Bugtraq mailing list archives
vpopmail-3.4.11 problems
From: hdm () SECUREAUSTIN COM (H D Moore)
Date: Thu, 29 Jun 2000 17:50:16 -0500
The vpopmail package is an extension for Qmail that allows easy management of virtual domains and can use a SQL backend for storing user accounts. The program vchkpw in that package contains a vulnerability in its logging routines. The vchkpw program handles the username/password/domain authorization for Qmail's services, including the pop3 daemon. By passing formatting strings as a username/password when authenticating against the server, an attacker can run arbitrary code on the system with the privileges of the calling process.

Vulnerable versions include all releases prior to 4.8 that have been compiled with the --enable-logging=y option. Your system is remotely exploitable if you use vchkpw to authorize users in conjunction with a network service (qmail-popup).

The following demonstrates the bug using the Qmail pop3 daemon (qmail-popup):

hdm@atrophy:~ > telnet mail.myhost.com 110
Trying A.B.C.D...
Connected to mail.myhost.com.
Escape character is '^]'.
+OK <2334.961909661 () mail myhost com>
user %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
+OK
pass %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
-ERR aack, child crashed
Connection closed by foreign host.
hdm@atrophy:~ >

The latest release of vpopmail (4.8 - June/27/2000) can be downloaded from http://www.inter7.com/vpopmail/ . All earlier versions were removed from the site to prevent the spread of vulnerable releases. I have heard of a generic exploit for any program with the same type of formatting bug, so please upgrade ASAP. (and no I don't have it so don't ask me )

The problem lies in the fact that the syslog function is passed only two arguments, with the second argument containing user supplied data. The syslog function then passes its second argument as the format string and each argument after that as parameters to vsprintf(). So what happens when you call vsprintf() with a fmt string containing printf formatting sequences and no arguments to supply the data for those sequences?

Bad things. The system expands those sequences with the next thing off the stack, allowing all sorts of nasty tricks ranging from changing the values of internal variables to executing a shell. The offending code follows:

<----[ log_exit() in vchkpw.c ]---->
<---------------------------------->

void log_exit( int syslog_level, int exit_code, char *fmt, ... )
{
    char tmpbuf[300];
    va_list ap;

    if ( ENABLE_LOGGING > 0 ) {
        va_start(ap,fmt);
        vsprintf(tmpbuf, fmt, ap );
        /* tmpbuf, built from user-supplied data, is passed as the format string */
        syslog(syslog_level, tmpbuf );
    }

#ifdef DEBUG
    vfprintf(stderr, fmt, ap);
    fprintf(stderr, "\n");
#endif

    if ( ENABLE_LOGGING > 0 ) {
        va_end(ap);
    }
    exit(exit_code);
}

<---------------------------------->

Please keep in mind that the parameters passed to this function are global 100-byte character arrays, containing the username, domain, password and IP address. When I first found the bug, I was sure that I could overflow tmpbuf by expanding the size of the input fmt buffer with formatting strings. What actually happens is that the formatting strings aren't expanded until they are parsed by vsprintf() inside the syslog() function, instead of the vsprintf() before the syslog().

I want to thank Ken Jones (the maintainer/developer of vpopmail) for a quick response and Lamagra Argamal for his excellent mini-paper on exploiting format bugs.

-HD
http://www.secureaustin.com
http://www.digitaldefense.net
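As an added example (not code from the advisory or from vpopmail itself), here is the shape a hardened log_exit() takes: user data reaches syslog() only as an argument to a fixed "%s" format, and vsnprintf() bounds tmpbuf. A small audit helper counts the conversions a string would consume if it were ever misused as a format, which is a useful check on inputs and on log lines while legacy code is being fixed. Function names and the sample log message are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical hardened replacement for log_exit()'s logging step: fmt is a
 * literal chosen by the caller, and tmpbuf (which holds user data) is handed
 * to syslog() as data, never as the format string. vsnprintf() bounds tmpbuf. */
void log_safe(int level, const char *fmt, ...)
{
    char tmpbuf[300];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(tmpbuf, sizeof tmpbuf, fmt, ap);
    va_end(ap);
    syslog(level, "%s", tmpbuf);   /* fixed format: tmpbuf cannot be interpreted */
}

/* Build the message in a caller-supplied buffer and return its length. With a
 * fixed format, a username such as "%s%s%s" is copied literally rather than
 * expanded from the stack. The message text is a constructed example. */
int format_login_failure(char *out, size_t outsz,
                         const char *user, const char *domain, const char *ip)
{
    snprintf(out, outsz, "vchkpw: password fail %s@%s from %s", user, domain, ip);
    return (int)strlen(out);
}

/* Audit check: count printf conversions a string would consume if it were ever
 * used as a format string. "%%" is a literal percent and does not count.
 * A legitimate username or domain scores 0; anything else deserves a look. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent: skip both characters */
            s++;
            continue;
        }
        count++;
    }
    return count;
}
```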