Home page logo
/

bugtraq logo Bugtraq mailing list archives

[2Cents on] vpopmail <= 5.4.2 (sybase vulnerability)
From: bugtraq () beyondsecurity com
Date: Wed, 18 Aug 2004 13:47:12 +0300

On Tuesday 17 August 2004 13:44, JXrXme ATHIAS wrote:
Bug: format string and buffer overflow (sybase)
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [werro () list ru]
Realease Date : 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://web-hack.ru/unl0ck/advisories/


Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.

Details:
Bugs were founded in SyBase. In vsybase.c file.

-------------------\
 char dirbuf[156]; 
\__Vulnerability___________________________________________________ ...    
                                                                           
  | if ( strlen(dir) > 0 )                                                 
              | {                                                          
                          | sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);  
                                      | ^^^^^^^ - buffer overflow          
                                                  | }else{                 
                                                              |
sprintf(dirbuf, "%s/%s", dom_dir, user);                                   
          | ^^^^^^^ - buffer overflow                                      
                      | }                                                  
                                  | ...                                    
                                              |

 if ( site_size == LARGE_SITE ) {                                          
           | sprintf( SqlBuf, LARGE_INSERT, domstr,                        
        | user, pass, pop, gecos, dirbuf, quota);                          
     | ^^^^^^^ - format string                                             
  | } else {                                                               
       | sprintf( SqlBuf, SMALL_INSERT,                                    
    | SYBASE_DEFAULT_TABLE,  user, domain, pass, pop, gecos, dirbuf,
quota); | }       ^^^^^^^ - format string 
______________________________________________|
----------------------------------------/
Two vulnerability : format string and buffer overflow.
Latest Version is Vulnerable.

To avoid this bugs, you must use snprintf() with format like "%s".

12/08/04.
(c) by unl0ck team.
http://web-hack.ru/unl0ck
Hi,

A quick look appears to show that the user parameter is limited to 32 bytes 
(checked and assigned before, pw_name), and pw_dir to 160 bytes, so it all 
depends on the VPOPMAILDIR for exploitation I guess...
Though you should note that pw_dir is not really controlled by the user, but 
rather by the OS's mail dir settings, usually Mail/ ... 

Making this exploit very hard to exploit, but possible on some systems.

Another quick look appears to show that there is no format string 
vulnerability as both SMALL_INSERT and LARGE_INSERT are:
#define LARGE_INSERT "insert into  %s \
( pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
values \
( '%s', '%s', %d, 0, '%s', '%s', '%s' )"

#define SMALL_INSERT "insert into  %s \
( pw_name, pw_domain, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) 
\
values \
( '%s', '%s', '%s', %d, 0, '%s', '%s', '%s' )"

So a format is provided for both functions.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault