In late September, a researcher discovered a critical vulnerability in the Exim email server that allows attackers to perform a denial-of-service (DoS) attack and even achieve remote code execution, taking complete control of a vulnerable server.
The vulnerability affects Exim versions 4.92, 4.92.1 and 4.92.2. The maintenance team behind the Exim email server has released a patch for this critical vulnerability as an update.
The root cause is a heap-based buffer overflow in string_vformat, which allows an attacker to overwrite memory in the Exim mail server, potentially with a backdoor. Let’s see how a heap overflow works.
Local variables, including those created by a function, are stored in the region of memory called the stack while the program executes.
Dynamic variables, by contrast, are stored in another part of memory called the heap; heap memory is allocated and freed during runtime.
In the image referenced above, each local variable (var1, var2) points to its value in the heap, that is, it holds the memory address containing the value.
Now assume that an input string is longer than the memory dedicated to it: it overruns its buffer and overwrites the values in the subsequent memory blocks in the heap.
During this overwrite an attacker can implant an arbitrary string or backdoor command that then runs at runtime; this is what is called remote code execution.
Exploiting the vulnerability using EHLO strings
EHLO is a command used in the process of sending an email: the email client sends it to inform the email server that it will use the Extended Simple Mail Transfer Protocol (ESMTP).
The vulnerability resides in the function string_vformat() in string.c: because of a coding error, the string buffer was not grown by enough, which leads to a buffer overflow.
“The statement highlighted in red is the flaw in the code. If the difference between g->ptr (the current pointer in a string, or offset) and (lim – g->ptr) is unreasonably low and the size of the appended string is larger than the allocated memory, then it can lead to a heap overflow.”
According to the Trend Micro report, “It is through EHLO strings that a threat actor could exploit CVE-2019-16928 to perform malicious attacks, such as crashing the Exim process (resulting in DoS). Furthermore, a backdoor command used as an input for EHLO could lead to remote code execution.”
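As an added illustration (not Exim's code, nor the researcher's or Trend Micro's), here is a simplified heap-allocated string buffer in C with the same current-offset/limit bookkeeping the quoted analysis describes: the first function shows why a check that only asks whether some space remains admits a heap overflow once the appended string is longer than the room left, and the append routine shows the safe alternative of growing the buffer by enough to hold the whole string before copying. The struct, field names and doubling growth policy are assumptions for the example, not Exim's implementation.

```c
/* Added example, not Exim's code: a simplified growable string buffer with the
 * g->ptr / limit bookkeeping described above. It contrasts a remaining-space test
 * that asks only "is any room left?" (which admits an overflow) with an append
 * that grows the buffer until the whole appended string fits. */
#include <stdlib.h>
#include <string.h>

typedef struct {
    size_t size;   /* allocated capacity of s (the limit) */
    size_t ptr;    /* bytes currently in use (the current offset) */
    char  *s;      /* heap buffer */
} gstr;

gstr *gstr_new(size_t size) {
    gstr *g = malloc(sizeof *g);
    if (!g) return NULL;
    if (size == 0) size = 1;               /* always room for the terminator */
    g->size = size; g->ptr = 0; g->s = malloc(size);
    if (!g->s) { free(g); return NULL; }
    g->s[0] = '\0';
    return g;
}

/* The inadequate kind of check: it only asks whether any space remains, not
 * whether n bytes plus the terminator fit. Returns 1 when that test would let a
 * too-long append through, i.e. when a heap overflow would follow. Writes nothing. */
int naive_check_admits_overflow(const gstr *g, size_t n) {
    size_t remaining = g->size - g->ptr;
    int naive_ok = remaining > 0;          /* the flawed test */
    int really_fits = n + 1 <= remaining;  /* what must actually hold */
    return naive_ok && !really_fits;
}

/* Correct append: grow by enough, not by a fixed step, before copying. */
int gstr_append(gstr *g, const char *src, size_t n) {
    size_t needed = g->ptr + n + 1;        /* existing bytes + new bytes + NUL */
    if (needed > g->size) {
        size_t newsize = g->size;
        while (newsize < needed) newsize *= 2;
        char *p = realloc(g->s, newsize);
        if (!p) return -1;
        g->s = p; g->size = newsize;
    }
    memcpy(g->s + g->ptr, src, n);
    g->ptr += n;
    g->s[g->ptr] = '\0';
    return 0;
}

void gstr_free(gstr *g) { if (g) { free(g->s); free(g); } }
```

With a 16-byte buffer holding "EHLO " (5 bytes), the naive test still reports room for a 20-byte hostname while the correct append first grows the buffer to 32 bytes and only then copies.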