Exim is a message transfer agent (MTA) used on Unix-like operating systems. All versions of Exim up to and including 4.92.1 do not properly handle a trailing backslash character in the string_interpret_escape() function, which is used to process the peer DN and the SNI during a TLS negotiation. When the string being processed ends with a '\' character, the vulnerable string_interpret_escape() function treats the string-terminating null byte as the character to be escaped and so advances the string pointer to the byte after the end of the string. If the attacker-provided data is crafted in a certain way, this out-of-bounds pointer can be leveraged to cause a heap overflow. Exim installations configured to allow TLS connections, whether via the SMTP STARTTLS command or via TLS-on-connect, process attacker-provided data in the TLS SNI field. Exim installations that are configured to process client-provided certificates may also be exploitable via a crafted TLS peer DN.
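The following C program is an added illustration of the trailing-backslash flaw described above; it is not Exim's code and does not reproduce Exim's actual string_interpret_escape() implementation. It models the faulty pointer walk as an index simulation (so nothing is actually read out of bounds), shows the bounds check that prevents it, and includes a small predicate a defender could use to flag SNI or DN strings that end in an unescaped backslash. Function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Returns 1 if s ends with an unescaped backslash, i.e. the input shape that
 * triggers the flaw. An even run of trailing backslashes is a sequence of
 * escaped backslashes and is harmless. */
int has_trailing_backslash(const char *s)
{
    size_t n = strlen(s);
    size_t k = 0;
    while (k < n && s[n - 1 - k] == '\\')
        k++;
    return (k % 2) == 1;
}

/* Simulates the vulnerable walk without dereferencing anything past the
 * terminator. The caller loop reads s[i] until it sees NUL; on a backslash the
 * escape handler unconditionally steps to the next byte (the NUL, for a
 * trailing backslash) and the loop's own increment then steps past it.
 * Returns 1 if the simulated read index would exceed strlen(s). */
int vulnerable_walk_overruns(const char *s)
{
    size_t n = strlen(s);          /* index n holds the NUL terminator */
    size_t i = 0;
    for (;;) {
        if (i > n)
            return 1;              /* would read beyond the terminator */
        if (s[i] == '\0')
            return 0;              /* walk terminated normally */
        if (s[i] == '\\')
            i++;                   /* escape handler consumes the next byte, even if it is NUL */
        i++;                       /* loop increment */
    }
}

/* Hardened escape interpretation: copies s into out (capacity outlen),
 * translating \n, \t, \r and "\X" -> X. A backslash immediately followed by the
 * terminator ends processing instead of being consumed as an escape.
 * Returns the number of bytes written (excluding NUL), or -1 if out is too small. */
int interpret_escapes_safe(const char *s, char *out, size_t outlen)
{
    size_t o = 0;
    for (const char *p = s; *p; p++) {
        char c = *p;
        if (c == '\\') {
            p++;
            if (*p == '\0')
                break;             /* trailing backslash: stop at the terminator */
            switch (*p) {
            case 'n': c = '\n'; break;
            case 't': c = '\t'; break;
            case 'r': c = '\r'; break;
            default:  c = *p;   break;   /* literal next character */
            }
        }
        if (o + 1 >= outlen)
            return -1;
        out[o++] = c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience check: 1 if interpreting `in` with the hardened routine yields `expected`. */
int check_safe_result(const char *in, const char *expected)
{
    char buf[64];
    if (interpret_escapes_safe(in, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs: a benign string and one with a trailing backslash. */
    const char *samples[] = { "mail.example.test", "mail.example.test\\", "a\\\\" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-22s trailing_backslash=%d vulnerable_walk_overruns=%d\n",
               samples[i], has_trailing_backslash(samples[i]),
               vulnerable_walk_overruns(samples[i]));
    }
    return 0;
}
```

The simulation shows why the single `if (*p == '\0') break;` matters: once the escape handler steps onto the terminator, the enclosing loop's increment moves the read position past the end of the buffer, which is the out-of-bounds pointer the advisory describes.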