Message-ID: <1012100939540.799@mjc.redhat.com>
Date: Fri, 10 Dec 2010 09:48:20 +0000 (GMT)
From: Mark J Cox <mjc@...hat.com>
To: oss-security@...ts.openwall.com
cc: "Steven M. Christey" <coley@...us.mitre.org>
Subject: Exim remote root

A number of sites are reporting an exim remote root based on this
report:
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html

Quoting David Woodhouse: "There are two bugs here. First a remote exploit 
where the attacker somehow tricks Exim into evaluating data it shouldn't, 
and honouring a ${run {/bin/sh...}} directive which ends up giving the 
attacker a shell (as user 'exim').

Secondly a privilege escalation where the trusted 'exim' user is able to 
tell Exim to use arbitrary config files, in which further ${run ...} 
commands will be invoked as root."
https://bugzilla.redhat.com/show_bug.cgi?id=661756#c3

The remote vulnerability is still being investigated.  However it is worth 
allocating the CVE names now to help with co-ordination.

CVE-2010-4344 exim vuln that allows remote code execution as 'exim'
CVE-2010-4345 exim vuln that allows privilege escalation 'exim' to root

A patch for CVE-2010-4345:
http://lists.exim.org/lurker/message/20101209.172233.abcba158.en.html

Thanks, Mark
--
Mark J Cox / Red Hat Security Response
