by Ashish Verma
In September 2019, security researchers from the QAX-A-Team discovered CVE-2019-16928, a vulnerability in the Exim mail transfer agent. Exim runs on over 50% of publicly reachable mail servers on the internet. What makes the bug particularly noteworthy is that threat actors could exploit it to perform denial of service (DoS) attacks or possibly even remote code execution (RCE), making it a serious concern for Exim users running vulnerable versions of the software.
The flaw exists in the following Exim versions (earlier versions are not affected): 4.92, 4.92.1 and 4.92.2. Version 4.92.3 contains the fix.
In this entry, we explain how CVE-2019-16928 can be exploited: specifically, how triggering a heap-based buffer overflow in the Exim process can be used to take control of its execution.
When a program runs, a function's local variables are stored in an area of memory called the stack, which is set up and released automatically as functions are called and return. Memory that is allocated and freed explicitly at runtime (for example, a buffer whose size depends on the input) lives in a different area called the heap.
A local variable on the stack often holds only a pointer to such a heap buffer, that is, the address of the block containing the value. If more bytes are written into that block than were allocated for it, the write does not stop at the end of the block: it continues into whatever the allocator placed next in the heap and overwrites the data there. Figure 1 depicts this execution flow.
Figure 1. Memory representation during heap buffer overflow
In this scenario, Value 2 is whatever happens to sit behind the overflowed buffer: application data, allocator metadata, or a pointer the program later follows. When an attacker controls the overflowing bytes, corrupting such a neighbour can crash the process (denial of service) or, with more work, redirect execution to attacker-supplied code, which is what makes remote code execution possible.
As defined by the Internet Engineering Task Force (IETF) in RFC 5321, Extended HELO (EHLO) is the command an email client sends to identify itself and tell the email server that it will use Extended Simple Mail Transfer Protocol (ESMTP) before it starts sending a message. The EHLO argument is attacker-controlled input that the server processes before any authentication, and it is through this string that a threat actor could exploit CVE-2019-16928: an overlong EHLO can crash the Exim process (resulting in DoS), and a carefully crafted one could potentially lead to remote code execution.
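The input shape described above is easy to recognise on the wire, because a legitimate EHLO argument is a hostname or address literal and RFC 5321 bounds it (255 octets for a domain, 512 octets for the whole command line including CRLF). The following is an added example written for this page, not code from the original article, from Exim, or from any vendor detection rule: a small C checker that flags EHLO/HELO lines breaking those limits, run over a constructed SMTP session. The function names and the sample lines are assumptions made for the demonstration.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed example for this article, not from Exim or any vendor rule:
   flag an EHLO/HELO whose argument is far longer than the protocol allows.
   Limits follow RFC 5321: a domain is at most 255 octets and a command
   line at most 512 octets including the trailing CRLF. */

#define SMTP_MAX_DOMAIN  255
#define SMTP_MAX_CMDLINE 512

/* 1 if LINE starts with EHLO or HELO (case-insensitive) as a whole word. */
static int is_helo_cmd(const char *line)
{
    static const char *const verbs[] = { "EHLO", "HELO" };
    for (int v = 0; v < 2; v++) {
        int i = 0;
        while (i < 4 && toupper((unsigned char)line[i]) == verbs[v][i]) i++;
        if (i == 4 && (line[4] == ' ' || line[4] == '\r' ||
                       line[4] == '\n' || line[4] == '\0'))
            return 1;
    }
    return 0;
}

/* Returns 1 when LINE is an EHLO/HELO that breaks an RFC 5321 length limit,
   0 for a well-formed one, and -1 when LINE is some other command. */
static int ehlo_oversized(const char *line)
{
    if (!is_helo_cmd(line)) return -1;
    const char *arg = line + 4;
    while (*arg == ' ') arg++;
    size_t arglen = strcspn(arg, "\r\n");   /* argument without the CRLF */
    size_t linelen = strlen(line);          /* whole line including CRLF */
    return (arglen > SMTP_MAX_DOMAIN || linelen > SMTP_MAX_CMDLINE) ? 1 : 0;
}

/* Build "EHLO " + NAMELEN 'A's + CRLF into BUF (constructed test input).
   BUF must hold at least NAMELEN + 8 bytes. Returns BUF. */
static char *build_long_ehlo(char *buf, size_t namelen)
{
    memcpy(buf, "EHLO ", 5);
    memset(buf + 5, 'A', namelen);
    memcpy(buf + 5 + namelen, "\r\n", 3);   /* copies the terminating NUL too */
    return buf;
}

/* Count the oversized EHLO/HELO lines in a captured client session. */
static int count_oversized(const char *const *lines, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++)
        if (ehlo_oversized(lines[i]) == 1) hits++;
    return hits;
}

int main(void)
{
    char big[1024];
    const char *session[] = {               /* constructed client commands */
        "EHLO mail.example.com\r\n",
        "MAIL FROM:<alice@example.com>\r\n",
        build_long_ehlo(big, 900),
        "QUIT\r\n",
    };
    printf("oversized EHLO/HELO lines: %d\n", count_oversized(session, 4));
    return 0;
}
```

A limit this coarse will not catch every malicious EHLO, but anything that exceeds the protocol's own maximum has no legitimate reason to exist and is worth alerting on regardless of whether the server behind it is patched.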
The vulnerability is in the function string_vformat() in string.c, which formats printf-style output into a growable heap buffer (an Exim gstring). Due to a coding error, when that buffer had to be enlarged to take the formatted output it was not grown by enough, so the copy that followed could run past the end of the heap block. The fix takes the current offset into the buffer into account when computing how much to grow.
Figure 2. gstring_grow() invocation which allocates more memory to string
As seen in Figure 2, the statement highlighted in red is the flaw. The amount requested from gstring_grow() was computed from the current write offset g->ptr and the room still left before the end of the block (lim - g->ptr). When that room is small and the string being appended is larger than it, the request comes out smaller than the data about to be written, and the subsequent copy runs past the end of the allocation: a heap overflow. The corrected statement on the next line sizes the growth so that it accounts for the offset as well as the full size of the appended data.
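To make the mechanism of Figure 1 and the growth error described above concrete, here is an added C model of a growable heap string with two growth policies. It was written for this page and is not Exim's string.c: the names (gstr_t, gstr_grow, gstr_append), the arena allocator with 0xAA guard bytes, and the 128-byte rounding are assumptions chosen for the demonstration. The buggy policy hands the grow routine the shortfall (needed minus remaining room) when the routine's contract is "bytes to be written from the current offset", so the new block comes out too small and the copy runs into the guard bytes; the fixed policy passes the full length. In a real heap those guard bytes would be the next object or allocator metadata, which is the Value 2 of Figure 1.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a growable heap string with an under-sized grow,
   written for this article. It is not Exim's string.c; the names and the
   rounding granularity are assumptions made for the demonstration. */

#define ARENA_SIZE   4096
#define REDZONE      64      /* guard bytes placed behind every block */
#define REDZONE_FILL 0xAA

typedef struct { unsigned char mem[ARENA_SIZE]; size_t top; } arena_t;
typedef struct { char *s; size_t size; size_t ptr; } gstr_t; /* block, bytes allocated, write offset */

/* Bump allocator. Each block is followed by a redzone so that an overflow
   lands in guard bytes we can inspect instead of in a real neighbour. */
static char *arena_alloc(arena_t *a, size_t n)
{
    if (a->top + n + REDZONE > ARENA_SIZE) return NULL;
    char *p = (char *)a->mem + a->top;
    memset(p + n, REDZONE_FILL, REDZONE);
    a->top += n + REDZONE;
    return p;
}

/* 1 if the guard bytes behind g's block are untouched, 0 if overwritten. */
static int redzone_intact(const gstr_t *g)
{
    const unsigned char *rz = (const unsigned char *)g->s + g->size;
    for (size_t i = 0; i < REDZONE; i++)
        if (rz[i] != REDZONE_FILL) return 0;
    return 1;
}

/* Grow so that COUNT more bytes can be written starting at offset P, rounding
   up to a 128-byte boundary plus one byte for the NUL. The contract matters:
   COUNT is "bytes to write from P", not "bytes to add to the current size". */
static void gstr_grow(arena_t *a, gstr_t *g, size_t p, size_t count)
{
    size_t newsize = ((p + count + 127) & ~(size_t)127) + 1;
    char *ns = arena_alloc(a, newsize);
    assert(ns != NULL);
    memcpy(ns, g->s, g->ptr);
    g->s = ns;
    g->size = newsize;
}

/* Buggy caller: passes the shortfall (needed minus remaining room), which is
   smaller than NEED whenever room is left, so the block ends up too small. */
static size_t grow_count_buggy(size_t ptr, size_t lim, size_t need)
{
    return need - (lim - ptr);
}

/* Fixed caller: passes the full number of bytes about to be written. */
static size_t grow_count_fixed(size_t ptr, size_t lim, size_t need)
{
    (void)ptr; (void)lim;
    return need;
}

typedef size_t (*grow_count_fn)(size_t ptr, size_t lim, size_t need);

/* Append S. After growing, the copy trusts the growth computation and has no
   bounds check of its own, as in the pattern the article describes. */
static void gstr_append(arena_t *a, gstr_t *g, const char *s, grow_count_fn policy)
{
    size_t need = strlen(s);
    size_t lim = g->size - 1;                  /* leave one byte for the NUL */
    if (g->ptr + need > lim)
        gstr_grow(a, g, g->ptr, policy(g->ptr, lim, need));
    /* Demo-only safety limit so the write stays inside the guard bytes. */
    assert(g->ptr + need + 1 <= g->size + REDZONE);
    memcpy(g->s + g->ptr, s, need);
    g->ptr += need;
    g->s[g->ptr] = '\0';
}

/* EHLO-shaped scenario: a 120-byte client name almost fills the initial
   129-byte block, then a 10-byte suffix forces a grow. Returns 1 if the guard
   bytes survived, 0 if the append overflowed the block. */
static int ehlo_scenario(grow_count_fn policy)
{
    static arena_t a;
    memset(&a, 0, sizeof a);
    gstr_t g = { arena_alloc(&a, 129), 129, 0 };
    char name[121];                            /* constructed long EHLO argument */
    memset(name, 'A', 120);
    name[120] = '\0';
    gstr_append(&a, &g, name, policy);
    gstr_append(&a, &g, " [1.2.3.4]", policy);
    return redzone_intact(&g);
}

int main(void)
{
    printf("fixed growth: guard bytes intact = %d\n", ehlo_scenario(grow_count_fixed));
    printf("buggy growth: guard bytes intact = %d\n", ehlo_scenario(grow_count_buggy));
    return 0;
}
```

With the buggy policy the shortfall is 10 - (128 - 120) = 2 bytes, which rounds to the same 129-byte block the string already had, and the 10-byte copy plus its NUL spills two bytes past the end. The fixed policy requests 10 bytes from offset 120 and gets a 257-byte block. The redzone here plays the role that AddressSanitizer's redzones play when fuzzing a parser like this: it turns a silent neighbour corruption into an observable failure.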
As of the time of writing, Exim has already released an update (version 4.92.3) that fixes CVE-2019-16928. Exim users should update to 4.92.3 or later; running `exim -bV` prints the installed version, so it is quick to confirm whether a host is still on 4.92, 4.92.1 or 4.92.2.
To strengthen overall security posture further, organizations can also look into security software such as the Trend Micro
This technology also includes the Trend Micro Deep Discovery Inspector, which protects customers from attacks that exploit CVE-2019-16928 via the following rule:
The post CVE-2019-16928: Exploiting an Exim Vulnerability via EHLO Strings appeared first on .