Exim on Arzedlab 🪵https://arzedlab.github.io/tags/exim/Recent content in Exim on Arzedlab 🪵Hugoen-us© RavshanMon, 26 May 2025 00:00:00 +0000EXIM: CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()https://arzedlab.github.io/posts/exim-analysis-4-92-1-r-1fc3648c0bf4804d9828e1aa08614f70/Mon, 26 May 2025 00:00:00 +0000https://arzedlab.github.io/posts/exim-analysis-4-92-1-r-1fc3648c0bf4804d9828e1aa08614f70/<h1 id="exim-analysis-4921-r">EXIM: Analysis 4.92.1-R</h1> <p>This is just as re-analysis to better understand, the reporter and author of there vulnerabileties is company Qualys official link: <a href="https://www.qualys.com/2021/05/04/21nails/21nails.txt">https://www.qualys.com/2021/05/04/21nails/21nails.txt</a></p> <h2 id="cve-2020-28025-heap-out-of-bounds-read-in-pdkim_finish_bodyhash">CVE-2020-28025: Heap out-of-bounds read in pdkim_finish_bodyhash()</h2> <ol> <li>Callers of <code>pdkim_finish_bodyhash()</code></li> </ol> <p><code>main()</code> → <code>receive_msg()</code> → <code>dkim_exim_verify_finish()</code></p> <p><code>dkim_exim_verify_finish()</code> be called to verify DKIM (DomainKeys Identified Mail) signature, then calls <code>pdkim_feed_finish()</code> <strong>, which calls</strong> <code>pdkim_finish_bodyhash()</code></p> <ol> <li>DKIM (DomainKeys Identified Mail) looks like this.</li> </ol> <p><img src="image.png" alt="image.png"></p> <p>Code of the function <code>pdkim_finish_bodyhash()</code></p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#282a36;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>... </span></span><span style="display:flex;"><span> /* VERIFICATION --------------------------------------------------------- */ </span></span><span style="display:flex;"><span> /* Be careful that the header sig included a bodyash */ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">if</span> <span style="color:#ff79c6">(</span> sig-&gt;bodyhash.data </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">&amp;&amp;</span> memcmp<span style="color:#ff79c6">(</span>b-&gt;bh.data, sig-&gt;bodyhash.data, b-&gt;bh.len<span style="color:#ff79c6">)</span> <span style="color:#ff79c6">==</span> 0<span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">{</span> </span></span><span style="display:flex;"><span> DEBUG<span style="color:#ff79c6">(</span>D_acl<span style="color:#ff79c6">)</span> debug_printf<span style="color:#ff79c6">(</span><span style="color:#f1fa8c">&#34;PDKIM [%s] Body hash compared OK\n&#34;</span>, sig-&gt;domain<span style="color:#ff79c6">)</span>; </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">}</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">else</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">{</span> </span></span><span style="display:flex;"><span> DEBUG<span style="color:#ff79c6">(</span>D_acl<span style="color:#ff79c6">)</span> </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">{</span> </span></span><span style="display:flex;"><span> debug_printf<span style="color:#ff79c6">(</span><span style="color:#f1fa8c">&#34;PDKIM [%s] Body hash signature from headers: &#34;</span>, sig-&gt;domain<span style="color:#ff79c6">)</span>; </span></span><span style="display:flex;"><span> pdkim_hexprint<span style="color:#ff79c6">(</span>sig-&gt;bodyhash.data, sig-&gt;bodyhash.len<span style="color:#ff79c6">)</span>; </span></span><span style="display:flex;"><span> debug_printf<span style="color:#ff79c6">(</span><span style="color:#f1fa8c">&#34;PDKIM [%s] Body hash did NOT verify\n&#34;</span>, sig-&gt;domain<span style="color:#ff79c6">)</span>; </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">}</span> </span></span><span style="display:flex;"><span> sig-&gt;verify_status <span style="color:#ff79c6">=</span> PDKIM_VERIFY_FAIL; </span></span><span style="display:flex;"><span> sig-&gt;verify_ext_status <span style="color:#ff79c6">=</span> PDKIM_VERIFY_FAIL_BODY; </span></span><span style="display:flex;"><span> <span style="color:#ff79c6">}</span> </span></span><span style="display:flex;"><span>... </span></span></code></pre></div><p>Unfortunately, at line 826, <code>sig-&gt;bodyhash.data</code> is attacker-controlled (through a &ldquo;DKIM-Signature:&rdquo; mail header) and <code>memcmp()</code> is called without checking first that <code>sig-&gt;bodyhash.len</code> is equal to <code>b-&gt;bh.len</code>: <code>memcmp()</code> can read <code>sig-&gt;bodyhash.data</code> out-of-bounds. If the <code>acl_smtp_dkim</code> is set (it is unset by default), an unauthenticated remote attacker may transform this vulnerability into an information disclosure; we have not fully explored this possibility.</p>