Script smtp-vuln-cve2010-4344
Script types:
portrule
Categories:
exploit, intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/smtp-vuln-cve2010-4344.nse
Script Summary
Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345).
The heap overflow vulnerability allows remote attackers to execute arbitrary code with the privileges of the Exim daemon (CVE-2010-4344). If the exploit fails then the Exim smtpd child will be killed (heap corruption).
The script also checks for a privilege escalation vulnerability that affects Exim version 4.72 and prior. The vulnerability allows the exim user to gain root privileges by specifying an alternate configuration file using the -C option (CVE-2010-4345).
The smtp-vuln-cve2010-4344.exploit script argument will make the script try to exploit the vulnerabilities by sending more than 50MB of data; the exact amount depends on the message size limit configuration option of the Exim server. If the exploit succeeds, the exploit.cmd or smtp-vuln-cve2010-4344.cmd script arguments can be used to run an arbitrary command on the remote system under the Exim user's privileges. If either of these script arguments is set, it will enable the smtp-vuln-cve2010-4344.exploit argument.
To get the appropriate debug messages for this script, please use -d2.
Some of the logic of this script is based on the metasploit exim4_string_format exploit.
Reference:
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4344
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-4345
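As an added example, not part of the NSE script or the Nmap documentation: a banner-based version check in Python that applies the two thresholds stated in the summary above (before 4.69 for CVE-2010-4344, 4.72 and prior for CVE-2010-4345) to the SMTP greeting, which is the non-intrusive part of what the script does. It assumes the Exim greeting advertises its version; the sample banners and hostnames are constructed.

```python
import re
from typing import Optional, Tuple

# Thresholds from the script summary: CVE-2010-4344 affects versions before
# 4.69; CVE-2010-4345 affects 4.72 and prior.
HEAP_OVERFLOW_FIXED_IN = (4, 69)
PRIVESC_LAST_AFFECTED = (4, 72)

# Exim advertises its version in the 220 greeting, e.g. "ESMTP Exim 4.72 <date>".
_EXIM_VERSION_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)

# Constructed sample greetings (hostnames are placeholders, not real hosts).
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.63 Mon, 03 Jan 2011 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.72 Mon, 03 Jan 2011 10:00:00 +0000",
    "220 mx3.example.test ESMTP Exim 4.76 Mon, 03 Jan 2011 10:00:00 +0000",
    "220 mx4.example.test ESMTP Postfix",
]

def parse_exim_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) from an Exim greeting, or None if absent."""
    m = _EXIM_VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0)

def assess_exim(banner: str) -> dict:
    """Flag which of the two CVEs the advertised version falls inside.

    None means the banner gives no Exim version, so nothing can be concluded
    from it (non-Exim server, or the version string is suppressed).
    """
    version = parse_exim_version(banner)
    if version is None:
        return {"version": None, "CVE-2010-4344": None, "CVE-2010-4345": None}
    major_minor = version[:2]  # patch level does not move either threshold
    return {
        "version": version,
        "CVE-2010-4344": major_minor < HEAP_OVERFLOW_FIXED_IN,
        "CVE-2010-4345": major_minor <= PRIVESC_LAST_AFFECTED,
    }

def assess_all(banners=SAMPLE_BANNERS) -> list:
    """Assess a list of captured greetings, one verdict per banner."""
    return [assess_exim(b) for b in banners]

if __name__ == "__main__":
    for banner, verdict in zip(SAMPLE_BANNERS, assess_all()):
        print(banner.split()[1], verdict)
```

The version string is an indicator only: distributions backport fixes without bumping the upstream version, so confirm a hit against the installed package's changelog rather than the banner alone.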
Script Arguments
- exploit.cmd or smtp-vuln-cve2010-4344.cmd
An arbitrary command to run under the Exim user privileges on the remote system. If this argument is set, it will enable the smtp-vuln-cve2010-4344.exploit argument.
- smtp-vuln-cve2010-4344.mailto
Define the destination email address to be used.
- smtp-vuln-cve2010-4344.mailfrom
Define the source email address to be used.
- smtp-vuln-cve2010-4344.exploit
The script will force the checks, and will try to exploit the Exim SMTP server.
- smtp.domain
See the documentation for the smtp library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
Example Usage
nmap --script=smtp-vuln-cve2010-4344 --script-args="smtp-vuln-cve2010-4344.exploit" -pT:25,465,587 <host>
nmap --script=smtp-vuln-cve2010-4344 --script-args="exploit.cmd='uname -a'" -pT:25,465,587 <host>
Script Output
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2010-4344:
|   Exim heap overflow vulnerability (CVE-2010-4344):
|     Exim (CVE-2010-4344): VULNERABLE
|       Shell command 'uname -a': Linux qemu-ubuntu-x32 2.6.38-8-generic #42-Ubuntu SMP Fri Jan 21 17:40:48 UTC 2011 i686 GNU/Linux
|   Exim privileges escalation vulnerability (CVE-2010-4345):
|     Exim (CVE-2010-4345): VULNERABLE
|       Before 'id': uid=121(Debian-exim) gid=128(Debian-exim) groups=128(Debian-exim),45(sasl)
|_      After 'id': uid=0(root) gid=128(Debian-exim) groups=0(root)
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html