Description
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected products
- Canonical / Ubuntu Linux6.06 β 6.06
- Canonical / Ubuntu Linux9.10 β 9.10
- Canonical / Ubuntu Linux8.04 β 8.04
- Debian / debian_linux5.0 β 5.0
- Exim / Exim4.70
- openSUSE / opensuse11.3 β 11.3
- openSUSE / opensuse11.2 β 11.2
- openSUSE / opensuse11.1 β 11.1
References
- MAILING_LISThttp://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
- MISChttp://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
- MISChttp://bugs.exim.org/show_bug.cgi?id=787
- MISChttp://www.securitytracker.com/id?1024858
- MISChttp://www.redhat.com/support/errata/RHSA-2010-0970.html
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3186
- MISChttp://www.securityfocus.com/bid/45308
- EXPLOIThttp://www.metasploit.com/modules/exploit/unix/smtp/exim4_string_format
- MISChttp://atmail.com/blog/2010/atmail-6204-now-available/
- VENDOR_ADVISORYhttp://secunia.com/advisories/42576
- VENDOR_ADVISORYhttp://secunia.com/advisories/42587
- MISChttps://bugzilla.redhat.com/show_bug.cgi?id=661756
- MAILING_LISThttp://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html
- VENDOR_ADVISORYhttp://secunia.com/advisories/40019
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3172
- MISChttp://www.kb.cert.org/vuls/id/682457
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3181
- VENDOR_ADVISORYhttp://secunia.com/advisories/42586
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3317
- VENDOR_ADVISORYhttp://www.ubuntu.com/usn/USN-1032-1
- MISChttp://www.cpanel.net/2010/12/exim-remote-memory-corruption-vulnerability-notification-cve-2010-4344.html
- MISChttp://www.osvdb.org/69685
- MISChttp://www.securityfocus.com/archive/1/515172/100/0/threaded
- MISChttp://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3246
- MISCftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.70
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3204
- MISChttp://git.exim.org/exim.git/commit/24c929a27415c7cfc7126c47e4cad39acf3efa6b
- VENDOR_ADVISORYhttp://www.debian.org/security/2010/dsa-2131
- VENDOR_ADVISORYhttp://www.vupen.com/english/advisories/2010/3171
- VENDOR_ADVISORYhttp://secunia.com/advisories/42589
- MAILING_LISThttp://openwall.com/lists/oss-security/2010/12/10/1
- MAILING_LISThttp://www.openwall.com/lists/oss-security/2021/05/04/7