Bugtraq mailing list archives

IIL Advisory: Format String bug in Null Webmail (0.6.3)


From: DownBload <downbload () hotmail com>
Date: 25 Sep 2002 09:04:32 -0000




                 [ Illegal Instruction Labs Advisory ]
[-------------------------------------------------------------------------]
Advisory name: Format String bug in Null Webmail (0.6.3)
Advisory number: 7
Application: Null Webmail 0.6.3
Author: Dan Cahill
E-mail: cahill () nulllogic com
Homepage: http://www.nulllogic.com/webmail/
Date: 1.07.2002
Impact: I don't know (yet)
Tested on: nowhere
Discovered by: DownBload
Mail me @: downbload () hotmail com




======[ Overview

Null Webmail is a CGI interface to SMTP and POP3 servers (you can read and
send mail with your browser). It is written in C. You can find Null
Webmail on SourceForge.




======[ Problem

Null Webmail has a format string bug in logdata() and wmprintf(), but
logdata() is commented out inside /* */, so logdata() isn't interesting to us.

Here comes the buggy code:

---[ wmserver.c
...
/*
void logdata(const char *format, ...)  // <--- NOT INTERESTING (whole function is commented out)
{
        char logbuffer[1024];
        char file[200];
        va_list ap;
        FILE *fp;

#ifdef WIN32
        snprintf(file, sizeof(file)-1, "C:\\webmail.log");
#else
        snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
#endif
        fp=fopen(file, "a");
        if (fp!=NULL) {
                va_start(ap, format);
                vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
                va_end(ap);
                fprintf(fp, "%s", logbuffer);
                fclose(fp);
        }
}
*/


int wmprintf(const char *format, ...)    /* <--- INTERESTING FUNCTION */
{
        char buffer[1024];
        va_list ap;

        va_start(ap, format);
        vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING
        va_end(ap);
        send(wmsocket, buffer, strlen(buffer), 0);
//      logdata (">> %s", buffer);
        return 0;
}
...

---[ calls to wmprintf()

...
wmprintf("USER %s\r\n", wmusername);
...
wmprintf("PASS %s\r\n", wmpassword);
...
wmprintf("MAIL From: %s\r\n", ptemp);
...
wmprintf("RCPT To: <%s>\r\n", msgaddr);
...
wmprintf("From: %s\r\n", wmaddress);
wmprintf("To: %s\r\n", msgto);
...
wmprintf("Subject: %s\r\n", msgsubject);
...
etc.

Here we have a few wmprintf() calls, and I think that we can put our
'NASTY %sTRING' in all of those variables :).
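Every call listed above hands the request data to vsnprintf() through a literal "%s" format, so the '%' characters in the data are copied, not interpreted; a wrapper like wmprintf() only becomes a format string sink at a call site that passes such data as the format argument itself. The following is an added example, not code from the advisory or from Null Webmail: wm_format() mirrors the wrapper but writes to a buffer so the listed call pattern can be exercised offline, and wmprintf_call_has_literal_format() is the call-site audit a reviewer would run; those names and the GCC/Clang format attribute are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the advisory or Null Webmail. wm_format()
 * has the shape of wmprintf(), a printf-style wrapper around vsnprintf(),
 * but writes to a caller-supplied buffer instead of the socket.
 * The format attribute is an assumption (GCC/Clang): with -Wformat
 * -Wformat-security the compiler then warns at any call site that passes
 * a non-literal format, the only way such a wrapper becomes a sink. */
__attribute__((format(printf, 3, 4)))
int wm_format(char *out, size_t outlen, const char *format, ...)
{
        va_list ap;
        va_start(ap, format);
        vsnprintf(out, outlen, format, ap);   /* mirrors wmprintf()'s vsnprintf() */
        va_end(ap);
        return (int)strlen(out);
}

/* Constructed request field carrying conversion specifiers, in the
 * spirit of the advisory's 'NASTY %sTRING'. */
static const char *nasty_user = "bob%x%x%s";

/* The pattern at every listed call site: literal format, data via %s.
 * vsnprintf() copies the argument byte for byte, so the '%' sequences
 * in the data reach the output uninterpreted. Returns 1 when that holds. */
int literal_format_keeps_data_verbatim(void)
{
        char buf[1024];
        wm_format(buf, sizeof(buf), "USER %s\r\n", nasty_user);
        return strcmp(buf, "USER bob%x%x%s\r\n") == 0;
}

/* What to audit at the call sites: is the first argument to wmprintf()
 * a string literal? A textual check over one source line, standing in
 * for grep or the compiler warning above. Returns 1 for a literal
 * format, 0 for a non-literal one, -1 if the line is not a wmprintf() call. */
int wmprintf_call_has_literal_format(const char *line)
{
        const char *p = strstr(line, "wmprintf(");
        if (p == NULL)
                return -1;
        p += strlen("wmprintf(");
        while (*p == ' ' || *p == '\t')
                p++;
        return *p == '"';
}
```

The same check the compiler performs: a call such as wmprintf(buffer) with no format literal is the one worth reporting, while the USER/PASS/MAIL/RCPT lines above pass it.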




======[ Example

I can't test this bug!!!
If I'm wrong about this format string bug in Null Webmail, I'm very sorry.




======[ Greetz

Greetz goes to #hr.hackers & #linux <irc.carnet.hr>. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero & 
Paradox).

