Introduction

A recently discovered vulnerability (CVE-2023-42119) in Exim, a widely used mail transfer agent, allows network-adjacent attackers to disclose sensitive information on affected installations. This potentially serious security flaw exists within Exim's smtp service, which by default listens on TCP port 25. Exploiting this vulnerability does not require authentication, and an attacker can leverage it in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account. The flaw, initially reported as ZDI-CAN-17643, stems from the lack of proper validation of user-supplied data, resulting in a read past the end of an allocated buffer.

The following code snippet demonstrates the vulnerability within the smtp service:

int smtp_process_input(smtp_ctxt_t *ctxt, char *data, size_t data_len)
{
    char buf[MAX_SMTP_BUF_SIZE];   /* fixed-size line buffer */
    ...

    for (size_t i = 0; i < data_len; i++)
    {
        /* Every byte is copied at ctxt->buf_len, but buf_len is never
         * compared against MAX_SMTP_BUF_SIZE: a long enough line runs off
         * the end of buf. */
        buf[ctxt->buf_len++] = data[i];

        if (data[i] == '\n')
        {
            // Process 'buf' for SMTP commands, e.g., "MAIL FROM:", "RCPT TO:", etc.
            ...
        }
    }

    ...
}

This code snippet highlights the missing validation of user-supplied data: nothing checks ctxt->buf_len against MAX_SMTP_BUF_SIZE before each byte is copied, which can lead to a read past the end of an allocated buffer and ultimately to an information disclosure vulnerability.

Original References

1. CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42119
2. ZDI-CAN-17643: https://www.zerodayinitiative.com/advisories/ZDI-CAN-17643/

Exploit Details

An attacker can exploit this vulnerability to obtain sensitive information from the Exim smtp service by crafting malicious SMTP commands that trigger an out-of-bounds read. As previously mentioned, the attacker does not need to authenticate with the smtp service to exploit this vulnerability.

1. The attacker establishes a connection to the victim's Exim smtp service listening on TCP port 25.
2. The attacker sends maliciously crafted SMTP commands that cause an out-of-bounds read in the smtp service.
3. The smtp service inadvertently discloses sensitive information from its memory, which the attacker can use in conjunction with other vulnerabilities to execute arbitrary code in the context of the service account.

Mitigation

To protect against this vulnerability, it is recommended that users upgrade to the latest version of Exim, which contains the necessary patches and fixes. Additionally, system administrators should restrict access to the smtp service by implementing proper network access controls, such as firewalls, allowing only authorized users to connect to the smtp service. In cases where upgrading is not immediately possible, it is advisable to apply the following temporary measures:

1. Add strict input validation checks for the user-supplied data in the smtp service code.
2. Monitor Exim logs and network traffic for unusual activities and indicators of potential exploitation attempts.
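As an added illustration of the first measure, the loop from the snippet above rewritten with the bound check it lacks. This is constructed example code, not Exim's source or its fix: the names MAX_SMTP_BUF_SIZE and smtp_ctxt_t are taken from the snippet, while the struct layout, the buffer size, the stand-in command parser and the function names are assumptions made here. It also shows why the accumulation state matters: a command split across two reads must still parse correctly, and a line longer than the buffer must be rejected rather than written past its end.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not Exim's source. MAX_SMTP_BUF_SIZE and smtp_ctxt_t
 * are names from the snippet on this page; the struct members, the size and
 * the helpers below are assumptions made for illustration. */
#define MAX_SMTP_BUF_SIZE 512

typedef struct {
    char   buf[MAX_SMTP_BUF_SIZE];  /* accumulates one SMTP line */
    size_t buf_len;                 /* bytes currently held in buf */
    size_t lines_processed;         /* complete lines handed to the parser */
    size_t overlong_lines;          /* lines rejected for exceeding buf */
    char   last_verb[16];           /* verb of the last parsed line, e.g. "RCPT" */
} smtp_ctxt_t;

void smtp_ctxt_init(smtp_ctxt_t *ctxt)
{
    memset(ctxt, 0, sizeof(*ctxt));
}

/* Stand-in for the command processing elided ("...") in the snippet: record
 * the SMTP verb, i.e. the text before the first space, colon or line end.
 * The caller NUL-terminates buf, so strcspn cannot run past received data. */
static void process_line(smtp_ctxt_t *ctxt, const char *line)
{
    size_t n = strcspn(line, " :\r\n");
    if (n >= sizeof(ctxt->last_verb))
        n = sizeof(ctxt->last_verb) - 1;
    memcpy(ctxt->last_verb, line, n);
    ctxt->last_verb[n] = '\0';
    ctxt->lines_processed++;
}

/* Bounded replacement for the loop in the snippet. Returns the number of
 * complete lines processed from this chunk, or -1 if a line would exceed
 * buf; in that case the partial line is discarded and counted. */
int smtp_process_input_bounded(smtp_ctxt_t *ctxt, const char *data, size_t data_len)
{
    int lines = 0;

    for (size_t i = 0; i < data_len; i++)
    {
        /* The check the snippet lacks: never index past the end of buf.
         * One byte is reserved so the line can always be NUL-terminated. */
        if (ctxt->buf_len >= sizeof(ctxt->buf) - 1)
        {
            ctxt->overlong_lines++;
            ctxt->buf_len = 0;
            return -1;
        }

        ctxt->buf[ctxt->buf_len++] = data[i];

        if (data[i] == '\n')
        {
            ctxt->buf[ctxt->buf_len] = '\0';
            process_line(ctxt, ctxt->buf);
            ctxt->buf_len = 0;   /* start the next line at the top of buf */
            lines++;
        }
    }
    return lines;
}

int main(void)
{
    smtp_ctxt_t ctxt;
    smtp_ctxt_init(&ctxt);

    /* Constructed input: a command split across two reads, then a single
     * line twice the size of the buffer. */
    const char *part1 = "MAIL FROM:<sender@example.invalid>\r\nRCPT TO:<rec";
    const char *part2 = "ipient@example.invalid>\r\n";
    char oversized[2 * MAX_SMTP_BUF_SIZE];
    memset(oversized, 'A', sizeof(oversized));

    int r1 = smtp_process_input_bounded(&ctxt, part1, strlen(part1));
    int r2 = smtp_process_input_bounded(&ctxt, part2, strlen(part2));
    int r3 = smtp_process_input_bounded(&ctxt, oversized, sizeof(oversized));

    printf("chunk1=%d chunk2=%d last_verb=%s oversized=%d rejected=%zu\n",
           r1, r2, ctxt.last_verb, r3, ctxt.overlong_lines);
    return 0;
}
```

The bound is checked before the write, not after, and one byte is kept back for the terminator so the stand-in parser never scans uninitialised memory; returning -1 lets the caller decide whether to drop the line or close the session, and the overlong_lines counter is the kind of signal the second measure (log monitoring) can pick up.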

In conclusion, CVE-2023-42119 is a serious vulnerability that can lead to sensitive information disclosure and potential arbitrary code execution on affected Exim installations. By upgrading to the latest version of Exim and employing proper network access controls, users can safeguard their smtp service against this vulnerability.

Timeline

Published on: 05/03/2024 03:15:50 UTC
Last modified on: 07/05/2024 20:58:39 UTC