15 tweets, 5 min read
So Exim has another RCE vuln. I'm reading the code right now. It's awful. It's everything wrong with early Internet code. A guide on how-not-to-code would use Exim as the example.
The bug is in the SSL "server_name" or "SNI" field, in which the connecting side tells the server which name they are connecting to. This way, when you connect to "example.com" hosted by GMail, you can get the SSL certificate for Example and not GMail.
The bug is that if the SNI string ends with "$\", then bad things happen. Okay, that's a simple bug, and we shouldn't blame people for simple bugs. However, the entire stack leading to that bug is what we should blame them for.
For one thing, the bug is in "pointer arithmetic". As I've blogged and tweeted about before, "pointer arithmetic" is bad, and you need to stop doing it. Had this code not used pointer arithmetic, this bug wouldn't have happened.
Pointer-arithmetic is expressions like "*(++p)" in the above code. It's not valid for other languages, which would need to do something like "p[++offset]" instead. It encourages you to check whether "offset < length" all the time, which makes such bugs less likely.
"Pointer-arithmetic" is considered "idiomatic C", and you are encouraged to write idiomatic code. But the reality is that "pointer-arithmetic" is idiotic C. It has none of the advantages you think, and you need to stop using it. Refactoring code getting rid of it is important.
But this is only the start of the problems in the code. @sergeybratus is going to be mad at me if I don't mention this: "The input language is undefined". In other words, what's the allowable format for the SNI field? The answer is that this is undefined, nobody really knows.
You think it should be a DNS name. If Exim code were well-written, that's exactly the check it would apply to the code, at the first opportunity. An incoming SNI name that wasn't a valid DNS name would be immediately rejected.
Instead, the code passes the binary characters through the system. What this means is that input has a "language", it will drive computation in the code, it's just that nobody knows precisely what that "language" is, least of all the programmer.
So how did Exim fix the bug? By sanitizing input? No. By fixing a bug buried within this "language" of theirs in how they interpret escape characters.
Because SNI server names aren't sanitized on input, they touch a vast amount of code. It's essentially a Turing-complete input field when it should be simply a DNS hostname.
The fact that input strings are passed into this Turing-complete Exim language has been the source of other bugs as well, such as CVE-2019-10149, where simply the Recipient's name in an email can lead to code execution.
I may not have been clear about the Turing-complete language that Exim applies to the SNI field (and all these other fields). You can find the documentation here. TRIGGER WARNING: you may run from your computer in terror.
exim.org/exim-html-curr…
This tweet defending pointer-arithmetic is a great demonstration of why I'm right: "pointer-arithmetic is fine if you don't make the same mistake people usually make with it".
Pointer-arithmetic is inherently more dangerous than the alternative. Our fight is against dangerous coding practices, encouraging programmers to choose safer paradigms.
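The two points the thread makes, index-plus-length checks instead of "*(++p)" and rejecting an SNI value that is not a DNS hostname at the first opportunity, as an added example that is not part of the thread and is not Exim's code. The function names (is_valid_hostname, unescape_checked, accept_sni) and the sample inputs are constructed for illustration; the escape decoder is a generic stand-in for "code that interprets backslashes", not a copy of Exim's string expansion. The hostname rule applied is the RFC 1035 letters-digits-hyphen form (labels of 1 to 63 bytes, 253 bytes total, no leading or trailing hyphen, no empty label, no trailing dot), which is what an SNI value is supposed to be.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABEL 63   /* RFC 1035 label limit */
#define MAX_HOST  253  /* RFC 1035 presentation-form limit */

/* Returns 1 if buf[0..len) is a syntactically valid DNS hostname, else 0.
   Every byte access is guarded by an index-vs-length check; no pointer is
   advanced, so there is nothing to walk past the end of. A value such as
   "mail.example.com$\" is rejected here, before any other code sees it. */
int is_valid_hostname(const char *buf, size_t len)
{
    size_t i, label_len = 0;

    if (len == 0 || len > MAX_HOST)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)buf[i];
        if (c == '.') {
            if (label_len == 0)        /* leading dot or empty label ("a..b") */
                return 0;
            if (buf[i - 1] == '-')     /* label may not end with a hyphen */
                return 0;
            label_len = 0;
            continue;
        }
        if (!(isalnum(c) || c == '-')) /* '$', '\\', NUL, bytes >= 0x80, ... */
            return 0;
        if (c == '-' && label_len == 0) /* label may not start with a hyphen */
            return 0;
        if (++label_len > MAX_LABEL)
            return 0;
    }
    if (label_len == 0)                /* trailing dot: not allowed in SNI */
        return 0;
    return 1;
}

/* Decodes backslash escapes ("\x" -> "x") from in[0..in_len) into out.
   This is the "p[++offset]" style the thread recommends: the index is compared
   with the length before every read, so an input that ends with a lone
   backslash is reported as malformed instead of reading the byte after the
   end of the buffer. Returns 0 on success (setting *out_len), -1 on malformed
   input or insufficient output space. */
int unescape_checked(const char *in, size_t in_len,
                     char *out, size_t out_cap, size_t *out_len)
{
    size_t i = 0, o = 0;

    while (i < in_len) {
        char c = in[i++];
        if (c == '\\') {
            if (i >= in_len)           /* escape with nothing after it */
                return -1;
            c = in[i++];
        }
        if (o >= out_cap)
            return -1;
        out[o++] = c;
    }
    *out_len = o;
    return 0;
}

/* Convenience wrapper: 1 if decoding in[0..in_len) succeeds and yields exactly
   the NUL-terminated string expected, else 0. */
int unescape_equals(const char *in, size_t in_len, const char *expected)
{
    char out[64];
    size_t n;

    if (unescape_checked(in, in_len, out, sizeof out, &n) != 0)
        return 0;
    return n == strlen(expected) && memcmp(out, expected, n) == 0;
}

/* The order the thread argues for: validate the raw SNI bytes as a hostname
   first, and only then hand a NUL-terminated copy to the rest of the program.
   Returns 1 if accepted (dst filled), 0 if rejected. */
int accept_sni(const unsigned char *raw, size_t raw_len, char *dst, size_t dst_cap)
{
    if (!is_valid_hostname((const char *)raw, raw_len))
        return 0;
    if (raw_len + 1 > dst_cap)
        return 0;
    memcpy(dst, raw, raw_len);
    dst[raw_len] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample SNI values, not captured traffic. */
    const char *samples[] = { "mail.example.com", "mail.example.com$\\", "-bad.example", "a..b" };
    char dst[MAX_HOST + 1];
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        int ok = accept_sni((const unsigned char *)samples[k], strlen(samples[k]), dst, sizeof dst);
        printf("%-24s -> %s\n", samples[k], ok ? "accepted" : "rejected");
    }
    return 0;
}
```

Note that is_valid_hostname takes an explicit length rather than relying on a NUL terminator: SNI arrives as a length-prefixed field, and a value containing an embedded NUL is exactly the kind of byte sequence that should be rejected rather than silently truncated.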
Thread by Rob Graham