CVE-2011-1764

Published: 05/10/2011 Updated: 21/02/2014
CVSS v2 Base Score: 7.5 | Impact Score: 6.4 | Exploitability Score: 10
VMScore: 780
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Vulnerability Summary

Format string vulnerability in the dkim_exim_verify_finish function in src/dkim.c in Exim prior to 4.76 might allow remote malicious users to execute arbitrary code or cause a denial of service (daemon crash) via format string specifiers in data used in DKIM logging, as demonstrated by an identity field containing a % (percent) character.

Vulnerable Product

exim exim 4.50

exim exim 4.44

exim exim 4.63

exim exim 4.62

exim exim 4.61

exim exim 4.21

exim exim 4.22

exim exim 4.41

exim exim 4.40

exim exim 4.03

exim exim 4.02

exim exim 3.32

exim exim 3.31

exim exim 3.14

exim exim 3.13

exim exim 2.12

exim exim 2.11

exim exim 4.74

exim exim

exim exim 4.51

exim exim 4.30

exim exim 4.64

exim exim 4.23

exim exim 4.24

exim exim 4.68

exim exim 4.10

exim exim 4.14

exim exim 4.05

exim exim 4.04

exim exim 3.34

exim exim 3.33

exim exim 3.16

exim exim 3.15

exim exim 3.01

exim exim 3.00

exim exim 4.72

exim exim 4.73

exim exim 4.43

exim exim 4.34

exim exim 4.60

exim exim 4.54

exim exim 4.42

exim exim 4.65

exim exim 4.32

exim exim 4.20

exim exim 4.01

exim exim 4.00

exim exim 3.30

exim exim 3.22

exim exim 3.12

exim exim 3.11

exim exim 2.10

exim exim 4.69

exim exim 4.33

exim exim 4.31

exim exim 4.53

exim exim 4.52

exim exim 4.66

exim exim 4.67

exim exim 4.11

exim exim 4.12

exim exim 3.36

exim exim 3.35

exim exim 3.21

exim exim 3.20

exim exim 3.10

exim exim 3.03

exim exim 3.02

exim exim 4.70

exim exim 4.71

Vendor Advisories

Debian Bug report logs - #624670: exim4 dkim plugin - % in dkim signature logged to paniclog. Package: exim4; Maintainer for exim4 is Exim4 Maintainers <pkg-exim4-maintainers@lists.alioth.debian.org>; Source for exim4 is src:exim4. Reported by: Suresh Ramasubramanian <suresh@hserus.net>. Date: Sat, ...

Exim could be made to run arbitrary code under some conditions ...

It was discovered that Exim, the default mail transport agent in Debian, uses DKIM data obtained from DNS directly in a format string, potentially allowing malicious mail senders to execute arbitrary code (CVE-2011-1764). The oldstable distribution (lenny) is not affected by this problem because it does not contain DKIM support. For the stable distri ...

Nmap Scripts

smtp-vuln-cve2011-1764

Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.

nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2011-1764:
|   VULNERABLE:
|   Exim DKIM format string
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-1764  BID:47736
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|     Description:
|       Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified
|       Mail (DKIM) support is vulnerable to a format string. A remote attacker
|       who is able to send emails, can exploit this vulnerability and execute
|       arbitrary code with the privileges of the Exim daemon.
|     Disclosure date: 2011-04-29
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764
|       https://www.securityfocus.com/bid/47736
|_      http://bugs.exim.org/show_bug.cgi?id=1106

smtp-vuln-cve2011-1764

Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.

nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2011-1764:
|   VULNERABLE:
|   Exim DKIM format string
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-1764  OSVDB:72156
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|     Description:
|       Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified
|       Mail (DKIM) support is vulnerable to a format string. A remote attacker
|       who is able to send emails, can exploit this vulnerability and execute
|       arbitrary code with the privileges of the Exim daemon.
|     Disclosure date: 2011-04-29
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764
|       http://osvdb.org/72156
|_      http://bugs.exim.org/show_bug.cgi?id=1106

Github Repositories

Target enumeration scan

Enums_Scan: Enumeration scans of multiple targets, ports and protocols, in bash. autoscan_nmap: This script scans a network or an IP address. nmap -p- --min-rate 1000 "$target" This part of the command uses Nmap, a network analysis tool. It scans a target host for open ports. The options used ...