Greetings OSS-Security!
I took a look at that flaw too, but I wonder if there is a good technique to groom the heap to get that allocation
right before the objective data. There are some limits on using a MAIL cmd: first, you cannot use it if another MAIL cmd
was successful; second, it calls smtp_reset() after finishing. The only way would be using RSE ...
Hi,
On Tue, May 11, 2021 at 01:23:43PM +0200, null p0int3r wrote:
Yes! After the second STARTTLS we send an invalid MAIL FROM command (for
example, "MAIL FROM:(\"${run{}}\")\n"). Exim then responds with a 501
error message that includes our "${run{}}" string, and since corked
in tls_write() is still non-NULL, this string is written to wher ...
Hi,
On Tue, May 11, 2021 at 11:18:12PM +0200, null p0int3r wrote:
One of the name=value parameters for MAIL FROM is special, because it
can allocate arbitrary (binary) characters (hint: we also used it to
exploit another vulnerability in the advisory)!
With best regards,
--
the Qualys Security Advisory team
[d1dejaj6dcqv24cloudfront ...
Dear Exim-Users
Abstract
--------
Several exploitable vulnerabilities in Exim were reported to us and are
fixed.
We have prepared a security release, tagged as "exim-4.94.2".
This release contains all changes on the exim-4.94+fixes branch plus
security fixes.
You should update your Exim instances as soon as possible (See below
for short upgra ...
Hi again!
Thanks for the reply.
In addition to my previous question, to make it clearer:
I successfully exploited the Use-After-Free to get Heap Address Leak and
the arbitrary read primitive mentioned in the advisory.
Talking about the arbitrary read, I sent a "MAIL FROM" command after the
last "STARTTLS".
When sending it after the START ...
Hi,
I have a question to the Qualys researchers that discovered and
successfully achieved RCE on CVE-2020-28018 (Use-After-Free vulnerability
in tls-openssl.c).
This question is neither advisory related nor about vulnerability discovery but about
exploitation, so I am not sure if it is in the scope of this mailing list.
I am developing a Proof-of-Concept e ...
Hi,
On Wed, May 12, 2021 at 02:46:31PM +0000, harrisjohnsonx wrote:
We first send a large EHLO command to make sure that the next allocation
will overwrite the freed struct gstring, and then we send the MAIL FROM
command (with an AUTH parameter) to actually overwrite the freed struct
gstring (with arbitrary characters).
Hopefully this helps! ...
Qualys Security Advisory
21Nails: Multiple vulnerabilities in Exim
========================================================================
Contents
========================================================================
Summary
Local vulnerabilities
- CVE-2020-28007: Link attack in Exim's log directory
- CVE-2020-28008: Assorted attacks in Ex ...
Hi,
Replying as a list moderator:
On Tue, May 11, 2021 at 01:23:43PM +0200, null p0int3r wrote:
Yes, this is in scope. So if anyone (not only the Qualys researchers)
wants to reply for real, please feel free
Alexander ...