[20901] in bugtraq
Re: lil' exim format bug
daemon@ATHENA.MIT.EDU (Peter Radcliffe)
Thu Jun 7 13:55:57 2001
Date: Wed, 6 Jun 2001 13:05:04 -0400
From: Peter Radcliffe <pir@pir.net>
To: bugtraq@securityfocus.com
Message-ID: <20010606130504.D19944@pir.net>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20010606140325.A32304@visible>; from lez@sch.bme.hu on Wed, Jun 06, 2001 at 02:03:25PM +0200

Some side bits of information.

Megyer Laszlo <lez@sch.bme.hu> probably said:
> accept.c, line 2506:
> else if (smtp_reply != NULL) moan_smtp_batch(NULL, smtp_reply);
>
> while moan_smtp_batch is like this:
> moan_smtp_batch(char *cmd_buffer, char *format, ...)
>
> So when smtp_reply contains format strings, it gets transformed by
> moan_smtp_batch().

<sarcasm>
Why, thank you for letting Philip Hazel (who is on holiday right now)
get a patched version out before announcing this to bugtraq.
</sarcasm>

> /etc/exim.conf should have an option set:
This is not the default name or location for the exim config file.

> lez:~$ /usr/sbin/exim -bS
This is not the default location for exim.

> get root out of this bug.
and no one with sense runs an MTA as root, and the exim security
information strongly suggests you do not. On my relays the MTA runs as
root only once at boot time to bind to port 25 and is not suid root.

Yes, this looks like a real problem but it should also serve as a good
time to check that as little as possible runs as root.

P.
--
pir pir@pir.net pir@net.tufts.edu
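
Added example, not part of the original message and not exim's code: the call pattern quoted above, next to the usual hardening of passing the untrusted text as an argument to a constant "%s" format. demo_moan, reply_as_format, reply_as_data and has_format_directive are hypothetical names; the sample reply is constructed and uses only "%%", so the first path stays defined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in shaped like the quoted prototype
   moan_smtp_batch(char *cmd_buffer, char *format, ...); formats into out. */
static int demo_moan(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* Pattern from the quoted line: the reply text itself is the format string. */
static int reply_as_format(char *out, size_t outlen, const char *smtp_reply)
{
    return demo_moan(out, outlen, smtp_reply);
}

/* Hardened form: constant format, the reply is only ever an argument. */
static int reply_as_data(char *out, size_t outlen, const char *smtp_reply)
{
    return demo_moan(out, outlen, "%s", smtp_reply);
}

/* Audit helper: would a printf-style formatter interpret anything in s? */
static int has_format_directive(const char *s)
{
    return strchr(s, '%') != NULL;
}

int main(void)
{
    const char *reply = "550 quota 100%% full";   /* constructed sample */
    char a[64], b[64];

    reply_as_format(a, sizeof a, reply);   /* "%%" is rewritten to "%" */
    reply_as_data(b, sizeof b, reply);     /* text is copied unchanged */
    printf("directive present: %d\n", has_format_directive(reply));
    printf("as format: %s\nas data:   %s\n", a, b);
    return 0;
}
```

Declaring such a function with GCC/Clang's __attribute__((format(printf, N, M))) and building with -Wformat-security makes the compiler flag the first call pattern.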