1、 Vulnerability overview
Exim, a mail transfer agent for Linux, has been found to contain a vulnerability (CVE-2018-6789). The vulnerability is a buffer overflow in the base64 decoding function. A Base64-encoded string normally has a length that is a multiple of 4, but transmission errors or malicious construction can produce a length that is not a multiple of 4, which results in a length calculation error. Through this vulnerability, an attacker can bypass the protection mechanism and execute arbitrary code in the context of the affected application. A failed attack attempt can still result in a denial of service.
In December last year, Exim was disclosed to have remote code execution (CVE-2017-16943) and denial of service (CVE-2017-16944) vulnerabilities. Malicious actors will use this application vulnerability to launch large-scale network attacks, such as spreading cryptocurrency-mining malware or ransomware. Affected enterprises are advised to upgrade to the latest version promptly.
The Green Alliance Technology Threat Intelligence Center (NTI) shows that global usage of Exim exceeds one million. This vulnerability affects all versions of Exim since its first release. Affected users are advised to upgrade immediately.
2、 Scope of impact
Affected versions
Exim version < 4.90.1
Unaffected version
Exim version = 4.90.1
3、 Cause of the vulnerability
A standard Base64-encoded string has a length that is an integer multiple of 4, and every 4 encoded characters correspond to 3 bytes of original data after decoding. If the encoded string length is len, the original data length is (len / 4) * 3.
As shown above, Exim allocates a buffer of (len / 4 * 3 + 1 + len % 4) bytes to store the decoded Base64 data. For well-formed Base64 data, len % 4 (the remainder of the length divided by 4) is always zero. However, if an invalid Base64 string of length 4N + 3 is supplied, Exim will allocate three more bytes during decoding, which leads to an overflow.
4、 Vulnerability detection
4.1 Manual inspection
Use the command "exim -bV" to view the installed version of Exim. If the installed version is in the affected list, the vulnerability is present.
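A scripted form of the manual check in 4.1, added here as an example and not part of the original advisory. The function names are hypothetical, and it assumes the banner line has the form "Exim version 4.90_1 #2 built ..." and that releases newer than 4.90.1 also carry the fix.

```shell
#!/bin/sh
# Added example: classify captured `exim -bV` output against the fixed
# release named in this advisory (4.90.1). Function names are hypothetical.
FIXED="4.90.1"

# Pull the version out of the banner line and normalise it.
# Assumption: the banner reads "Exim version 4.90_1 #2 built ...", with the
# patch level written after an underscore.
parse_exim_version() {
    printf '%s\n' "$1" |
        sed -n 's/^Exim version \([0-9][0-9._]*\).*/\1/p' |
        head -n 1 | tr '_' '.'
}

# Succeed (return 0) when $1 is older than $2; fields compared numerically.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 1; fi
    done
    return 1
}

# Print affected / unaffected / unknown for one `exim -bV` output.
# Assumption: releases newer than 4.90.1 also carry the fix.
classify_exim() {
    v=$(parse_exim_version "$1")
    if [ -z "$v" ]; then
        echo unknown
    elif version_lt "$v" "$FIXED"; then
        echo affected
    else
        echo unaffected
    fi
}

# Constructed sample banners; on a real host pass "$(exim -bV 2>/dev/null)".
for sample in \
    "Exim version 4.89 #1 built 01-Jan-2018 00:00:00" \
    "Exim version 4.90_1 #2 built 01-Mar-2018 00:00:00" \
    "exim: command not found"; do
    printf '%s -> %s\n' "$sample" "$(classify_exim "$sample")"
done
```

Distribution packages may carry a backported fix under an older upstream version number, so confirm an "affected" result against the package changelog before acting on it.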
5、 Protection plan
5.1 Version upgrade
ftp://mirror.easyname.at/exim-ftp/exim/exim4/
5.2 Compiling and installing from source
For more information, please refer to the following link:
After modifying the code, recompile. The latest version of the project source code can also be downloaded directly from the following link:
6、 Statement
7、 About Green Alliance Technology
Beijing Shenzhou Lvmeng Information Security Technology Co., Ltd. (referred to as Lvmeng Technology) was founded in April 2000 and is headquartered in Beijing. It has more than 30 branches at home and abroad, providing competitive security products and solutions to government, operator, finance, energy, Internet, education, medical and other industry users, to help customers keep their business running safely and smoothly.
Based on years of security research, Lvmeng Technology provides customers with intrusion detection / protection, anti-denial-of-service, remote security assessment, web security protection and other products, as well as professional security services, in the fields of network and terminal security, Internet basic security, and compliance and security management.
Beijing Shenzhou Lvmeng Information Security Technology Co., Ltd. has been listed and traded on the Growth Enterprise Market of the Shenzhen Stock Exchange since January 29, 2014. Stock abbreviation: Lvmeng Technology; stock code: 300369.