Format string and buffer-overflow in SurgeMail 38k4
#######################################################################
Luigi Auriemma
Application: SurgeMail Mail Server
http://netwinsite.com/surgemail/
Netwin's WebMail
http://netwinsite.com/webmail/
Versions: SurgeMail <= 38k4 and beta 39a
Netwin's WebMail <= 3.1s (only bug A)
Platforms: Windows, Linux, FreeBSD, MacOSX and Solaris
Bugs: A] format string in webmail.exe's page command
B] buffer-overflow in the building of environment strings
Exploitation: remote
Date: 25 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@xxxxxxxxxxxxx
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
SurgeMail is a well known commercial multiplatform mail server which
supports many protocols.
#######################################################################
=======
2) Bugs
=======
----------------------------------------------
A] format string in webmail.exe's page command
----------------------------------------------
The CGI used for the handling of the webmail interface (webmail.exe) is
affected by a format string vulnerability in the function which builds
the error message when a wrong page is requested and passes it directly
to lvprintf without the needed format argument:
"TPL: Failed to Locate Template
{c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}"
Sample URL for exploiting the vulnerability:
http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s
---------------------------------------------------------
B] buffer-overflow in the building of environment strings
---------------------------------------------------------
A buffer overflow vulnerability is located in the function which
handles the real CGI executables (which must be not confused with the
.cgi virtual files like user.cgi, admin.cgi and so on).
When the server receives a HTTP request for a real CGI (like for
example webmail.exe) it uses a buffer of about 20000 bytes for storing
all the environment strings which will be passed to the called program.
The HTTP fields passed by the client in his request are truncated at
200 bytes for the parameter and 800 for its value and are added as
environment variables (HTTP_parameter=value).
The lack of checks on the size of this environment buffer leads to a
buffer-overflow, anyway although is possible to control some registers
code execution is not certain.
Naturally both the surgemail and the swatch (port 7027) processes are
affected by this vulnerability.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/surgemailz.zip
#######################################################################
======
4) Fix
======
No fix
#######################################################################
---
Luigi Auriemma
http://aluigi.org