34 changes: 34 additions & 0 deletions src/network-services-pentesting/pentesting-smtp/README.md
Expand Up @@ -275,6 +275,38 @@ SMTP Smuggling vulnerability allowed to bypass all the SMTP protections (check t
smtp-smuggling.md
{{#endref}}


## Exim STARTTLS + BDAT callback desync (GnuTLS UAF)

A useful **Exim-specific exploitation surface** is the interaction between **`STARTTLS`**, **`BDAT`/`CHUNKING`**, and the TLS backend when Exim is compiled against **GnuTLS**. The interesting technique is **not the CVE itself**, but the bug class:

- A higher-level parser (**BDAT**) **pushes/wraps** the active `receive_*` callbacks and saves the old ones in a lower callback row.
- The lower layer (**TLS**) is later **torn down** after `gnutls_record_recv() == 0` / TLS EOF.
- Teardown restores only the **top-level** callbacks, but the **saved lower-layer callbacks remain stale**.
- A later parser repair path still calls `ungetc()` through that stale row and writes into a **freed TLS buffer**.

### Why this matters for attackers

This creates a very practical checklist when reviewing SMTP daemons and other protocol parsers:

1. **Look for modal parser stacking** (`DATA`/`BDAT`, compression, TLS, chunked reads, content filters).
2. **Check teardown symmetry**: if one layer pops or resets only the active callbacks/vtable, stale saved callbacks may still reference destroyed state.
3. **Audit repair paths** such as `ungetc()`, line-ending fixups, pushback buffers, or end-of-message normalization; these often become the actual write primitive after a lower layer dies.
4. **Check for fallback after close**: if a TLS/backend read error frees state and then falls back to plaintext I/O, the outer parser may keep running long enough to turn a lifetime bug into exploitation.

### Exim-specific shape

In Exim's `BDAT` path, `bdat_push_receive_functions()` stores the current lower layer (`tls_getc`, `tls_getbuf`, `tls_ungetc`, etc.) and replaces the active row with BDAT wrappers. If a **TLS EOF** happens while the body is still being read, `tls_close()` frees the TLS plaintext transfer buffer but BDAT can still hold **stale lower-layer pointers** to `tls_*`. Later, end-of-data line-ending repair calls `bdat_ungetc('\n')` or `bdat_ungetc('\r')`, which can reach `tls_ungetc()` and perform a **1-byte write** into the **freed** TLS buffer.

The primitive is constrained (newline or carriage return), but the offset is influenced by the TLS low-water mark. This is a classic [use-after-free](../../binary-exploitation/libc-heap/use-after-free/README.md) situation where even a single-byte post-free write may be enough to corrupt heap metadata or steer later heap reuse.

### Triage / hunting notes

- During **`EHLO`**, check whether the server advertises **`STARTTLS`** and **`CHUNKING`** (`BDAT`).
- Prioritize **Exim + GnuTLS** targets where **unauthenticated SMTP sessions** can reach `STARTTLS` and then send `BDAT`.
- When studying exploitation potential, look for **post-free allocation windows** in mail-processing features (filters, DKIM, MIME parsing, AV hooks, canonicalization) that can **reclaim or shape** the freed chunk before the stale callback fires.
- This bug family is a good reminder that **protocol state-machine bugs can expose heap primitives**, so SMTP review should include both protocol desync and memory-lifetime analysis.

## Mail Spoofing Countermeasures

Organizations are prevented from having unauthorized email sent on their behalf by employing **SPF**, **DKIM**, and **DMARC** due to the ease of spoofing SMTP messages.
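Review bot: the triage bullets at the end of this hunk (the ones beginning "During **`EHLO`**" and "Prioritize **Exim + GnuTLS** targets") should state that `CHUNKING` has to be confirmed in the `EHLO` issued after `STARTTLS`, not in the initial one. RFC 3207 requires both sides to discard the pre-TLS `EHLO` state once the handshake completes, so the plaintext capability list does not guarantee that `BDAT` is accepted inside the TLS session, and the bug as described only fires while `BDAT` is being read under TLS. Suggested wording for the first bullet: "After `STARTTLS`, re-issue `EHLO` and confirm `CHUNKING` is still advertised before sending `BDAT`." Two smaller points: the heading and the first paragraph scope this to Exim built against GnuTLS, but nothing says whether OpenSSL builds are unaffected, so say so explicitly either way (or that it is unverified), otherwise readers will assume the OpenSSL backend has the same `tls_ungetc()` behaviour. Also verify that the relative link `../../binary-exploitation/libc-heap/use-after-free/README.md` resolves from `src/network-services-pentesting/pentesting-smtp/README.md`; the directory depth is easy to get wrong in this tree.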
Expand Down Expand Up @@ -685,6 +717,8 @@ submit.cf

## References

- [XBOW – Dead.Letter (CVE-2026-45185): How XBOW Found an Unauthenticated RCE on Exim](https://xbow.com/blog/dead-letter-cve-2026-45185-xbow-found-rce-exim)
- [RFC 3030 – SMTP Service Extensions for Transmission of Large and Binary MIME Messages](https://datatracker.ietf.org/doc/html/rfc3030)
- [https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/](https://research.nccgroup.com/2015/06/10/username-enumeration-techniques-and-their-value/)
- [https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/](https://www.reddit.com/r/HowToHack/comments/101it4u/what_could_hacker_do_with_misconfigured_smtp/)
- [0xdf – HTB/VulnLab JobTwo: Word VBA macro phishing via SMTP → hMailServer credential decryption → Veeam CVE-2023-27532 to SYSTEM](https://0xdf.gitlab.io/2026/01/27/htb-jobtwo.html)
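Review bot: CVE-2026-45185 is named only in the new reference entry and never in the section the first hunk adds, so a reader of the rendered page cannot tell which reference backs the "Exim STARTTLS + BDAT callback desync" section. Put the identifier in that section's heading or first paragraph, e.g. `## Exim STARTTLS + BDAT callback desync (GnuTLS UAF, CVE-2026-45185)`, and add the affected and fixed Exim versions there if the referenced write-up gives them. Minor: the two new entries are prepended while the existing entries below are a mix of titled links and bare URLs; either append in the existing order or give the bare-URL entries titles so the list reads consistently.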