Vigil@nce - Exim: code execution via Double Expansion
August 2014 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
A local attacker can edit a configuration file he has access to,
in order to execute code with Exim privileges.
Impacted products: Fedora, Unix (platform)
Severity: 2/4
Creation date: 22/07/2014
DESCRIPTION OF THE VULNERABILITY
Exim configuration files use variables which are expanded.
However, variables linked to mathematical operations are expanded
twice, and dangerous commands are not forbidden on the second pass.
A local attacker can therefore edit a configuration file he has
access to, in order to execute code with Exim privileges.
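The double-expansion pattern described above, as an added example that is not part of the original bulletin and is not Exim code. It is a toy expander: the "${danger{...}}" item, the function names and the sample value are assumptions made for illustration, and the "fixed" variant is one way to close the gap in this toy, not Exim's actual patch.

```python
import re

# Toy expander, NOT Exim's: "$name" inserts a variable's value verbatim, and
# "${danger{...}}" stands in for any item that must never be driven by data.
VAR = re.compile(r"\$([a-z_][a-z0-9_]*)")
DANGER = re.compile(r"\$\{danger\{([^{}]*)\}\}")


def expand(text, variables, side_effects):
    """One pass: dangerous items in the template fire, then variables are inserted."""
    def fire(match):
        side_effects.append(match.group(1))  # recorded only, never executed
        return "0"
    text = DANGER.sub(fire, text)
    return VAR.sub(lambda m: variables.get(m.group(1), ""), text)


def greater_than_vulnerable(operand, limit, variables, side_effects):
    once = expand(operand, variables, side_effects)
    twice = expand(once, variables, side_effects)  # data is re-read as a template
    return int(twice) > limit


def greater_than_fixed(operand, limit, variables, side_effects):
    once = expand(operand, variables, side_effects)
    if not re.fullmatch(r"-?\d+", once):  # single pass, strict integer parse
        raise ValueError("non-numeric operand after expansion: %r" % once)
    return int(once) > limit


def demo():
    variables = {"count": "${danger{constructed-marker}}"}  # constructed sample value
    fired_vuln, fired_fixed = [], []
    greater_than_vulnerable("$count", 10, variables, fired_vuln)
    try:
        greater_than_fixed("$count", 10, variables, fired_fixed)
        rejected = False
    except ValueError:
        rejected = True
    return fired_vuln, fired_fixed, rejected


if __name__ == "__main__":
    print(demo())
```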
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Exim-code-execution-via-Double-Expansion-15086