[CVE-2020-28018] Use-After-Free on Exim Question

Related Vulnerabilities: CVE-2020-28018  
oss-sec mailing list archives
From: null p0int3r <nullp0int3rx () gmail com>

Date: Tue, 11 May 2021 13:23:43 +0200

Hi,

I have a question to the Qualys researchers that discovered and
successfully achieved RCE on CVE-2020-28018 (Use-After-Free vulnerability
on tls-openssl.c).

This question is neither advisory related nor about vulnerability discovery but about
exploitation, so I am not sure if it is in the scope of this mailing list.

I am developing a Proof-of-Concept exploit for the previously mentioned bug.

I know that once you reach tls_write() again, the UAF is lost as the pointer is
NULL'ed.

"- finally, we send a MAIL FROM command whose response overwrites Exim's
  configuration with our arbitrary "${run{...}}" (which is eventually
  executed by expand_string())."

In the advisory it says that you sent a second "MAIL FROM" command to the
server so that the response in tls_write() is written to the area pointed to by
the s pointer of the UAF'ed gstring struct.

So I suppose that command is the first one you send after the second "STARTTLS"
command is sent, right?

I was able to overwrite the gstring struct using a "MAIL FROM" command, but
only after the "STARTTLS", which makes it difficult to use the same response
to overwrite the target buffer, as a "NULL byte not allowed" message is
returned instead.

So my question, in summary: did you corrupt the gstring struct before the
STARTTLS and then send another MAIL FROM command after the STARTTLS? Or did you
use two "MAIL FROM" commands after the STARTTLS, or a pipelined one, both
after it?

I guess pipelining cannot be used, as you would first need an EHLO response
saying the PIPELINING extension is available. Doing so requires the use of
tls_write(), which means breaking the UAF.

PS: Congrats on those nice bugs you discovered.

Thanks
