TUCoPS :: Unix :: General :: vpmail-1.htm

Vpopmail - run arbitrary code
Vulnerability
 vpopmail
Affected
 vpopmail-3.4.11
Description
 H.D. Moore found the following. The vpopmail package is an extension
 for Qmail that allows easy management of virtual domains and can
 use a SQL backend for storing user accounts. The program vchkpw
 in that package contains a format string vulnerability in its logging routines.
 The vchkpw program handles the username/password/domain
 authorization for Qmail's services, including the pop3 daemon. By
 passing formatting strings as a username/password when
 authenticating against the server, an attacker can run arbitrary
 code on the system with the privileges of the calling process.
 Vulnerable versions include all releases prior to 4.8 that have
 been compiled with the --enable-logging=y option. Your system is
 remotely exploitable if you use vchkpw to authorize users in
 conjunction with a network service (qmail-popup).
 The following demonstrates the bug using the Qmail pop3 daemon
 (qmail-popup):
 hdm@atrophy:~> telnet mail.myhost.com 110
 Trying A.B.C.D...
 Connected to mail.myhost.com.
 Escape character is '^]'.
 +OK <2334.961909661@mail.myhost.com>
 user %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
 +OK
 pass %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
 -ERR aack, child crashed
 Connection closed by foreign host.
 hdm@atrophy:~>
 The problem lies in the fact that the syslog function is passed only
 two arguments, with the second argument containing user-supplied
 data. The syslog function then treats its second argument as the
 format string and each argument after that as a parameter to
 vsprintf(). So what happens when you call vsprintf() with a format
 string containing printf formatting sequences and no arguments to
 supply the data for those sequences? Bad things. The system
 expands those sequences with the next thing off the stack,
 allowing all sorts of nasty tricks ranging from changing the
 values of internal variables to executing a shell. The offending
 code follows:
 <----[ log_exit() in vchkpw.c ]---->
 <---------------------------------->
 
 void log_exit( int syslog_level, int exit_code, char *fmt, ... )
 {
     char tmpbuf[300];
     va_list ap;

     if ( ENABLE_LOGGING > 0 ) {
         va_start(ap, fmt);
         vsprintf(tmpbuf, fmt, ap);      /* user data is copied into tmpbuf */
         syslog(syslog_level, tmpbuf);   /* tmpbuf is then used as the format string */
     }

 #ifdef DEBUG
     vfprintf(stderr, fmt, ap);
     fprintf(stderr, "\n");
 #endif

     if ( ENABLE_LOGGING > 0 ) {
         va_end(ap);
     }

     exit(exit_code);
 }
 Please keep in mind that the parameters passed to this function
 are global 100-byte character arrays containing the username,
 domain, password and IP address. Because those arrays are passed as
 arguments to the first vsprintf() rather than as part of fmt, any
 formatting sequences they contain are copied into tmpbuf unchanged;
 they are only interpreted when syslog() uses tmpbuf as its format
 string, not by the vsprintf() that runs before the syslog().
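 The following is an added example, not code from vpopmail or from the
 advisory, showing the two changes that close this class of bug: the
 log line is built with a bounded vsnprintf(), and syslog() is handed a
 constant "%s" format with the buffer as an argument, so user-supplied
 text is never interpreted as a format string. It also includes a small
 detector that counts bare printf directives in a field, which a POP3
 front end or log-review script can apply to usernames and passwords to
 flag probes like the one in the transcript above. The function names,
 the log message wording, and the sample values (example.test,
 192.0.2.1) are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

/* Count printf conversion directives in a string: every '%' that is not
 * part of an escaped "%%". A legitimate username or domain almost never
 * contains a bare '%', so a nonzero count on a login attempt is a useful
 * detection signal. (Hypothetical helper, not part of vpopmail.) */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is an escaped literal percent */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the log line with a constant format string and bounded output.
 * The user-controlled fields are passed as %s arguments, so any '%' they
 * contain is copied literally into out. Returns the length written, or
 * -1 on error. (Message wording is constructed for this example.) */
int format_log_line(char *out, size_t outsz, const char *user,
                    const char *domain, const char *ip)
{
    int n = snprintf(out, outsz, "vchkpw: password fail %s@%s from %s",
                     user, domain, ip);
    if (n < 0)
        return -1;
    /* snprintf returns the would-be length; clamp to what was stored */
    return n >= (int)outsz ? (int)outsz - 1 : n;
}

/* Hardened counterpart of the advisory's log_exit(): the formatted buffer
 * goes to syslog() as an argument behind a constant "%s" format, never as
 * the format itself, and the write into tmpbuf is bounded. */
void log_exit_fixed(int syslog_level, int exit_code, const char *fmt, ...)
{
    char tmpbuf[300];
    va_list ap;

    va_start(ap, fmt);
    vsnprintf(tmpbuf, sizeof tmpbuf, fmt, ap);
    va_end(ap);
    syslog(syslog_level, "%s", tmpbuf);   /* constant format; tmpbuf is data */
    exit(exit_code);
}

int main(void)
{
    char line[300];
    const char *user = "%s%s%s%s";     /* constructed probe-style username */

    format_log_line(line, sizeof line, user, "example.test", "192.0.2.1");
    printf("log line: %s\n", line);
    printf("directives in username: %d\n", count_format_directives(user));
    return 0;
}
```

 The "%s" wrapper is the same fix that applies to any printf-family
 sink (syslog, fprintf, snprintf) that receives a buffer built from
 untrusted input; compilers can also flag non-literal format strings
 in such calls, which is worth enabling on any code that logs
 authentication data.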
Solution
 The latest release of vpopmail (4.8 - June/27/2000) can be
 downloaded from
 http://www.inter7.com/vpopmail/
 All earlier versions were removed from the site to prevent the
 spread of vulnerable releases.
