[2Cents on] vpopmail <= 5.4.2 (sybase vulnerability)
On Tuesday 17 August 2004 13:44, JXrXme ATHIAS wrote:
> Bug: format string and buffer overflow (sybase)
> Product: vpopmail <= 5.4.2 (sybase vulnerability)
> Author: Werro [werro@xxxxxxx]
> Realease Date : 12/08/04
> Risk: Low
> Vendor status: Vendor is in a big shit :)
> Reference: http://web-hack.ru/unl0ck/advisories/
>
>
> Overview:
> vpopmail is a set of programs for creating and managing
> multiple virtual domains on a qmail server.
>
> Details:
> Bugs were founded in SyBase. In vsybase.c file.
>
> -------------------\
> char dirbuf[156];
> \__Vulnerability___________________________________________________ ...
>
> | if ( strlen(dir) > 0 )
> | {
> | sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);
> | ^^^^^^^ - buffer overflow
> | }else{
> |
> sprintf(dirbuf, "%s/%s", dom_dir, user);
> | ^^^^^^^ - buffer overflow
> | }
> | ...
> |
>
> if ( site_size == LARGE_SITE ) {
> | sprintf( SqlBuf, LARGE_INSERT, domstr,
> | user, pass, pop, gecos, dirbuf, quota);
> | ^^^^^^^ - format string
> | } else {
> | sprintf( SqlBuf, SMALL_INSERT,
> | SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf,
> quota); | } ^^^^^^^ - format string
> ______________________________________________|
> ----------------------------------------/
> Two vulnerability : format string and buffer overflow.
> Latest Version is Vulnerable.
>
> To avoid this bugs, you must use snprintf() with format like "%s".
>
> 12/08/04.
> (c) by unl0ck team.
> http://web-hack.ru/unl0ck
Hi,
A quick look appears to show that the user parameter is limited to 32 bytes
(checked and assigned before, pw_name), and pw_dir to 160 bytes, so it all
depends on the VPOPMAILDIR for exploitation I guess...
Though you should note that pw_dir is not really controlled by the user, but
rather by the OS's mail dir settings, usually Mail/ ...
Making this exploit very hard to exploit, but possible on some systems.
Another quick look appears to show that there is no format string
vulnerability as both SMALL_INSERT and LARGE_INSERT are:
#define LARGE_INSERT "insert into %s \
( pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
values \
( '%s', '%s', %d, 0, '%s', '%s', '%s' )"
#define SMALL_INSERT "insert into %s \
( pw_name, pw_domain, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell )
\
values \
( '%s', '%s', '%s', %d, 0, '%s', '%s', '%s' )"
So a format is provided for both functions.
--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.
Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441