==================================
 Exim Mailer, multiple vulnerabilites
 June 3, 2010
 CVE-2010-2023, CVE-2010-2024
==================================

==Description==

Two vulnerabilities have been discovered in Exim 4, a popular mail transfer
agent used on Unix-like systems (www.exim.org).

1. When Exim is used with a world-writable mail directory with the sticky-bit
set, local users may create hard links to other non-root users' files at the
expected location of those users' mailboxes, causing their files to be written
to upon mail delivery.  This could be used to create denial-of-service
conditions or potentially escalate privileges to those of targeted users.  This
issue has been assigned CVE-2010-2023.

2. When MBX locking is enabled, local users may exploit a race condition to
change permissions of other non-root users' files, leading to denial-of-service
conditions or potentially privilege escalation, or to create new files owned by
other users in unauthorized locations.  This issue has been assigned
CVE-2010-2024.

==Workarounds==

1. Both of these vulnerabilities can be mitigated on Linux by making use of
grsecurity (or similar) kernel extensions that enforce additional linking
restrictions.  grsecurity mitigates these types of race conditions by
preventing users from following symbolic links owned by other users in
world-writable directories with the sticky bit set, and also by preventing
users from creating hard links to files they do not own.  Other operating
systems may enforce similar restrictions by default.

2. The first issue can be mitigated by using a group-writable mail directory
owned by a "mail" group rather than a world-writable mail directory.

3. The second issue can be mitigated by disabling the MBX locking feature (this
is already the default with many packaged releases of Exim) or by mounting the
/tmp directory with options prohibiting the following of symbolic links created
by other users.

==Solution==

Exim has released a new version, 4.72, available for download at
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz.  Vulnerable users are
advised to download and recompile from source, or request updated packages from
downstream distributions.

==Credits==

These vulnerabilities were discovered by Dan Rosenberg
(dan.j.rosenberg@gmail.com).

==Timeline==

5/24/10 - Reported to Exim
5/25/10 - Response from Exim
6/03/10 - Exim 4.72 released
6/03/10 - Disclosure

==References==

CVE identifiers CVE-2010-2023 and CVE-2010-2024 have been assigned to these
issues.

Exim 4.72 is available for download at:
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.gz
ftp://ftp.exim.org/pub/exim/exim4/exim-4.72.tar.bz2