CVE-2023-42116 is a significant security flaw identified in the widely used Exim mail transport agent. It opens the door to remote code execution through a stack-based buffer overflow in the handling of NTLM (NT LAN Manager) challenge requests, and the alarming aspect is that exploitation requires no authentication. This post provides an in-depth look at the vulnerability, including details on the exploit, code snippets, and links to the original sources. Understanding it is essential for system administrators and security researchers who need to address the issue and protect their systems effectively.

Original References

- ZDI-CAN-17515 Advisory
- Exim Official Security Advisory

Vulnerability Details

The root cause of this vulnerability lies in the way Exim processes incoming NTLM challenge requests. A vulnerable Exim mail server, when presented with an NTLM challenge response containing specially crafted data, can overflow a stack-based buffer. It does so because it fails to validate the length of the user-supplied data before copying it to a fixed-length buffer. This overflow paves the way for remote attackers to execute arbitrary code in the context of the service account.

Here's a simplified example of the vulnerable function in Exim's source code:

#include <string.h>

void process_ntlm_challenge(char *data, int length) {
    // Fixed-size stack buffer that receives the NTLM challenge response
    char challenge_response[1024];

    // ... (other code)

    // This line causes the vulnerability - buffer overflow:
    // `length` comes from the remote peer and is never checked against
    // sizeof(challenge_response) before the copy
    memcpy(challenge_response, data, length);
}
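The following added example (written for this post, not Exim's own code or its patch) shows the hardened form of the same pattern: the attacker-controlled length is validated against the fixed buffer before any copy takes place. The function and result names are assumed, and check_length_handling builds constructed filler input to exercise the accept and reject paths.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CHALLENGE_RESPONSE_MAX 1024  /* same fixed buffer size as the snippet above */

/* Result codes for the hardened handler (assumed names, not Exim's). */
enum ntlm_result { NTLM_OK = 0, NTLM_ERR_NULL = -1, NTLM_ERR_TOO_LONG = -2 };

/* Hardened form: validate the peer-supplied length before the copy.
 * A NULL pointer, a negative length or an oversized length is rejected
 * instead of ever reaching memcpy. */
int process_ntlm_challenge_safe(const char *data, int length) {
    char challenge_response[CHALLENGE_RESPONSE_MAX];

    if (data == NULL || length < 0)
        return NTLM_ERR_NULL;
    if ((size_t)length > sizeof(challenge_response))
        return NTLM_ERR_TOO_LONG;   /* this input would have overflowed the stack buffer */

    memcpy(challenge_response, data, (size_t)length);
    /* ... parse the NTLM message from challenge_response ... */
    return NTLM_OK;
}

/* Constructed input: a response of `len` filler bytes, used to exercise the check.
 * Negative lengths are passed straight through to show they are rejected. */
int check_length_handling(int len) {
    static char buf[4096];
    if (len < 0)
        return process_ntlm_challenge_safe(buf, len);
    if ((size_t)len > sizeof(buf))
        return NTLM_ERR_TOO_LONG;
    memset(buf, 'A', (size_t)len);
    return process_ntlm_challenge_safe(buf, len);
}

int main(void) {
    printf("1024 bytes -> %d (expect %d)\n", check_length_handling(1024), NTLM_OK);
    printf("1025 bytes -> %d (expect %d)\n", check_length_handling(1025), NTLM_ERR_TOO_LONG);
    printf("negative   -> %d (expect %d)\n", check_length_handling(-1), NTLM_ERR_NULL);
    return 0;
}
```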

Craft an NTLM challenge response containing a long string that overflows the stack buffer.

5. Include malicious code in the overflowed buffer so that it ultimately will be executed by the server.

This attack, if performed successfully, allows an attacker to gain control over the targeted system by executing arbitrary code.

Mitigation

To mitigate this vulnerability, users are urged to upgrade their Exim installations to the latest secure version as soon as possible. The Exim team has released the following patched version that addresses this vulnerability:

- Exim version 4.94.2

Conclusion

The CVE-2023-42116 Exim SMTP Challenge Stack-based Buffer Overflow Remote Code Execution Vulnerability is a severe security issue that puts numerous mail servers at risk. This post has detailed the vulnerability's nature, the steps required to exploit it, and the code snippet that exposes the underlying flaw. It is crucial for administrators to update their Exim installations and apply the necessary patches to prevent potential attacks. As always, staying informed about the latest security vulnerabilities and applying timely updates helps in maintaining a secure system environment.

Timeline

Published on: 05/03/2024 03:15:50 UTC