Bugtraq mailing list archives
[2Cents on] vpopmail <= 5.4.2 (sybase vulnerability)
From: bugtraq () beyondsecurity com
Date: Wed, 18 Aug 2004 13:47:12 +0300
On Tuesday 17 August 2004 13:44, Jérôme ATHIAS wrote:
Bug: format string and buffer overflow (sybase)
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [werro () list ru]
Release Date: 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://web-hack.ru/unl0ck/advisories/

Overview:
vpopmail is a set of programs for creating and managing multiple virtual domains on a qmail server.

Details:
Bugs were found in the Sybase backend, in the vsybase.c file.

----------------------------------- Vulnerability -----------------------------------
    char dirbuf[156];
    ...
    if ( strlen(dir) > 0 )
    {
        sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);
        ^^^^^^^ - buffer overflow
    }else{
        sprintf(dirbuf, "%s/%s", dom_dir, user);
        ^^^^^^^ - buffer overflow
    }
    ...
    if ( site_size == LARGE_SITE ) {
        sprintf( SqlBuf, LARGE_INSERT, domstr,
            user, pass, pop, gecos, dirbuf, quota);
        ^^^^^^^ - format string
    } else {
        sprintf( SqlBuf, SMALL_INSERT,
            SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf, quota);
        ^^^^^^^ - format string
    }
-------------------------------------------------------------------------------------

Two vulnerabilities: format string and buffer overflow.
Latest Version is Vulnerable.
To avoid these bugs, you must use snprintf() with a format like "%s".

12/08/04. (c) by unl0ck team. http://web-hack.ru/unl0ck
Hi,

A quick look appears to show that the user parameter is limited to 32 bytes (checked and assigned before, pw_name), and pw_dir to 160 bytes, so it all depends on the VPOPMAILDIR for exploitation I guess... Though you should note that pw_dir is not really controlled by the user, but rather by the OS's mail dir settings, usually Mail/ ... This makes it very hard to exploit, but possible on some systems.

Another quick look appears to show that there is no format string vulnerability as both SMALL_INSERT and LARGE_INSERT are:

#define LARGE_INSERT "insert into %s \
    ( pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
    values \
    ( '%s', '%s', %d, 0, '%s', '%s', '%s' )"

#define SMALL_INSERT "insert into %s \
    ( pw_name, pw_domain, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
    values \
    ( '%s', '%s', '%s', %d, 0, '%s', '%s', '%s' )"

So a format is provided for both functions.

--
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.
Join the SecuriTeam community on Orkut: http://www.orkut.com/Community.aspx?cmm=44441
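A bounded replacement for the dirbuf construction debated above, written here as an added example (it is neither vpopmail's code nor either poster's). The 156-byte buffer and the 32-byte user limit come from the thread; the domain-directory lengths, the scratch buffer and the helper names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DIRBUF_SIZE 156   /* same size as dirbuf in the quoted vsybase.c excerpt */
#define MAX_USER    32    /* pw_name limit mentioned in the reply */

char g_dirbuf[DIRBUF_SIZE];   /* scratch buffer for callers of build_dirbuf() */

/* Bounded replacement for the two sprintf() calls that fill dirbuf.
 * Returns 0 on success, -1 if the full path would not fit; on -1 the
 * buffer holds an empty string, not a silently truncated path. */
int build_dirbuf(char *out, size_t outsz,
                 const char *dom_dir, const char *dir, const char *user)
{
    int n;
    if (dir != NULL && dir[0] != '\0')
        n = snprintf(out, outsz, "%s/%s/%s", dom_dir, dir, user);
    else
        n = snprintf(out, outsz, "%s/%s", dom_dir, user);
    /* snprintf returns the length it wanted; n >= outsz means truncation */
    if (n < 0 || (size_t)n >= outsz) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Up-front worst-case check: does "dom_dir/[dir/]user" plus the NUL fit in
 * bufsz bytes? Returns 1 if it fits, 0 if sprintf() would have overflowed. */
int dirbuf_fits(size_t bufsz, const char *dom_dir, const char *dir, const char *user)
{
    size_t need = strlen(dom_dir) + 1 + strlen(user) + 1;   /* "dom/user\0" */
    if (dir != NULL && dir[0] != '\0')
        need += strlen(dir) + 1;                             /* "/dir" */
    return need <= bufsz;
}

/* Constructed scenario from the thread: a domain directory of dom_len bytes
 * (standing in for a long VPOPMAILDIR), no hashed subdirectory, and a 32-byte
 * user name, built into a 156-byte dirbuf. Returns 0 if it fits, -1 if rejected. */
int run_length_scenario(size_t dom_len)
{
    char dom_dir[256], user[MAX_USER + 1], dirbuf[DIRBUF_SIZE];
    if (dom_len >= sizeof dom_dir)
        return -2;
    memset(dom_dir, 'd', dom_len); dom_dir[dom_len] = '\0';
    memset(user, 'u', MAX_USER);   user[MAX_USER] = '\0';
    return build_dirbuf(dirbuf, sizeof dirbuf, dom_dir, "", user);
}
```

With a 32-byte user and no subdirectory, a domain directory of 122 bytes is the longest that still fits; 123 or more is rejected instead of overflowing.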
Current thread:
- vpopmail <= 5.4.2 (sybase vulnerability) Jérôme (Aug 17)
- [2Cents on] vpopmail <= 5.4.2 (sybase vulnerability) bugtraq (Aug 20)