May 14, 2021 Adepts of 0xCC
Link: https://adepts.of0x.cc/exim-cve-2020-28018/
Introduction
Qualys recently released an advisory named “21Nails” covering 21 vulnerabilities discovered in Exim, some of which lead to local privilege escalation (LPE) and remote code execution (RCE).
This post analyzes one of those vulnerabilities, CVE-2020-28018.
The vulnerability is a Use-After-Free (UAF) in tls-openssl.c that leads to Remote Code Execution.
This vulnerability is really powerful, as it allows an attacker to craft the primitives needed to bypass memory protections like PIE or ASLR.
The primitives that this vulnerability can achieve are the following:
- Info Leak: Leak heap pointers to bypass ASLR
- Arbitrary read: Read an arbitrary number of bytes from an arbitrary location
- Write-what-where: Write arbitrary data to arbitrary locations
As you can see, those primitives are just what a remote attacker needs to bypass security protections.
For this vulnerability to be triggered and exploited, some requirements need to be met:
- TLS is enabled
- Exim is built against OpenSSL instead of GnuTLS (the default, unfortunately)
- The running Exim is one of the vulnerable versions
- X_PIPE_CONNECT should be disabled
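A defender's way to check the build-level preconditions above on a host is to parse the output of `exim -bV`. The following is an added example, not code from the original post: it parses a constructed sample of that output, detects the TLS library and whether PIPE_CONNECT support was compiled in, and compares the version against a fixed version supplied by the caller (the feature-token name and the fixed version are assumptions to be confirmed against the vendor advisory).

```python
import re

# Constructed sample of `exim -bV` output (not captured from a real host);
# the line layout mirrors what Exim prints, the values are made up.
SAMPLE_BV = """\
Exim version 4.93 #1 built 01-Jan-2020 10:00:00
Copyright (c) University of Cambridge, 1995 - 2018
Support for: crypteq iconv() IPv6 OpenSSL DKIM DNSSEC Event OCSP PRDR TCP_Fast_Open
Authenticators: cram_md5 plaintext
Configuration file is /etc/exim/exim.conf
"""

VERSION_RE = re.compile(r"^Exim version (\d+(?:\.\d+)*)", re.M)
SUPPORT_RE = re.compile(r"^Support for:(.*)$", re.M)


def version_tuple(v):
    """'4.94.2' -> (4, 94, 2); a shorter string sorts below its longer prefix."""
    return tuple(int(x) for x in v.split("."))


def assess_exim_build(bv_output, fixed_version):
    """Return which CVE-2020-28018 build-level preconditions this Exim meets.

    fixed_version is the first non-vulnerable release and must be supplied by
    the caller (assumption: taken from the vendor advisory, not hard-coded here).
    """
    m = VERSION_RE.search(bv_output)
    s = SUPPORT_RE.search(bv_output)
    if not m or not s:
        raise ValueError("not recognisable `exim -bV` output")
    version = m.group(1)
    features = s.group(1).split()
    if "OpenSSL" in features:
        tls_lib = "OpenSSL"
    elif "GnuTLS" in features:
        tls_lib = "GnuTLS"
    else:
        tls_lib = None  # built without TLS support at all
    # Assumption: a build with PIPE_CONNECT compiled in advertises a token
    # containing PIPE_CONNECT (e.g. Experimental_PIPE_CONNECT) on this line.
    pipe_connect = any("PIPE_CONNECT" in f.upper() for f in features)
    outdated = version_tuple(version) < version_tuple(fixed_version)
    return {
        "version": version,
        "tls_library": tls_lib,
        "pipe_connect_built_in": pipe_connect,
        "older_than_fix": outdated,
        # Every build-level precondition listed above is satisfied.
        "matches_preconditions": outdated and tls_lib == "OpenSSL" and not pipe_connect,
    }
```

Note that `-bV` only shows build-time support: whether TLS is actually advertised at runtime (tls_advertise_hosts) must be checked in the running configuration.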
To understand why this vulnerability exists and how to exploit it, we first need to understand the behaviour of the Exim pool allocator and the growable strings Exim uses.