Home page logo
/

bugtraq logo Bugtraq mailing list archives

vpopmail <= 5.4.2 (sybase vulnerability)
From: "Jérôme" ATHIAS <jerome.athias () caramail com>
Date: 17 Aug 2004 10:44:52 -0000



Bug: format string and buffer overflow (sybase)
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [werro () list ru]
Realease Date : 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://web-hack.ru/unl0ck/advisories/


Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.

Details:
Bugs were founded in SyBase. In vsybase.c file.

-------------------\
 char dirbuf[156];  \__Vulnerability___________________________________________________
 ...                                                                                   |
 if ( strlen(dir) > 0 )                                                                |
 {                                                                                     |
 sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);                                         |
 ^^^^^^^ - buffer overflow                                                             |
 }else{                                                                                |
 sprintf(dirbuf, "%s/%s", dom_dir, user);                                              |
 ^^^^^^^ - buffer overflow                                                             |
 }                                                                                     |
 ...                                                                                   |
                                                                                       |
 if ( site_size == LARGE_SITE ) {                                                      |
                sprintf( SqlBuf, LARGE_INSERT, domstr,                                 |
                user, pass, pop, gecos, dirbuf, quota);                                |
                ^^^^^^^ - format string                                                |
        } else {                                                                       |
                sprintf( SqlBuf, SMALL_INSERT,                                         |
                SYBASE_DEFAULT_TABLE,  user, domain, pass, pop, gecos, dirbuf, quota); |
        }       ^^^^^^^ - format string  ______________________________________________|
----------------------------------------/
Two vulnerability : format string and buffer overflow.
Latest Version is Vulnerable.

To avoid this bugs, you must use snprintf() with format like "%s".

12/08/04.
(c) by unl0ck team.
http://web-hack.ru/unl0ck


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]