========================================================================
CVE-2021-27216: Arbitrary file deletion
========================================================================

While working on a patch for CVE-2020-28014, we discovered another,
related vulnerability: any local user can delete an arbitrary file as
root (for example, /etc/passwd) by abusing the -oP (pid file path) and
-oPX (remove the pid file) command-line options, which reach
delete_pid_file() in the setuid-root exim binary:

------------------------------------------------------------------------
 932 void
 933 delete_pid_file(void)
 934 {
 935 uschar * daemon_pid = string_sprintf("%d\n", (int)getppid());
 ...
 939 if ((f = Ufopen(pid_file_path, "rb")))
 940   {
 941   if (  fgets(CS big_buffer, big_buffer_size, f)
 942         && Ustrcmp(daemon_pid, big_buffer) == 0
 943      )
 944     if (Uunlink(pid_file_path) == 0)
------------------------------------------------------------------------

The only guard is the content check at lines 941-942, and it is
trivially satisfied: the attacker chooses the path with -oP, controls
the file's contents, and is the parent process whose pid getppid()
returns. The actual defect is a time-of-check/time-of-use race: the
fopen() at line 939 opens and validates one file, but the unlink() at
line 944 resolves the path name a second time, so whatever that name
points to at that moment is what gets deleted, as root. To exploit
this vulnerability, a local attacker must therefore win an easy race
condition between the fopen() at line 939 and the unlink() at line
944; the details are left as an exercise for the interested reader.

------------------------------------------------------------------------
History
------------------------------------------------------------------------

This vulnerability was introduced in Exim 4.94:

------------------------------------------------------------------------
commit 01446a56c76aa5ac3213a86f8992a2371a8301f3
Date:   Sat Nov 9 16:04:14 2019 +0000

    Remove the daemon pid file when exit is due to SIGTERM.  Bug 340
------------------------------------------------------------------------

We wrote a proof of concept for this vulnerability (for Linux); please
let us know if you want to see or try it.
