...}}" (which is eventually executed by expand_string())."

In the advisory it says that you sent a second "MAIL FROM" command to the server so that the response in tls_write() is written to the area pointed to by the s pointer of the UAF'ed gstring struct. So I suppose that command is the first one you send after the second "STARTTLS" command, right?

I was able to overwrite the gstring struct using a "MAIL FROM" command, but after the "STARTTLS", which makes it difficult to use the same response to overwrite the target buffer, as a "NULL byte not allowed" message is returned instead.

So my question, in summary: did you corrupt the gstring struct before the STARTTLS and then send another MAIL FROM command after the STARTTLS? Or did you use two "MAIL FROM" commands after the STARTTLS, or a pipelined one, both after? I guess pipelining cannot be used, as you would first need an EHLO response saying the PIPELINING module is available. Doing so requires the use of tls_write(), which means breaking the UAF.

P.S.: Congrats on those nice bugs discovered.

Thanks