The Vulnerability and Its Mechanism
A critical security flaw has been discovered in Exim, an open-source mail transfer agent widely used on Unix-like systems. The vulnerability, named Dead.Letter, affects Exim versions 4.97 through 4.99.2 compiled with GnuTLS support. It is a use-after-free bug triggered during BDAT message-body handling. When a client sends a TLS close_notify alert before completing a BDAT body transfer and then follows with a final byte in cleartext on the same TCP connection, Exim can write into a freed memory buffer. This leads to heap corruption, which an attacker can potentially exploit for code execution. The attack requires only the ability to establish a TLS connection and use the CHUNKING SMTP extension.
Impact and Mitigation
The flaw was reported by security researcher Federico Kirschbaum of XBOW, an autonomous cybersecurity testing platform. Only Exim builds using GnuTLS are affected; builds relying on OpenSSL or other TLS libraries are not vulnerable. The vulnerability does not require any special server configuration, which makes it relatively easy to trigger. Exim has released version 4.99.3, which addresses the issue. Users are strongly advised to upgrade to the patched version immediately to prevent potential exploitation.
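Because exposure depends on both the version range and the TLS library the binary was built against, a quick way to triage a host is to read those two facts from the output of exim -bV. The following is an added example, not code from Exim or from the article; it assumes that exim -bV prints an "Exim version X.Y.Z" line and a "Support for:" line whose tokens include GnuTLS or OpenSSL, and the sample outputs are constructed.

```python
import re
import subprocess

# Affected range from the advisory: 4.97 through 4.99.2 inclusive; fixed in 4.99.3.
AFFECTED_MIN = (4, 97, 0)
FIXED_IN = (4, 99, 3)

def parse_version(bv_output):
    """Return the Exim version from 'exim -bV' output as a (major, minor, patch) tuple."""
    m = re.search(r"^Exim version (\d+)\.(\d+)(?:\.(\d+))?", bv_output, re.M)
    if not m:
        raise ValueError("no 'Exim version' line found in output")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))

def built_with_gnutls(bv_output):
    """True if the 'Support for:' line lists GnuTLS (assumed token name)."""
    m = re.search(r"^Support for:(.*)$", bv_output, re.M)
    return bool(m) and "GnuTLS" in m.group(1).split()

def assess(bv_output):
    """Classify a build: only GnuTLS builds inside the affected range are exposed."""
    ver = parse_version(bv_output)
    in_range = AFFECTED_MIN <= ver < FIXED_IN
    if not in_range:
        return "not affected: version outside 4.97-4.99.2"
    if not built_with_gnutls(bv_output):
        return "not affected: not a GnuTLS build"
    return "vulnerable: upgrade to 4.99.3"

# Constructed sample outputs in the shape of 'exim -bV' (not captured from a real host).
SAMPLE_GNUTLS = (
    "Exim version 4.98.1 #2 built 01-Jan-2025 00:00:00\n"
    "Support for: crypteq iconv() IPv6 GnuTLS DKIM DNSSEC\n"
)
SAMPLE_OPENSSL = SAMPLE_GNUTLS.replace("GnuTLS", "OpenSSL")
SAMPLE_FIXED = SAMPLE_GNUTLS.replace("4.98.1", "4.99.3")

if __name__ == "__main__":
    try:
        output = subprocess.run(["exim", "-bV"], capture_output=True, text=True).stdout
    except FileNotFoundError:
        output = SAMPLE_GNUTLS  # exim not installed here; fall back to the constructed sample
    print(assess(output))
```

Run it on each mail host; any "vulnerable" result means the build is both in range and linked against GnuTLS and should be upgraded to 4.99.3.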
Technical Details
The bug arises because Exim frees its TLS transfer buffer during TLS shutdown. However, a nested BDAT receive wrapper can still process incoming bytes and call ungetc(), which writes a single newline character into the freed region. That one-byte write lands on Exim's allocator metadata, corrupting the internal structure of the memory allocator. An attacker can then leverage that corruption to gain further exploitation primitives, potentially leading to arbitrary code execution.
Source: The Hacker News
