Analysis of CVE-2011-1764: A Case of Format String Vulnerability in Exim

CVE-2011-1764 is a format string vulnerability in Exim. Format string vulnerabilities arise when poorly written code passes untrusted data in the place of the format string, with the format specifier missing. A format string vulnerability in an application can lead to a denial of service attack, to reading attacks, i.e. the content of a memory location can be viewed, and to writing attacks, i.e. the content of a memory location can be overwritten.

As mentioned above, poorly written C programs can have missing format specifiers. For example, code may use printf(string1) (let's call it the first form) instead of printf("%s", string1) (let's call it the second form). Functionally, the first form appears to work. However, if the string string1 = "%08x.%08x.%08x.%08x" is passed to printf(string1), printf will print the contents of memory locations instead of the value of the string, which is what makes the format string vulnerability exploitable. Many references discuss in detail the DoS, reading and writing attacks that result from format string vulnerabilities; one of them is chapter 2.0, "Vulnerability Analysis of Mail Protocol", section 2.0 of the book "Vulnerability Analysis and Defense for the Internet".

Since Exim is one of the most commonly used mail servers, I decided to analyze the fixes for the format string vulnerability in the code in order to derive the condition for a NIS signature. The patches that remove the vulnerability from the code are available online. Analyzing the fixes, as shown in figure 1.0, it can be observed that the function log_write() has been updated to remove the format string vulnerability. The function log_write() takes DKIM data as its input. RFC 4781 provides the details of DKIM.

Figure 1.0: the fixes for the vulnerability

As shown in figure 1.0, the variable logmsg contains the arguments of DKIM. In the unpatched version of the code, the format specifier %s is missing from the call to log_write(). If the DKIM arguments contain any format specifier such as %d, %s or %n, this leads to exploitation through the format string vulnerability. For example, one exploitation scenario is a large number of "%d" in the DKIM argument: each "%d" is passed through to log_write() as a format directive, and the code may end up reading from an address that is not mapped, leading to a denial of service. In the patched version of the code, "%s" has been added to the log_write() call, so if the DKIM arguments contain any format specifiers, the patched version prints them literally instead of accessing memory, thus removing the format string vulnerability.

AlertLogic customers are protected against exploitation of this vulnerability.

Acknowledgement

I would like to express my gratitude and thanks to Johnathan for his feedback.
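The two shapes discussed above (the printf(string1) form versus the printf("%s", string1) form, and the same fix applied to log_write()) can be shown side by side in a small C program. This is an added example and not code from the Exim source or from the post; the function names format_log_line and count_format_directives, and the sample DKIM-style argument, are constructed for illustration. The second function is the kind of check a defender might use when deriving a signature condition: it counts the conversion directives present in an untrusted string, which a legitimate DKIM header value has no reason to contain.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: a DKIM-style argument carrying format directives of the
 * kind the post describes. Not taken from any real message or from Exim. */
#define SAMPLE_DKIM_ARG "d=example.com; s=sel; %08x.%08x.%08x.%08x %d%d%d%d %n"

/* Hardened shape: the untrusted text is passed as an ARGUMENT to a fixed "%s"
 * format, so its '%' characters are copied literally into the log line.
 * This mirrors the patched log_write() call that supplies "%s".
 * Returns the length snprintf reports. */
int format_log_line(char *dst, size_t dst_len, const char *logmsg)
{
    /* The unpatched shape would be snprintf(dst, dst_len, logmsg): the
     * untrusted string becomes the format, each %x/%d reads a caller
     * stack slot and %n writes one. It is deliberately not called here. */
    return snprintf(dst, dst_len, "DKIM: %s", logmsg);
}

/* Count printf-style conversion directives in an untrusted string.
 * "%%" is a literal percent sign and is not counted; a '%' followed by
 * flags/width/precision is counted only if a conversion letter follows.
 * Usable as a simple filter or as the condition for a log/IDS signature. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent, skip both */
            p++;
            continue;
        }
        const char *q = p + 1;
        /* skip flags, width, precision and length modifiers */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q))
            n++;
    }
    return n;
}

int main(void)
{
    char line[256];
    format_log_line(line, sizeof line, SAMPLE_DKIM_ARG);
    printf("%s\n", line);   /* the %08x/%d/%n sequences appear verbatim */
    printf("directives in argument: %d\n",
           count_format_directives(SAMPLE_DKIM_ARG));
    return 0;
}
```

Compiling with -Wformat-security (gcc/clang) flags the unpatched shape at build time, since the format is a non-literal with no arguments; that is the cheapest way to catch this class of defect before it reaches a log_write()-style call.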