Exim
cpe:2.3:a:exim:exim:*:*:*:*:*:*:*
- >= 4.88, <= 4.99.3
A vulnerability in Exim versions 4.88 prior to 4.99.4, in certain proxy configurations, causes short payloads to be handled improperly. This mishandling can disclose uninitialized stack memory values to a client. The issue lies in the proxy_protocol() function, where a PROXYv2 frame with specific characteristics can be used to read and leak memory that includes live userspace virtual addresses, potentially bypassing Address Space Layout Randomization (ASLR) protections.
Exploitation results in a pre-authentication information disclosure: uninitialized stack memory is leaked, and the leaked data can be used to defeat ASLR as one component of a larger exploit chain.
The vulnerability can be reproduced by sending a PROXYv2 frame with an address family of 0x21 (TCPv6) or 0x11 (TCPv4) that takes advantage of the missing lower-bound length check. This can be done by crafting a frame that, for example, sets the length to 0, allowing the vulnerability to be exploited by overwriting the uninitialized stack with controlled data.
Users are advised to upgrade to Exim version 4.99.4, available on the Exim FTP site and the Exim Git repository.
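The lower-bound check the advisory describes as missing, shown as an added example that is not Exim's own proxy_protocol() code: a minimal PROXYv2 header parser (hypothetical names pp2_parse and pp2_addr, constructed sample frames) that refuses to read any address bytes until both the advertised length and the bytes actually received cover the full address block for the TCPv4 (0x11) or TCPv6 (0x21) family.

```c
#include <stdint.h>
#include <string.h>

/* PROXY protocol v2 fixed header: 12-byte signature, version/command,
   address family/transport, then a 16-bit big-endian payload length. */
static const unsigned char PP2_SIG[12] =
    {0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A};
#define PP2_HDR_LEN 16
#define PP2_FAM_TCP4 0x11
#define PP2_FAM_TCP6 0x21

struct pp2_addr { uint8_t family, src[16], dst[16]; uint16_t src_port, dst_port; };

/* Smallest address block each family can carry; 0 means "not handled here". */
static size_t pp2_min_payload(uint8_t family) {
    switch (family) {
    case PP2_FAM_TCP4: return 4 + 4 + 2 + 2;    /* 12 bytes */
    case PP2_FAM_TCP6: return 16 + 16 + 2 + 2;  /* 36 bytes */
    default:           return 0;
    }
}

/* Returns 1 and fills *out on success, 0 on reject. No address byte is read
   until the advertised length AND the bytes actually received cover the block,
   so a frame with length 0 never causes stack memory beyond the input to be used. */
int pp2_parse(const unsigned char *buf, size_t buflen, struct pp2_addr *out) {
    if (buflen < PP2_HDR_LEN || memcmp(buf, PP2_SIG, 12) != 0) return 0;
    if ((buf[12] & 0xF0) != 0x20) return 0;                 /* not version 2 */
    uint8_t family = buf[13];
    uint16_t len = (uint16_t)((buf[14] << 8) | buf[15]);
    size_t need = pp2_min_payload(family);
    if (need == 0 || len < need || buflen < PP2_HDR_LEN + need) return 0;
    const unsigned char *p = buf + PP2_HDR_LEN;
    size_t alen = (family == PP2_FAM_TCP4) ? 4 : 16;
    memset(out, 0, sizeof *out);
    out->family = family;
    memcpy(out->src, p, alen);
    memcpy(out->dst, p + alen, alen);
    out->src_port = (uint16_t)((p[2 * alen] << 8) | p[2 * alen + 1]);
    out->dst_port = (uint16_t)((p[2 * alen + 2] << 8) | p[2 * alen + 3]);
    return 1;
}

/* Constructed sample frames (not taken from the advisory). */
static const unsigned char GOOD_TCP4[28] = {   /* 192.0.2.10:40000 -> 198.51.100.7:25 */
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A, 0x21, 0x11, 0x00, 0x0C,
    192,0,2,10,  198,51,100,7,  0x9C,0x40,  0x00,0x19 };
static const unsigned char LEN0_TCP4[16] = {   /* TCPv4 family, length field 0 */
    0x0D,0x0A,0x0D,0x0A,0x00,0x0D,0x0A,0x51,0x55,0x49,0x54,0x0A, 0x21, 0x11, 0x00, 0x00 };
```

The same check rejects a frame whose length field is plausible but whose bytes were not all received, which is the other way a parser ends up reading past the input.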