xorl %eax, %eax

CVE-2011-1764: Exim DKIM Signatures Remote Format String


A couple of minutes ago I noticed this tweet by Joshua J. Drake (aka jduck). This is a really interesting vulnerability in the Exim MTA. As we can read in the bug report, the issue was reported by John R. Levine as Exim misinterpreting DKIM signatures. A closer look at src/dkim.c reveals that this is a classic format string vulnerability.

void dkim_exim_verify_finish(void) {
  pdkim_signature *sig = NULL;
  int dkim_signers_size = 0;
  int dkim_signers_ptr = 0;
  dkim_signers = NULL;

  /* Delete eventual previous signature chain */
  dkim_signatures = NULL;
...
    /* Log a line for each signature */
    uschar *logmsg = string_append(NULL, &size, &ptr, 5,

     string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
                     sig->domain,    /* d= tag of the DKIM-Signature header, sender-supplied */
                     sig->selector,  /* s= tag of the same header, sender-supplied */
                     (sig->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
                     (sig->canon_body    == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
                     (sig->algo          == PDKIM_ALGO_RSA_SHA256)?"rsa-sha256":"rsa-sha1"
                   ),
...
    logmsg[ptr] = '\0';
    log_write(0, LOG_MAIN, (char *)logmsg);   /* logmsg is used as the printf-style format */
...
  }
}

As you can see, the buffer (logmsg) passed to log_write() is built partly from sender-controlled data: sig->domain and sig->selector are the d= and s= tags of the DKIM-Signature header of the incoming message. The third argument of log_write() is a printf-style format string, and here logmsg is passed as that format rather than as an argument, so any %x, %s or %n sequences placed in those tags are interpreted by the formatting code instead of being logged literally. Because this runs while Exim verifies the DKIM signatures of a received mail, any remote sender can trigger it. The fix was quite obvious…

-    log_write(0, LOG_MAIN, (char *)logmsg);
+    log_write(0, LOG_MAIN, "DKIM: %s", logmsg);
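Review bot: the `(char *)logmsg` cast on the removed line is the tell that log_write() was being handed data where it expects a format, and the `"DKIM: %s", logmsg` replacement is the correct shape, but the same mistake can exist elsewhere; suggest auditing the other log_write() and debug output calls in src/dkim.c and the pdkim code for a non-literal format, and building with -Wformat-security (which only fires if log_write() is declared with the format(printf, 3, 4) attribute) so that this pattern cannot be reintroduced.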

Also, since the “DKIM: ” prefix now lives in the log_write() format string, it was dropped from the string_sprintf() call shown earlier…

-      string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
+      string_sprintf( "d=%s s=%s c=%s/%s a=%s ",
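Review bot: removing the prefix here is required, otherwise the new log_write() format would produce "DKIM: DKIM: d=..." lines; the 5-element string_append() count and the trailing space in the format are untouched, so the log line layout should come out identical to before, but it is worth confirming against anything that parses mainlog for "DKIM: d=" since the prefix now comes from a different place.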
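To make the two call patterns concrete, here is an added example that is not part of the original post and not Exim's code. demo_log_write(), build_logmsg(), log_dkim_vuln(), log_dkim_fixed() and count_format_directives() are hypothetical names; the sink deliberately takes a printf-style format like the real log_write() but writes to a buffer so the result can be compared. The "sender-controlled" d= and s= values are constructed inline. The vulnerable path is only ever fed "%%" (a directive that consumes no argument), which is enough to show the sender's percent signs being interpreted rather than logged; feeding it %x, %s or %n would be undefined behaviour, exactly the primitive an attacker gets from the real bug.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOGBUF 256

/* Hypothetical stand-in for Exim's log_write(): like the real thing, its
 * format parameter is printf-style and whatever follows are its arguments.
 * Output goes to a caller-supplied buffer so the result can be inspected. */
static void demo_log_write(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Build the per-signature line the way dkim_exim_verify_finish() does.
 * domain and selector stand for the d= and s= tags of the DKIM-Signature
 * header of the incoming mail, i.e. text chosen by the sender. */
static void build_logmsg(char *buf, size_t len,
                         const char *domain, const char *selector)
{
    snprintf(buf, len, "d=%s s=%s c=simple/relaxed a=rsa-sha256",
             domain, selector);
}

/* Pre-fix pattern: the assembled text is handed over AS the format string,
 * so every '%' the sender put in d= or s= becomes a printf directive.
 * This demo only feeds it "%%"; with %x/%s/%n the missing arguments make
 * it undefined behaviour and, in a real process, a read/write primitive. */
const char *log_dkim_vuln(const char *domain, const char *selector)
{
    static char out[LOGBUF];
    char logmsg[LOGBUF];
    build_logmsg(logmsg, sizeof logmsg, domain, selector);
    demo_log_write(out, sizeof out, logmsg);             /* BAD: data as format */
    return out;
}

/* Post-fix pattern: literal format, sender text is only a %s argument. */
const char *log_dkim_fixed(const char *domain, const char *selector)
{
    static char out[LOGBUF];
    char logmsg[LOGBUF];
    build_logmsg(logmsg, sizeof logmsg, domain, selector);
    demo_log_write(out, sizeof out, "DKIM: %s", logmsg); /* GOOD: data as argument */
    return out;
}

/* Count the conversion directives printf would act on in s.  "%%" is an
 * escape for a literal percent sign and is not counted.  Useful as a triage
 * check when auditing which untrusted text can reach a format parameter. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%": literal percent, skip both chars */
            p++;
            continue;
        }
        n++;                    /* %x, %s, %n, %08x, ... */
    }
    return n;
}

int main(void)
{
    /* Constructed DKIM-Signature tag values; no real domain is implied. */
    const char *evil_d = "%%x";     /* safe to run: consumes no argument */
    const char *sel    = "mail";

    printf("vulnerable: %s\n", log_dkim_vuln(evil_d, sel));
    printf("fixed:      %s\n", log_dkim_fixed(evil_d, sel));
    printf("directives in \"d=%%x%%n s=mail\": %d\n",
           count_format_directives("d=%x%n s=mail"));
    return 0;
}
```

In the vulnerable path "d=%%x" is collapsed to "d=%x" because the sender's text went through the formatter, while the fixed path logs it byte for byte behind the literal "DKIM: " prefix. The demo sink is intentionally not declared with __attribute__((format(printf, 3, 4))); with that attribute, GCC's -Wformat-security would flag the log_dkim_vuln() call, which is the cheap way to keep this bug class out of a code base, but it would also stop this demo compiling on toolchains that default to -Werror=format-security.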

Written by xorl

May 6, 2011 at 23:49

Posted in bugs

One Response


  1. I wonder if an exploit exists for this bug; the logmsg is on the heap, what do you think?
    I worked a lot on it. I found out some attack vectors, but always some issues in each.

    bloppy

    August 10, 2011 at 22:26

