Vigil@nce - exim: file corruption
June 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
A local attacker can corrupt a victim’s file, by sending him an
email managed by exim.
Severity: 2/4
Creation date: 31/05/2010
DESCRIPTION OF THE VULNERABILITY
The exim program is a mail server. It is impacted by two
vulnerabilities.
When emails are stored in a public writable directory (usually
with the sticky bit), and if the victim does not already have a
mailbox, a local attacker can create a hard link between a
victim’s file and his mailbox. When exim will write in his
mailbox, data will be appended at the end of victim’s file.
[severity:2/4; BID-40451, CVE-2010-2023]
When a lock is enabled on mailboxes (MBX locking), a local
attacker can create a symbolic link in order to force exim to
create a file or to change permissions of a victim’s file.
[severity:2/4; BID-40454, CVE-2010-2024]
A local attacker can therefore corrupt a victim’s file, by sending
him an email managed by exim.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN