<<< Date Index >>>     <<< Thread Index >>>

vpopmail <= 5.4.2 (sybase vulnerability)




Bug: format string and buffer overflow (sybase)
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [werro@xxxxxxx]
Realease Date : 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://web-hack.ru/unl0ck/advisories/


Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.

Details:
Bugs were founded in SyBase. In vsybase.c file.

-------------------\
 char dirbuf[156];  
\__Vulnerability___________________________________________________
 ...                                                                            
       |
 if ( strlen(dir) > 0 )                                                         
       |
 {                                                                              
       |
 sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);                                  
       |
 ^^^^^^^ - buffer overflow                                                      
       |
 }else{                                                                         
       |
 sprintf(dirbuf, "%s/%s", dom_dir, user);                                       
       |
 ^^^^^^^ - buffer overflow                                                      
       |
 }                                                                              
       |
 ...                                                                            
       |
                                                                                
       |
 if ( site_size == LARGE_SITE ) {                                               
       |
                sprintf( SqlBuf, LARGE_INSERT, domstr,                          
       |
                user, pass, pop, gecos, dirbuf, quota);                         
       |
                ^^^^^^^ - format string                                         
       |
        } else {                                                                
       |
                sprintf( SqlBuf, SMALL_INSERT,                                  
       |
                SYBASE_DEFAULT_TABLE,  user, domain, pass, pop, gecos, dirbuf, 
quota); |
        }       ^^^^^^^ - format string  
______________________________________________|
----------------------------------------/
Two vulnerability : format string and buffer overflow.
Latest Version is Vulnerable.

To avoid this bugs, you must use snprintf() with format like "%s".

12/08/04.
(c) by unl0ck team.
http://web-hack.ru/unl0ck