# Title: Exim tls-openssl.c — Use-After-Free → unauthenticated Remote Code Execution
# CVE: CVE-2023-6553
# Test platform: vulnerable Exim build (any version before 4.94.2), configured to accept SMTP with TLS provided by OpenSSL
# Software version: Exim versions before 4.94.2 (the vulnerable code was introduced around Exim 4.94). The issue is specific to builds that provide TLS via OpenSSL, since the affected code is in tls-openssl.c.
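A defender's first question for this record is whether a given host sits in the affected range. The following is an added example (not part of this record and not Exim project code) that classifies the output of `exim -bV` against the fix version stated above. It assumes that the first line of that output reads `Exim version X.Y.Z ...` and that the `Support for:` line names `OpenSSL` when TLS is provided by OpenSSL; the sample outputs are constructed for the example.

```python
import re
import subprocess

# First release carrying the fix, per this record.
FIXED_VERSION = "4.94.2"

# Assumed shape of the first `exim -bV` line, e.g. "Exim version 4.94.2 #2 built ...".
_VERSION_RE = re.compile(r"^Exim version (\d+(?:\.\d+)*)", re.MULTILINE)

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OPENSSL_OLD = """Exim version 4.94 #2 built 20-Jun-2020 10:00:00
Copyright (c) University of Cambridge, 1995 - 2020
Support for: crypteq iconv() IPv6 OpenSSL TLS_resume DKIM
"""

SAMPLE_GNUTLS_OLD = """Exim version 4.94 #2 built 20-Jun-2020 10:00:00
Support for: crypteq iconv() IPv6 GnuTLS DKIM
"""

SAMPLE_FIXED = """Exim version 4.94.2 #2 built 13-May-2021 12:00:00
Support for: crypteq iconv() IPv6 OpenSSL TLS_resume DKIM
"""


def parse_version(text):
    """'4.94.2' -> (4, 94, 2); '4.94' -> (4, 94, 0), so tuples compare correctly."""
    parts = tuple(int(p) for p in text.split("."))
    return parts + (0,) * (3 - len(parts))


def assess(bv_output, fixed=FIXED_VERSION):
    """Classify `exim -bV` output against the affected range.

    Returns a dict with the parsed version, whether the build names OpenSSL
    in its support list (assumption about the token), whether the version is
    below the fix, and the combined verdict for the tls-openssl.c code path.
    """
    m = _VERSION_RE.search(bv_output)
    if not m:
        raise ValueError("no 'Exim version' line found in output")
    version = m.group(1)

    support = ""
    for line in bv_output.splitlines():
        if line.startswith("Support for:"):
            support = line
    uses_openssl = "OpenSSL" in support

    below_fix = parse_version(version) < parse_version(fixed)
    return {
        "version": version,
        "uses_openssl": uses_openssl,
        "below_fix": below_fix,
        # GnuTLS builds compile tls-gnutls.c instead, so only OpenSSL builds
        # carry the affected code path; below_fix is still reported on its own.
        "affected": below_fix and uses_openssl,
    }


def assess_local_exim():
    """Run `exim -bV` on this host, if Exim is installed, and classify it."""
    try:
        out = subprocess.run(["exim", "-bV"], capture_output=True, text=True,
                             check=False).stdout
    except FileNotFoundError:
        return None
    return assess(out)


if __name__ == "__main__":
    for name, sample in [("openssl-old", SAMPLE_OPENSSL_OLD),
                         ("gnutls-old", SAMPLE_GNUTLS_OLD),
                         ("fixed", SAMPLE_FIXED)]:
        print(name, assess(sample))
    local = assess_local_exim()
    print("local host:", local if local else "exim not installed")
```

Running the script prints the verdict for the three constructed samples and, when an `exim` binary is on the path, for the local installation. The combined `affected` flag follows the record's scope (OpenSSL builds below 4.94.2); `below_fix` is reported separately so that a GnuTLS build running an old release is still visible as out of date.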
# Trigger steps:
Prepare an isolated Exim instance built/installed with the vulnerable version and OpenSSL enabled. Take a snapshot.
Establish an SMTP session to the server and exercise the TLS negotiation (e.g., EHLO → STARTTLS) so the server uses the OpenSSL TLS code-path.
Send a crafted sequence of SMTP commands and payloads that exploit the use-after-free in tls-openssl.c (Qualys’ advisory explains the general exploitation flow — corrupting a gstring-like buffer via server responses and later triggering expand_string() to execute ${run{...}}). The public discussion references use of MAIL FROM sequences around STARTTLS to cause the corruption.
Observe oracle indicators: server-side process activity (spawned processes), filesystem changes, or a reverse connection. Collect logs, packet captures, and filesystem snapshots as evidence.
# Oracle: success indicators: after the crafted SMTP/TLS sequence is sent, the server executes attacker-supplied actions (e.g., creates files, spawns processes, runs ${run{...}} expansions); logs, created files, spawned processes, or a reverse connection are the evidence. Qualys describes using MAIL FROM and server responses to overwrite data that later triggers execution through expand_string().