Slashdot Mirror


Remote Exim Exploit In the Wild

An anonymous reader sends word of a remote exploit in the wild against the Exim mail agent. The news comes from the Exim mailing list, where a user posted that his Exim install had been hacked via a remote exploit that gave the attacker the privileges of the mailnull user, which can lead to other possible attacks. A note up at the Internet Storm Center reminds Exim users how to set Exim up to run in unprivileged mode, and a commenter includes recompile instructions for Debian exim for added safety. The security press hasn't picked up on this story so far.

  1. Was fixed in 4.70 according to Mailing List by gQuigs · · Score: 5, Informative

    http://www.exim.org/lurker/message/20101210.071922.233697ac.en.html

    "Paul Fisher and I have successfully run the exploit against a copy of
    Exim running in a debugger on debian lenny, and we believe it utilizes
    this bug:

    http://bugs.exim.org/show_bug.cgi?id=787

    It was fixed in 4.70, but not in the version currently in debian
    stable.

    James E. Blair
    UC Berkeley"

    1. Re:Was fixed in 4.70 according to Mailing List by John+Hasler · · Score: 5, Informative

      It was fixed in 4.70, but not in the version currently in debian stable.

      Debian has released a DSA and a fixed version for Stable. See Debian Security Advisory DSA-2131-1 and Debian Security .

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Was fixed in 4.70 according to Mailing List by Rockoon · · Score: 3, Informative

      Security through obscurity.

      --
      "His name was James Damore."
    3. Re:Was fixed in 4.70 according to Mailing List by MobileTatsu-NJG · · Score: 4, Informative

      Boring target.

      --

      "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  2. Debian patched it today by domatic · · Score: 5, Informative

    Debian released patches this morning for it.

    exim4 (4.69-9+lenny1) stable-security; urgency=high

        * Non-maintainer upload by the Security Team.
        * Fix SMTP file descriptors being leaked to processes invoked with ${run...}
        * Fix memory corruption issue in string_format(). CVE-2010-4344
        * Fix potential memory pool corruption issue in internal_lsearch_find().

      -- Stefan Fritsch Fri, 10 Dec 2010 13:25:07 +0100