Script smtp-vuln-cve2011-1764

Script types: portrule
Categories: intrusive, vuln
Download: https://svn.nmap.org/nmap/scripts/smtp-vuln-cve2011-1764.nse

Script Summary

Checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). The DKIM logging mechanism logged some parts of the DKIM-Signature header field without using a format string specifier, so attacker-supplied header content was interpreted as the format string. A remote attacker who is able to send emails can exploit this vulnerability and execute arbitrary code with the privileges of the Exim daemon.

Reference:

Script Arguments

smtp-vuln-cve2011-1764.mailto

Define the destination email address to be used.

smtp-vuln-cve2011-1764.mailfrom

Define the source email address to be used.

smtp.domain

See the documentation for the smtp library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

vulns.short, vulns.showall

See the documentation for the vulns library.

Example Usage

nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host>

Script Output

PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2011-1764:
|   VULNERABLE:
|   Exim DKIM format string
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-1764  BID:47736
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|     Description:
|       Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified
|       Mail (DKIM) support is vulnerable to a format string. A remote attacker
|       who is able to send emails, can exploit this vulnerability and execute
|       arbitrary code with the privileges of the Exim daemon.
|     Disclosure date: 2011-04-29
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764
|       https://www.securityfocus.com/bid/47736
|_      http://bugs.exim.org/show_bug.cgi?id=1106
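The block above is the normal-format output of the NSE vulns library, which this script (like other vuln scripts) uses to report its result. When many hosts are scanned, the findings are usually triaged by a script rather than by eye. The following Python parser is an added example, not part of the Nmap documentation or the script itself: it turns the vulns-library output into structured records (state, CVE/BID identifiers, CVSS score and vector, disclosure date, references) and filters for findings the script positively confirmed. The sample input is the Script Output block above copied verbatim; the `VulnFinding` and `confirmed_vulnerable` names are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the Script Output block shown on the page, copied verbatim.
SAMPLE_OUTPUT = """\
PORT   STATE SERVICE
25/tcp open  smtp
| smtp-vuln-cve2011-1764:
|   VULNERABLE:
|   Exim DKIM format string
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-1764  BID:47736
|     Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
|     Description:
|       Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified
|       Mail (DKIM) support is vulnerable to a format string. A remote attacker
|       who is able to send emails, can exploit this vulnerability and execute
|       arbitrary code with the privileges of the Exim daemon.
|     Disclosure date: 2011-04-29
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1764
|       https://www.securityfocus.com/bid/47736
|_      http://bugs.exim.org/show_bug.cgi?id=1106
"""

PORT_RE = re.compile(r"^(\d+/(?:tcp|udp))\s+\S+")
# "Risk factor: High  CVSSv2: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)"
RISK_RE = re.compile(
    r"Risk factor:\s*(\S+)"
    r"(?:\s+CVSSv2:\s*([\d.]+)\s*\((\w+)\)\s*\(([^)]+)\))?"
)


@dataclass
class VulnFinding:
    """One finding reported by the NSE vulns library (example's own type)."""
    port: str
    script: str
    title: str
    state: str = ""
    ids: dict = field(default_factory=dict)   # e.g. {"CVE": ["CVE-2011-1764"], "BID": ["47736"]}
    risk: Optional[str] = None
    cvss: Optional[float] = None
    vector: Optional[str] = None
    disclosure: Optional[str] = None
    description: str = ""
    references: list = field(default_factory=list)


def parse_nmap_vulns(text: str) -> list:
    """Parse nmap normal output produced by the vulns library into VulnFinding records."""
    findings, port, script, current, section = [], None, None, None, None
    for raw in text.splitlines():
        m = PORT_RE.match(raw)
        if m:                       # "25/tcp open  smtp" starts a new port
            port = m.group(1)
            continue
        if not raw.startswith("|"):
            continue
        # "| " and "|_" (marker of the last script line) are both two-char prefixes,
        # so dropping them keeps the indentation levels consistent.
        body = raw[2:]
        indent = len(body) - len(body.lstrip(" "))
        line = body.strip()
        if not line:
            continue
        if indent == 0:             # "<script-name>:"
            script = line.rstrip(":")
        elif indent == 2:           # "VULNERABLE:" group header or a finding title
            if line.endswith(":"):
                continue
            current = VulnFinding(port=port, script=script, title=line)
            findings.append(current)
            section = None
        elif indent == 4 and current is not None:   # "Key: value" fields
            key, _, value = line.partition(":")
            value = value.strip()
            section = key           # remembered for multi-line sections below
            if key == "State":
                current.state = value
            elif key == "IDs":      # tokens look like "CVE:CVE-2011-1764"
                for tok in value.split():
                    kind, _, ident = tok.partition(":")
                    current.ids.setdefault(kind, []).append(ident)
            elif key == "Risk factor":
                r = RISK_RE.match(line)
                if r:
                    current.risk = r.group(1)
                    current.cvss = float(r.group(2)) if r.group(2) else None
                    current.vector = r.group(4)
            elif key == "Disclosure date":
                current.disclosure = value
        elif indent >= 6 and current is not None:   # continuation of Description/References
            if section == "Description":
                current.description = (current.description + " " + line).strip()
            elif section == "References":
                current.references.append(line)
    return findings


def confirmed_vulnerable(findings) -> list:
    """Findings whose state is VULNERABLE (any variant), highest CVSS first;
    LIKELY VULNERABLE and NOT VULNERABLE results are left out."""
    hits = [f for f in findings if f.state.upper().startswith("VULNERABLE")]
    return sorted(hits, key=lambda f: f.cvss or 0.0, reverse=True)


if __name__ == "__main__":
    for f in confirmed_vulnerable(parse_nmap_vulns(SAMPLE_OUTPUT)):
        print(f"{f.port} {f.script}: {f.title} [{f.state}] CVSS={f.cvss} ids={f.ids}")
```

Feed it the normal output of a scan (`nmap --script=smtp-vuln-cve2011-1764 -pT:25,465,587 <host> -oN scan.txt`) and the `ids` dictionary gives you the CVE and BID numbers to match against patch records, while `confirmed_vulnerable` separates hosts that need an Exim upgrade from those the script only flagged as likely or not vulnerable.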

Requires


Author:

  • Djalal Harouni

License: Same as Nmap--See https://nmap.org/book/man-legal.html