
[2Cents on] vpopmail <= 5.4.2 (sybase vulnerability)



On Tuesday 17 August 2004 13:44, Jérôme ATHIAS wrote:
> Bug: format string and buffer overflow (sybase)
> Product: vpopmail <= 5.4.2 (sybase vulnerability)
> Author: Werro [werro@xxxxxxx]
> Release Date : 12/08/04
> Risk: Low
> Vendor status: Vendor is in a big shit :)
> Reference: http://web-hack.ru/unl0ck/advisories/
>
>
> Overview:
> vpopmail is a set of programs for creating and managing
> multiple virtual domains on a qmail server.
>
> Details:
> Bugs were found in the Sybase code, in the file vsybase.c.
>
> --- Vulnerability (vsybase.c) ---
>
>   char dirbuf[156];
>   ...
>   if ( strlen(dir) > 0 ) {
>       sprintf(dirbuf, "%s/%s/%s", dom_dir, dir, user);   /* ^^^ buffer overflow */
>   } else {
>       sprintf(dirbuf, "%s/%s", dom_dir, user);           /* ^^^ buffer overflow */
>   }
>   ...
>   if ( site_size == LARGE_SITE ) {
>       sprintf( SqlBuf, LARGE_INSERT, domstr,
>                user, pass, pop, gecos, dirbuf, quota);   /* ^^^ format string */
>   } else {
>       sprintf( SqlBuf, SMALL_INSERT, SYBASE_DEFAULT_TABLE,
>                user, domain, pass, pop, gecos, dirbuf, quota);   /* ^^^ format string */
>   }
>
> ------------------------------------
> Two vulnerabilities: format string and buffer overflow.
> The latest version is vulnerable.
>
> To avoid these bugs, you must use snprintf() with a format like "%s".
>
> 12/08/04.
> (c) by unl0ck team.
> http://web-hack.ru/unl0ck
Hi,

A quick look appears to show that the user parameter is limited to 32 bytes 
(checked and assigned before, pw_name), and pw_dir to 160 bytes, so it all 
depends on the VPOPMAILDIR for exploitation I guess...
Though you should note that pw_dir is not really controlled by the user, but 
rather by the OS's mail dir settings, usually Mail/ ... 

This makes the bug very hard to exploit, but possible on some systems.

Another quick look appears to show that there is no format string 
vulnerability as both SMALL_INSERT and LARGE_INSERT are:
#define LARGE_INSERT "insert into  %s \
( pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
values \
( '%s', '%s', %d, 0, '%s', '%s', '%s' )"

#define SMALL_INSERT "insert into  %s \
( pw_name, pw_domain, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
values \
( '%s', '%s', '%s', %d, 0, '%s', '%s', '%s' )"

So a format is provided for both functions.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441
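As an added illustration (this is not vpopmail's code, nor anything from the advisory or the reply above), the following shows the bounded replacement for the dirbuf sprintf() that the advisory recommends, with the truncation check that snprintf() alone does not give you, and a small helper that works through the arithmetic from the reply: a 160-byte pw_dir against a 156-byte dirbuf. The 156/32/160 sizes come from the thread; the sample paths and the function names are my own.

```c
#include <stdio.h>
#include <string.h>

/* Sizes quoted in the thread: dirbuf is 156 bytes, the user name is
 * limited to 32 bytes and pw_dir (dom_dir below) to 160 bytes. */
#define DIRBUF_SIZE 156

/* Original pattern, shown only for contrast:
 *     sprintf(dirbuf, "%s/%s/%s", dom_dir, dir, user);
 * A dom_dir of up to 160 bytes alone exceeds the 156-byte buffer, so
 * no later check can make the unbounded call safe. */

/* Hardened replacement: a fixed format string, a bounded write, and an
 * explicit truncation check.  Returns 0 on success, -1 if the path does
 * not fit; callers must treat -1 as an error, not use the cut-off path. */
int build_dirbuf(char *dirbuf, size_t bufsize,
                 const char *dom_dir, const char *dir, const char *user)
{
    int n;
    if (dir != NULL && strlen(dir) > 0)
        n = snprintf(dirbuf, bufsize, "%s/%s/%s", dom_dir, dir, user);
    else
        n = snprintf(dirbuf, bufsize, "%s/%s", dom_dir, user);
    /* snprintf returns the length it wanted: >= bufsize means truncated,
     * < 0 means an encoding error. */
    if (n < 0 || (size_t)n >= bufsize) {
        dirbuf[0] = '\0';
        return -1;
    }
    return 0;
}

/* Boundary helper: does a dom_dir of dom_len bytes plus "/" + user fit? */
int fits_with_dom_len(size_t dom_len, const char *user)
{
    char dom[256], buf[DIRBUF_SIZE];
    if (dom_len >= sizeof dom) return 0;
    memset(dom, 'a', dom_len);           /* constructed dom_dir of dom_len bytes */
    dom[dom_len] = '\0';
    return build_dirbuf(buf, sizeof buf, dom, "", user) == 0;
}

/* Self-check on two constructed paths; 1 if both are built correctly. */
int sample_paths_ok(void)
{
    char buf[DIRBUF_SIZE];
    const char *dom = "/home/vpopmail/domains/example.com";   /* constructed */
    if (build_dirbuf(buf, sizeof buf, dom, "", "alice") != 0) return 0;
    if (strcmp(buf, "/home/vpopmail/domains/example.com/alice") != 0) return 0;
    if (build_dirbuf(buf, sizeof buf, dom, "users", "bob") != 0) return 0;
    return strcmp(buf, "/home/vpopmail/domains/example.com/users/bob") == 0;
}
```

With a five-character user name the cut-off falls at a 149-byte dom_dir: 149 + 1 + 5 = 155 still fits in 156 bytes with the terminator, 150 does not, and the 160-byte pw_dir limit from the reply is rejected outright instead of overflowing.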