ID CVE-2005-0022
Summary Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication.
References
Vulnerable Configurations
  • cpe:2.3:a:university_of_cambridge:exim:4.40
  • cpe:2.3:a:university_of_cambridge:exim:4.41
  • cpe:2.3:a:university_of_cambridge:exim:4.42
CVSS
Base: 4.6 (as of 13-05-2005 - 14:57)
Impact:
Exploitability:
Access
  Vector: LOCAL
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: PARTIAL
  Integrity: PARTIAL
  Availability: PARTIAL
nessus via4
  • NASL family SMTP problems
    NASL id EXIM_SPA_IPV6_OVERFLOW.NASL
    description The remote host is running Exim, a message transfer agent (SMTP). It is reported that Exim is prone to an IPv6 Address and an SPA authentication buffer overflow. An attacker, exploiting this issue, may be able to execute arbitrary code on the remote host. Exim must be configured with SPA Authentication or with IPv6 support to exploit those flaws. In addition, Exim is vulnerable to two local overflows in command line option handling. However, Nessus has not tested for these.
    last seen 2019-02-21
    modified 2018-07-10
    plugin id 16111
    published 2005-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16111
    title Exim < 4.44 Multiple Overflows
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-001.NASL
    description This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively. 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 16113
    published 2005-01-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16113
    title Fedora Core 2 : exim-4.43-1.FC2.1 (2005-001)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-025.NASL
    description Updated exim packages that resolve security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having moderate security impact by the Red Hat Security Response Team. Exim is a mail transport agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. A buffer overflow was discovered in the spa_base64_to_bits function in Exim, as originally obtained from Samba code. If SPA authentication is enabled, a remote attacker may be able to exploit this vulnerability to execute arbitrary code as the 'exim' user. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0022 to this issue. Please note that SPA authentication is not enabled by default in Red Hat Enterprise Linux 4. Buffer overflow flaws were discovered in the host_aton and dns_build_reverse functions in Exim. A local user can trigger these flaws by executing exim with carefully crafted command line arguments and may be able to gain the privileges of the 'exim' account. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2005-0021 to this issue. Users of Exim are advised to update to these erratum packages which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 17165
    published 2005-02-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=17165
    title RHEL 4 : exim (RHSA-2005:025)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-56-1.NASL
    description A flaw has been found in the host_aton() function, which can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. When supplying certain command line parameters, the input was not checked, so that a local attacker could possibly exploit the buffer overflow to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0021) Additionally, the BASE64 decoder in the SPA authentication handler did not check the size of its output buffer. By sending an invalid BASE64 authentication string, a remote attacker could overflow the buffer, which could possibly be exploited to run arbitrary code with the privileges of the Exim mail server. (CAN-2005-0022). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20674
    published 2006-01-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20674
    title Ubuntu 4.10 : exim4 vulnerabilities (USN-56-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_CA9CE8795EBB11D9A01C0050569F0001.NASL
    description 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication.
    last seen 2019-02-21
    modified 2018-11-23
    plugin id 19118
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19118
    title FreeBSD : exim -- two buffer overflow vulnerabilities (ca9ce879-5ebb-11d9-a01c-0050569f0001)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2005-002.NASL
    description This erratum fixes two relatively minor security issues which were discovered in Exim in the last few weeks. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-0021 and CVE-2005-0022 to these, respectively. 1. The function host_aton() can overflow a buffer if it is presented with an illegal IPv6 address that has more than 8 components. 2. The second report described a buffer overflow in the function spa_base64_to_bits(), which is part of the code for SPA authentication. This code originated in the Samba project. The overflow can be exploited only if you are using SPA authentication. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 62248
    published 2012-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=62248
    title Fedora Core 3 : exim-4.43-1.FC3.1 (2005-002)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200501-23.NASL
    description The remote host is affected by the vulnerability described in GLSA-200501-23 (Exim: Two buffer overflows) Buffer overflows have been found in the host_aton() function (CAN-2005-0021) as well as in the spa_base64_to_bits() function (CAN-2005-0022), which is part of the SPA authentication code. Impact : A local attacker could trigger the buffer overflow in host_aton() by supplying an illegal IPv6 address with more than 8 components, using a command line option. The second vulnerability could be remotely exploited during SPA authentication, if it is enabled on the server. Both buffer overflows can potentially lead to the execution of arbitrary code. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 16414
    published 2005-02-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=16414
    title GLSA-200501-23 : Exim: Two buffer overflows
oval via4
accepted 2013-04-29T04:12:58.382-04:00
class vulnerability
contributors
  • name Aharon Chernin
    organization SCAP.com, LLC
  • name Dragos Prisaca
    organization G2, Inc.
definition_extensions
  • comment The operating system installed on the system is Red Hat Enterprise Linux 4
    oval oval:org.mitre.oval:def:11831
  • comment CentOS Linux 4.x
    oval oval:org.mitre.oval:def:16636
  • comment Oracle Linux 4.x
    oval oval:org.mitre.oval:def:15990
description Buffer overflow in the spa_base64_to_bits function in Exim before 4.43, as originally obtained from Samba code, and as called by the auth_spa_client function, may allow attackers to execute arbitrary code during SPA authentication.
family unix
id oval:org.mitre.oval:def:11293
status accepted
submitted 2010-07-09T03:56:16-04:00
title Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via regex patterns containing unmatched "\Q\E" sequences with orphan "\E" codes.
version 24
redhat via4
advisories
rhsa
id RHSA-2005:025
refmap via4
bid 12188
bugtraq 20050212 exim auth_spa_server() PoC exploit
confirm http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44
gentoo GLSA-200501-23
idefense 20050107 Exim auth_spa_server() Buffer Overflow Vulnerability
mlist [exim] 20050104 2 smallish security issues
Last major update 17-10-2016 - 23:07
Published 02-05-2005 - 00:00
Last modified 10-10-2017 - 21:29