xorl %eax, %eax

CVE-2011-1764: Exim DKIM Signatures Remote Format String

with one comment

A couple of minutes ago I noticed this tweet by Joshua J. Drake (aka jduck). This is a really interesting vulnerability of Exim MTA. So, as we can read in the bug report, the issue was reported by John R. Levine as a misinterpretation of DKIM signatures. A closer look in src/dkim.c reveals that this was a classic format string vulnerability.

void dkim_exim_verify_finish(void) {
   pdkim_signature *sig = NULL;
   int dkim_signers_size = 0;
   int dkim_signers_ptr = 0;
   dkim_signers = NULL;
   /* Delete eventual previous signature chain */
   dkim_signatures = NULL;
     /* Log a line for each signature */
     uschar *logmsg = string_append(NULL, &size, &ptr, 5,
      string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
                      (sig->canon_headers == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
                      (sig->canon_body    == PDKIM_CANON_SIMPLE)?"simple":"relaxed",
                      (sig->algo          == PDKIM_ALGO_RSA_SHA256)?"rsa-sha256":"rsa-sha1"
    logmsg[ptr] = '\0';
    log_write(0, LOG_MAIN, (char *)logmsg);

As you can clearly see, the buffer (logmsg) passed to log_write() is derived from (partially) user controlled data. Since there is no format string specifier in log_write(), a user could trigger a common format string vulnerability by using such specifiers. The fix was quite obvious…

-    log_write(0, LOG_MAIN, (char *)logmsg);
+    log_write(0, LOG_MAIN, "DKIM: %s", logmsg);

Also, since the “DKIM:” string was moved to log_write() it was removed from the initial string_sprintf() shown earlier…

-      string_sprintf( "DKIM: d=%s s=%s c=%s/%s a=%s ",
+      string_sprintf( "d=%s s=%s c=%s/%s a=%s ",

Written by xorl

May 6, 2011 at 23:49

Posted in vulnerabilities

One Response

Subscribe to comments with RSS.

  1. I wonder if an exploit exists for this bug, the logmsg is on heap, what do you think?
    I worked alot on it, I found out some attack vectors, but always some issues in each.


    August 10, 2011 at 22:26

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: