The exim setuid executable contains unchecked setuid() calls. If an attacker is able to exceed the exim user's resource limits, the setuid() call could fail, preventing the executable from dropping root privileges. If an attacker gains access to the exim user (via another exploit), they could potentially overwrite arbitrary system files with a symlink. The files would contain an email message, which could potentially be used to execute arbitrary code as root.
Acknowledgements: Red Hat would like to thank Phil Pennock for reporting this issue.
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0017 to the following vulnerability:

Name: CVE-2011-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0017
Assigned: 20101207
Reference: URL: http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html
Reference: CONFIRM:ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
Reference: URL: http://www.debian.org/security/2011/dsa-2154
Reference: URL: http://www.securityfocus.com/bid/46065
Reference: URL: http://osvdb.org/70696
Reference: URL: http://secunia.com/advisories/43101
Reference: URL: http://secunia.com/advisories/43128
Reference: URL: http://www.vupen.com/english/advisories/2011/0224
Reference: URL: http://www.vupen.com/english/advisories/2011/0245
Reference: URL: http://xforce.iss.net/xforce/xfdb/65028

The open_log function in log.c in Exim 4.72 and earlier does not check the return value from (1) setuid or (2) setgid system calls, which allows local users to append log data to arbitrary files via a symlink attack. Exim 4.74 is available to fix this.
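The defensive pattern the fix amounts to, as an added example that is not Exim's code: every setgid()/setuid() call is checked, the drop is verified before the log is touched, and the log is opened with O_NOFOLLOW. The helper names (drop_privileges, privileges_dropped, open_log_checked) are hypothetical, and the code assumes Linux/glibc.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Drop to the given uid/gid, checking every call. A failure (for example
 * EAGAIN when the target user's process limit is exhausted, or EPERM)
 * returns -1 with errno set; the caller must not carry on as root.
 * Hypothetical helper written for this example, not Exim's own code. */
int drop_privileges(uid_t uid, gid_t gid)
{
    /* Groups first: once the uid is unprivileged, setgid() would fail. */
    if (geteuid() == 0 && setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)          /* the call Exim <= 4.72 left unchecked */
        return -1;
    return 0;
}

/* Confirm the drop took effect and that root cannot be regained.
 * Returns 1 only when real and effective ids both match the target. */
int privileges_dropped(uid_t uid, gid_t gid)
{
    if (getuid() != uid || geteuid() != uid)
        return 0;
    if (getgid() != gid || getegid() != gid)
        return 0;
    if (uid != 0 && setuid(0) == 0)
        return 0;                  /* root came back: the drop was not real */
    return 1;
}

/* Open an append-only log only after the drop is verified. O_NOFOLLOW
 * refuses a symlink at the final path component, so a planted link
 * cannot redirect the log write somewhere else. Returns the fd or -1. */
int open_log_checked(uid_t uid, gid_t gid, const char *path)
{
    if (drop_privileges(uid, gid) != 0) {
        perror("privilege drop failed, refusing to open log");
        return -1;
    }
    if (!privileges_dropped(uid, gid))
        return -1;                 /* ids look wrong: do not touch the log */
    return open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW, 0640);
}
```

Run as an unprivileged user, dropping to the caller's own ids succeeds; in a setuid binary the same checks turn a failed setuid() into a refusal instead of a root-owned log write.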