CVE-2022-37452: Exim before 4.95 has a heap-based buffer overflow for the alias list in host_name_lookup in host.c when sender_host_name is set.

A heap overflow in a network-facing daemon that runs with root privileges is a serious bug: in the worst case it can be turned into arbitrary code execution with the privileges of the Exim process, which for the listening daemon is normally root. The CVE text itself records only the overflow, not a demonstrated code-execution path, and no public exploit is described here.

Upgrade to Exim 4.95 or later: the CVE text names 4.95 as the first fixed release, and every later release (4.96 onward) carries the same fix. The version of the installed binary is printed by exim -bV. Take the upgrade from your distribution's package repository where one exists, because distributions sometimes backport the fix into an older version number and their advisory is then the authoritative statement of whether you are affected; otherwise build the current release from exim.org. Exim has no --update or --dump-config options: the binary is replaced by the package manager or by the build's make install, and the installation directory is fixed at build time (BIN_DIRECTORY in Local/Makefile), so do not move the binary to another path by hand. After upgrading, check that the new binary accepts your configuration with exim -C /path/to/configure -bV (a broken configuration makes it fail instead of printing the version) and review option values with exim -bP if needed. Keep the configuration file owned by root (or the Exim user) and not world-writable; Exim refuses to use a configuration file with unsafe permissions.
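As an added check (not part of the original advisory and not the Exim project's own code), the following POSIX shell script parses the first line of `exim -bV` and reports whether the installed build predates 4.95, the fixed release named in the CVE text. The `Exim version ...` lines in the comments and test are constructed samples; the script runs the real `exim -bV` only if an exim binary is on PATH.

```sh
#!/bin/sh
# Added example, not code from the Exim project: classify an Exim build as
# older than the fixed release (4.95) named in the CVE-2022-37452 description.

FIXED_VERSION="4.95"   # affected = "before 4.95" per the CVE text

# Pull "X.YY[.Z]" out of the first line of `exim -bV`, which looks like
# "Exim version 4.94.2 #2 built 12-Jan-2022 10:00:00" (constructed sample).
exim_version_from_bv() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([0-9][0-9.]*\).*$/\1/p'
}

# version_lt A B: succeed (exit 0) when dotted version A is lower than B.
# Missing trailing fields count as 0, so 4.95 compares equal to 4.95.0.
version_lt() {
    i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$1" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s\n' "$2" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    return 1
}

# exim_is_vulnerable BV_OUTPUT: exit 0 = version before 4.95,
# 1 = 4.95 or later, 2 = no version could be parsed from the input.
exim_is_vulnerable() {
    v=$(exim_version_from_bv "$1")
    [ -n "$v" ] || return 2
    version_lt "$v" "$FIXED_VERSION"
}

# Stand-alone use: check the binary on PATH, if there is one.
if command -v exim >/dev/null 2>&1; then
    first_line=$(exim -bV 2>/dev/null | head -n 1)
    if exim_is_vulnerable "$first_line"; then rc=0; else rc=$?; fi
    case $rc in
        0) echo "VULNERABLE to CVE-2022-37452 (before $FIXED_VERSION): $first_line" ;;
        1) echo "not affected by version: $first_line" ;;
        *) echo "could not determine version from: $first_line" ;;
    esac
else
    echo "exim not on PATH; nothing checked"
fi
```

A "vulnerable" result from this version test is a prompt to look at the distribution changelog, not a final verdict, since a backported fix keeps the old version number; and a "not affected" result says nothing about whether the vulnerable code path is even reachable in your configuration, which depends on when Exim performs host name lookups (see below).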

Where the Vulnerability Is

The affected code is host_name_lookup() in host.c, the routine that performs the reverse DNS lookup of the connecting client's address and records the result in sender_host_name together with a list of the host's alias names. The overflow occurs while that alias list is being built, and the code is reached only when sender_host_name is set, that is, when Exim has actually performed a host name lookup for the connection. Exim does this for clients matching the host_lookup option and when an ACL asks for it (for example verify = reverse_host_lookup), so in many configurations only part of the client population ever reaches the vulnerable path. The CVE names no other Exim functions.

How Is the Vulnerability Triggered?

The input to the vulnerable path is DNS data, not message content: the alias list is assembled from the reverse-lookup results for the connecting address. An attacker who can connect to the SMTP listener and controls the DNS records for the address space they connect from therefore controls what reaches the overflowing code, and no authentication is needed to get that far. Whether that controlled input can be turned into code execution is not established by the CVE text, and no exploit is described here.
