Bug 670945 (CVE-2011-0017) - CVE-2011-0017 Exim: privilege escalation
Summary: CVE-2011-0017 Exim: privilege escalation
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2011-0017
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2011-01-19 18:21 UTC by Josh Bressers
Modified: 2023-05-12 11:54 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-05-31 12:35:53 UTC
Embargoed:


Attachments (Terms of Use)

Description Josh Bressers 2011-01-19 18:21:23 UTC
The exim setuid executable contains unchecked setuid() calls. If an
attacker is able to exceed the exim user's resource limits, the setuid()
call could fail, preventing the executable from dropping root privileges.

If an attacker gains access to the exim user (via another exploit), they
could potentially overwrite arbitrary system files with a symlink. The
files would contain an email message, which could potentially be used to execute arbitrary code as root.

Comment 1 Josh Bressers 2011-01-19 18:22:26 UTC
Acknowledgements:

Red Hat would like to thank Phil Pennock for reporting this issue.

Comment 2 Vincent Danen 2011-02-02 16:15:29 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2011-0017 to
the following vulnerability:

Name: CVE-2011-0017
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0017
Assigned: 20101207
Reference: URL: http://lists.exim.org/lurker/message/20110126.034702.4d69c278.en.html
Reference: CONFIRM:ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.74
Reference: URL: http://www.debian.org/security/2011/dsa-2154
Reference: URL: http://www.securityfocus.com/bid/46065
Reference: URL: http://osvdb.org/70696
Reference: URL: http://secunia.com/advisories/43101
Reference: URL: http://secunia.com/advisories/43128
Reference: URL: http://www.vupen.com/english/advisories/2011/0224
Reference: URL: http://www.vupen.com/english/advisories/2011/0245
Reference: URL: http://xforce.iss.net/xforce/xfdb/65028

The open_log function in log.c in Exim 4.72 and earlier does not check
the return value from (1) setuid or (2) setgid system calls, which
allows local users to append log data to arbitrary files via a symlink
attack.


Exim 4.74 is available to fix this.


Note You need to log in before you can comment on or make changes to this bug.