vpopmail <= 5.4.2 (sybase vulnerability)
Bug: format string and buffer overflow (sybase)
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [werro@xxxxxxx]
Realease Date : 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://web-hack.ru/unl0ck/advisories/
Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.
Details:
Bugs were founded in SyBase. In vsybase.c file.
-------------------\
char dirbuf[156];
\__Vulnerability___________________________________________________
...
|
if ( strlen(dir) > 0 )
|
{
|
sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);
|
^^^^^^^ - buffer overflow
|
}else{
|
sprintf(dirbuf, "%s/%s", dom_dir, user);
|
^^^^^^^ - buffer overflow
|
}
|
...
|
|
if ( site_size == LARGE_SITE ) {
|
sprintf( SqlBuf, LARGE_INSERT, domstr,
|
user, pass, pop, gecos, dirbuf, quota);
|
^^^^^^^ - format string
|
} else {
|
sprintf( SqlBuf, SMALL_INSERT,
|
SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf,
quota); |
} ^^^^^^^ - format string
______________________________________________|
----------------------------------------/
Two vulnerability : format string and buffer overflow.
Latest Version is Vulnerable.
To avoid this bugs, you must use snprintf() with format like "%s".
12/08/04.
(c) by unl0ck team.
http://web-hack.ru/unl0ck