Script smtp-vuln-cve2011-1764
Script types:
portrule
Categories:
intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/smtp-vuln-cve2011-1764.nse
Script Summary
Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism did not use format string specifiers when logging some parts of the DKIM-Signature header field. A remote attacker who is able to send emails can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.
Reference:
- http://bugs.exim.org/show_bug.cgi?id=1106
- http://thread.gmane.org/gmane.mail.exim.devel/4946
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2011-1764
- http://en.wikipedia.org/wiki/DomainKeys_Identified_Mail
Script Arguments
- smtp-vuln-cve2011-1764.mailto
Define the destination email address to be used.
- smtp-vuln-cve2011-1764.mailfrom
Define the source email address to be used.
- smtp.domain
See the documentation for the smtp library.
- smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername
See the documentation for the smbauth library.
- vulns.short, vulns.showall
See the documentation for the vulns library.
Example Usage
nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>
Script Output
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2011-1764:
|   VULNERABLE:
|   Exim DKIM format string
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-1764  BID:47736
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|     Description:
|       Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified
|       Mail (DKIM) support is vulnerable to a format string. A remote attacker
|       who is able to send emails, can exploit this vulnerability and execute
|       arbitrary code with the privileges of the Exim daemon.
|     Disclosure date: 2011-04-29
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764
|       https://www.securityfocus.com/bid/47736
|_      http://bugs.exim.org/show_bug.cgi?id=1106
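Before running an intrusive check like this one, a defender usually wants a passive triage of which mail servers even fall in the affected version window. The following is an added example, not part of the NSE script or of Nmap: it parses the Exim version out of SMTP greeting banners and flags the 4.70 through 4.75 range named above. The banners are constructed samples, and banner version alone is only a hint (DKIM support must be compiled in, and banners can be altered), so the script above remains the confirming check.

```python
import re

# Version window the page names as affected by CVE-2011-1764: Exim 4.70 through 4.75.
AFFECTED_MIN = (4, 70)
AFFECTED_MAX = (4, 75)

# Exim greets with e.g. "220 host ESMTP Exim 4.72 <date>"; capture major and minor.
BANNER_RE = re.compile(r"\bExim\s+(\d+)\.(\d+)", re.IGNORECASE)


def parse_exim_version(banner):
    """Return (major, minor) parsed from an SMTP greeting, or None if it is not an Exim banner."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    # Compare numerically, not as strings, so 4.70 <= 4.72 <= 4.75 works as expected.
    return (int(m.group(1)), int(m.group(2)))


def is_affected_version(version):
    """True when the version lies inside the 4.70..4.75 window (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def triage_banner(banner):
    """Classify one banner as 'not-exim', 'affected' or 'not-affected'."""
    version = parse_exim_version(banner)
    if version is None:
        return "not-exim"
    return "affected" if is_affected_version(version) else "not-affected"


# Constructed sample banners (hypothetical hosts, not real systems).
SAMPLE_BANNERS = [
    "220 mx1.example.test ESMTP Exim 4.72 Mon, 02 May 2011 10:00:00 +0000",
    "220 mx2.example.test ESMTP Exim 4.76 Tue, 03 May 2011 10:00:00 +0000",
    "220 mx3.example.test ESMTP Exim 4.69 #1",
    "220 mx4.example.test ESMTP Postfix",
]

if __name__ == "__main__":
    for banner in SAMPLE_BANNERS:
        print(f"{triage_banner(banner):13s} <- {banner}")
```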
Requires
Author:
License: Same as Nmap--See https://nmap.org/book/man-legal.html