POC details: 0203a7d492f950ed730b3d817a7bdd2095cf64b7

Source
Related vulnerability
Title: N/A (CVE-2025-26794)
Description: Exim 4.98 before 4.98.1, when SQLite hints and ETRN serialization are used, allows remote SQL injection.
Description
CVE-2025-26794: SQLite (DBM) injection in Exim 4.98 - exploit writeup
Introduction
# CVE-2025-26794: SQLite (DBM) injection in Exim 4.98 - exploit writeup

Exim report: [https://www.exim.org/static/doc/security/CVE-2025-26794.txt](https://www.exim.org/static/doc/security/CVE-2025-26794.txt)

I discovered this vulnerability through a manual code review. Please get in touch with me to discuss ways to escalate this vulnerability to RCE.


# Vulnerability details:

### Issue
The SQL parameters, when SQLite is used as the DBM, are not properly sanitized. This makes it possible for a remote user to craft custom SQLite queries.

### Affected file:
- [hintsdb.h](https://github.com/Exim/exim/blob/exim-4.98/src/src/hintsdb.h) Moved to hints_sqlite.h in the latest commits. Only the SQLite parts are affected (example function: exim_s_dbp). 

### Requirements:
- Compile Exim with "USE_SQLITE = yes". This will set SQLite as the DataBase Manager (DBM). 
- Enable the ETRN command

### Attack surface:
- ETRN command: The ETRN command creates a new entry in the "misc" database with a key that we can control. For example, if we run `ETRN #test.com`, Exim will create a temporary DB entry in the SQLite "misc" database (as the exim user) with the key "etrn-#test".

Since we control the key, we can inject our own SQL code: 
```
ETRN #',1); ## INSERT SQL HERE ##  /*
```

- Lookups:
The lookup types dbm, dbmjz, dbmnz use the configured DBM (SQLite in this case), which may increase the attack surface significantly. I did not test the exploitation. However, using the dbm lookup when SQLite is set as the DBM seems unlikely.
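The root cause described above is the key being pasted into the SQL text rather than bound as a parameter. The following is an added illustration (not Exim's code or schema, and not part of the write-up): a toy "misc" table in Python's built-in `sqlite3` module, with the flawed pattern beside the hardened one. `executescript` stands in for C's `sqlite3_exec`, which also runs every statement in the string it is given; the table layout, the `etrn-` prefix handling and the payload-shaped key are constructed assumptions, and the injected statement only creates a harmless marker table.

```python
import sqlite3

# Simplified model of a hints database: a "misc" table holding a key and a
# blob, as used for ETRN serialization. Added illustration, not Exim's schema.
SCHEMA = "CREATE TABLE misc (ky TEXT PRIMARY KEY, dat BLOB)"

# Constructed key shaped like the write-up's payload: it closes the quoted key,
# completes the INSERT, runs an extra statement, and re-opens a quote so the
# remainder of the template still parses. The extra statement is harmless.
PAYLOAD = "#', X'00'); CREATE TABLE injected_marker (x); INSERT INTO misc VALUES ('pad"


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def store_unsafe(conn, key, data):
    """Flawed pattern: the key is spliced into the SQL text and the whole
    string is handed to the engine, which executes every statement in it
    (the same multi-statement behaviour as C's sqlite3_exec)."""
    sql = "INSERT OR REPLACE INTO misc (ky, dat) VALUES ('etrn-%s', X'%s')" % (
        key, data.hex())
    conn.executescript(sql)


def store_safe(conn, key, data):
    """Hardened pattern: the statement text is fixed and the key and blob
    travel as bound parameters, so quote characters in the key are data,
    never SQL."""
    conn.execute("INSERT OR REPLACE INTO misc (ky, dat) VALUES (?, ?)",
                 ("etrn-" + key, data))
    conn.commit()


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'")
    return sorted(r[0] for r in rows)


def stored_keys(conn):
    return sorted(r[0] for r in conn.execute("SELECT ky FROM misc"))


def run_demo(store):
    """Store a benign ETRN argument and the payload-shaped one with the given
    storage function, then report what the database contains afterwards."""
    conn = new_db()
    store(conn, "test.com", b"\x01")
    store(conn, PAYLOAD, b"\x01")
    return {"tables": table_names(conn), "keys": stored_keys(conn)}


if __name__ == "__main__":
    # With store_unsafe an extra table appears and the key is truncated at the
    # quote; with store_safe the whole payload is stored as one literal key.
    print("unsafe:", run_demo(store_unsafe))
    print("safe:  ", run_demo(store_safe))
```

The second variant is the shape of the upstream fix in spirit: keep the statement text constant and let the driver bind the values. Python's `execute` additionally refuses multi-statement strings, but that guard is specific to the Python wrapper; binding is what removes the bug regardless of the host language.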

### Exploitation
- I was able to connect to other local SQLite databases (to which the Exim user has access) with `ATTACH DATABASE`, I guess that we could probably exploit a race condition in Exim to trigger some undefined behavior by meddling with the other DBs used. It is still very hypothetical for now.
- We also have access to the whole attack surface of SQLite. We may combine this exploit with a SQLite exploit to achieve RCE.

### Exploitation limitations:
- I suppose it is quite rare to enable the `ETRN` command (and quite old).
- I suppose it is quite rare to enable SQLite support as the DBM since it is very recent.
- I suppose it is also quite rare to use SQLite as the DBM since it was only added in the latest Exim version.
Therefore I doubt this method of exploitation has been used in the wild. It is however a serious vulnerability.

This means that we could easily DoS (e.g. fill the disk); escalating this to remote code execution would require more work, but may be possible.

# Reproducing the bug
Here is a local Docker lab to help reproduce this vulnerability.
### Build and start exim
1. `git clone git@github.com:OscarBataille/CVE-2025-26794.git`
2. `cd CVE-2025-26794/docker_lab`
3. `bash docker.sh` will build the image and log you into the container
4. Inside the container `bash start-exim.sh` to start the exim server
### Connect to the EXIM server
1. Connect with Netcat: `nc 127.0.0.1 25`
2. The server greets you with its banner: `220 55c3a4b2466a ESMTP Exim 4.98-XX Sat, 22 Feb 2025 14:31:50 +0000`
3. Issue the ETRN command: `ETRN #'`
4. Check the SQLite log for this line: `sqlite3_exec: near "', X'": syntax error`
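The syntax error above is what a failed or probing injection leaves behind, and the ETRN argument itself is logged, so both can be watched for. The following detector is an added example, not part of the write-up or of Exim: it scans constructed log lines for ETRN arguments containing SQL metacharacters and for the `sqlite3_exec` syntax error quoted in step 4. The line layout `ETRN <argument> received from <host>` and the sample lines are assumptions; adapt the patterns to the format your own log selector produces.

```python
import re

# Constructed sample lines in the shape of an Exim main log (the layout is an
# assumption for this example, not a guarantee about real Exim output).
SAMPLE_LOG = [
    "2025-02-22 14:31:40 ETRN #test.com received from [192.0.2.10]",
    "2025-02-22 14:31:50 ETRN #' received from [192.0.2.10]",
    "2025-02-22 14:31:50 sqlite3_exec: near \"', X'\": syntax error",
    "2025-02-22 14:32:01 SMTP connection from [192.0.2.11] closed by QUIT",
]

# ETRN command as logged: the argument, then the sending host.
ETRN_RE = re.compile(r"\bETRN (?P<arg>.*?) received from (?P<host>\S+)")
# Characters that have no place in an ETRN domain argument but do in SQL.
# The '#' prefix is legitimate ETRN syntax and is deliberately not flagged.
SQL_META_RE = re.compile(r"['\";]|/\*")
# The engine error the write-up names as the signature of a broken injection.
SQLITE_ERR_RE = re.compile(r"sqlite3_exec: (?P<msg>.*syntax error)")


def analyse(lines):
    """Return (line_no, finding, detail) tuples for suspicious lines.

    detail is the peer host for an ETRN finding and the engine message for a
    SQLite error finding."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = ETRN_RE.search(line)
        if m:
            if SQL_META_RE.search(m.group("arg")):
                findings.append((n, "etrn-sql-metachar", m.group("host")))
            continue
        e = SQLITE_ERR_RE.search(line)
        if e:
            findings.append((n, "sqlite-syntax-error", e.group("msg")))
    return findings


if __name__ == "__main__":
    for line_no, finding, detail in analyse(SAMPLE_LOG):
        print("line %d: %s (%s)" % (line_no, finding, detail))
```

Pairing the two signals is the useful part: an ETRN argument with a quote followed shortly by a SQLite syntax error from the same host is a strong indicator of probing, while a syntax error on its own may be a legitimate client sending a malformed domain. A successful injection produces no syntax error, so the ETRN-argument check is the one that catches the quiet case.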


File snapshot

```
[4.0K] /data/pocs/0203a7d492f950ed730b3d817a7bdd2095cf64b7
├── [4.0K] docker_lab
│   ├── [ 44K] configure
│   ├── [  31] connect_docker.sh
│   ├── [1.1K] Dockerfile
│   ├── [ 207] docker.sh
│   ├── [ 937] Makefile-Linux
│   └── [ 179] start-exim.sh
└── [3.1K] README.md

1 directory, 7 files
```