Exim – Math Comparison Functions Local Command Execution (R911-0164)

Type: Command Execution
Location: Local
Impact: High
Product: Exim
Website: http://www.exim.org
Vulnerable Version: 4.82
Fixed Version: 4.83
CVE: 2014-2972
R911: 0164
Date: 2014-07-25
By: RACK911

Product Description:

Exim is a message transfer agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. There is a great deal of flexibility in the way mail can be routed, and there are extensive facilities for checking incoming mail. Exim can be installed in place of Sendmail, although the configuration of Exim is quite different.

Vulnerability Description:

Exim contains a flaw in the expansion of arguments to math comparison functions, which can result in the values being expanded twice.

The end result is that an attacker can achieve local command execution if they are able to have Exim perform a look-up against files that they can edit. In some cases, such as Exim being bundled with cPanel, the local command execution can lead to a root compromise, because the Exim look-up is performed by the root user.

Impact:

We rate this vulnerability as HIGH because a local user can execute commands under certain circumstances.

Vulnerable Version:

This vulnerability was tested against Exim 4.82 and is believed to exist in all previous versions.

Fixed Version:

This vulnerability was patched in Exim 4.83.
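
A quick way to triage hosts against the versions above, as an added example that is not part of the original advisory: it classifies the first line of `exim -bV` output relative to 4.83. The function names are hypothetical, and the banner layout ("Exim version X.YY #N built ...") is assumed.

```shell
#!/bin/sh
# Added example (not from the advisory): classify an `exim -bV` banner against
# the fixed release named above (4.83). Function names are hypothetical.

# Print the version token from the first banner line,
# e.g. "Exim version 4.82 #2 built ..." -> "4.82".
exim_banner_version() {
    printf '%s\n' "$1" | sed -n '1s/^Exim version \([^ ]*\).*/\1/p'
}

# Print "affected" (older than 4.83), "fixed" (4.83 or later) or "unknown".
exim_r911_0164_status() {
    token=$(exim_banner_version "$1")
    case "$token" in
        [0-9]*.[0-9]*) ;;                    # need at least MAJOR.MINOR
        *) echo unknown; return 0 ;;
    esac
    case "$token" in
        4.83_*) echo unknown; return 0 ;;    # pre-release of 4.83: not covered by the advisory
    esac
    major=${token%%.*}
    rest=${token#*.}
    # Keep only the leading digits of the minor part ("82.1" -> "82").
    minor=$(printf '%s' "$rest" | sed 's/^\([0-9]*\).*/\1/')
    case "$major" in *[!0-9]*) echo unknown; return 0 ;; esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 83 ]; }; then
        echo affected
    else
        echo fixed
    fi
}

# Usage on a host: exim_r911_0164_status "$(exim -bV 2>/dev/null)"
```

Distribution packages may carry a backported fix under an older upstream version number, so treat "affected" as a prompt to check the package changelog rather than as a final answer.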

Vendor Contact Timeline:

2014-06-22: Vendor contacted via email.
2014-06-23: Vendor confirms vulnerability.
2014-07-22: Vendor issues update.
2014-07-25: RACK911 issues security advisory.