In the Exim mail server
In the default configuration, the attack can be carried out without unnecessary complications by a local user, since the "verify = recipient" ACL is applied, which performs additional checks for external addresses. A remote attack can occur when settings are changed (for example, acting as a secondary MX for another domain, removing the "verify = recipient" ACL, or certain changes to local_part_suffix). A remote attack is also possible if the attacker is able to keep a connection to the server open for 7 days (for example, sending one byte per minute to bypass the timeout). At the same time, it is possible that simpler attack vectors exist for remote exploitation of the problem.
The vulnerability is caused by incorrect verification of the recipient address in the deliver_message() function defined in the /src/deliver.c file. By manipulating the address format, an attacker can get their own data substituted into the arguments of a command invoked through the execv() function with root privileges. Exploitation does not require the complex techniques used for buffer overflows or memory corruption; simple character substitution is sufficient.
The problem is related to the use of the following construct for address conversion:
deliver_localpart = expand_string(
string_sprintf("${local_part:%s}", new->address));
deliver_domain = expand_string(
string_sprintf("${domain:%s}", new->address));
The expand_string() function is an overcomplicated all-in-one processor that, among other things, recognizes the "${run{command arguments}" command, which leads to the launch of an external handler. Thus, to attack within an SMTP session, a local user only needs to send a command such as 'RCPT TO "username+${run{...}}@localhost"', where localhost is one of the hosts from the local_domains list, and username is the name of an existing local user.
If the server works as a mail relay, it is enough to remotely send the command 'RCPT TO "${run{...}}@relaydomain.com"', where relaydomain.com is one of the hosts listed in the relay_to_domains section of the settings. Since Exim does not apply privilege-dropping mode (deliver_drop_privilege = false), commands passed through "${run{...}}" will be executed as root.
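A defensive check for the two RCPT TO forms described above, as an added example that is not from the original article or the Exim project: it scans recorded SMTP command lines for recipients that carry Exim expansion syntax such as ${run{...}}. The sample session, the name suspicious_recipients and the assumption that commands are available as plain text lines (for instance from a proxy or packet capture) are constructed for illustration.

```python
import re

# Matches an SMTP RCPT command and captures everything after "RCPT TO".
# The colon is optional so the form quoted in the article also matches.
RCPT_RE = re.compile(r'\bRCPT\s+TO\s*:?\s*(?P<path>.*)$', re.IGNORECASE)

# Start of an Exim expansion item, "${name{" or "${name:", e.g. ${run{...}}.
EXPANSION_RE = re.compile(r'\$\{\s*(?P<item>[A-Za-z_0-9]+)\s*[{:]')

# Constructed sample input (assumption: one SMTP command per line).
SAMPLE_SESSION = [
    'MAIL FROM:<sender@example.org>',
    'RCPT TO:<alice@example.com>',
    'RCPT TO "username+${run{...}}@localhost"',
    'rcpt to:<"${run{...}}@relaydomain.com">',
    'RCPT TO:<bob+newsletter@example.com>',
    'DATA',
]


def suspicious_recipients(lines):
    """Return (line_number, expansion_item, recipient) for each RCPT command
    whose recipient contains expansion syntax anywhere in the address."""
    findings = []
    for number, line in enumerate(lines, start=1):
        rcpt = RCPT_RE.search(line.strip())
        if not rcpt:
            continue  # not a RCPT command
        recipient = rcpt.group("path")
        hit = EXPANSION_RE.search(recipient)
        if hit:
            findings.append((number, hit.group("item").lower(), recipient))
    return findings


if __name__ == "__main__":
    for number, item, recipient in suspicious_recipients(SAMPLE_SESSION):
        print(f"line {number}: expansion item '{item}' in recipient {recipient}")
```

The check flags the expansion in either the local part or the domain, since the code above expands both ${local_part:...} and ${domain:...} from the same address.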
It is noteworthy that the vulnerability was
Fixes for previous versions that continue to be used in distributions are currently only available as
Source: opennet.ru