CVE-2002-1381
Exim 3.x-3.36 and 4.x-4.10 - Authenticated Remote Code Execution via pid_file_path Format String
Exploitation Summary
EIP tracks 1 public exploit for CVE-2002-1381. PoCs published by Thomas Wana.
AI-analyzed exploit summary: This exploit leverages a format string vulnerability in Exim's daemon_go() function to achieve local privilege escalation. It calculates stack pops and overwrites the GOT entry for fopen() to redirect execution to shellcode.
Description
Format string vulnerability in daemon.c for Exim 4.x through 4.10, and 3.x through 3.36, allows exim administrative users to execute arbitrary code by modifying the pid_file_path value.