[thelist] [Fwd: vpopmail-3.4.11 problems]

Anthony Baratta Anthony at Baratta.com
Fri Jun 30 19:34:26 CDT 2000


FYI...

I found this on BugTraq. I think a few people here are using vpopmail.

H D Moore wrote:
> 
> The vpopmail package is an extension for Qmail that allows easy
> management of virtual domains and can use a SQL backend for storing
> user accounts.  The program vchkpw in that package contains a
> vulnerability in its logging routines.
> 
> The vchkpw program handles the username/password/domain authorization
> for Qmail's services, including the pop3 daemon. By passing formatting
> strings as a username/password when authenticating against the server,
> an attacker can run arbitrary code on the system with the privileges of
> the calling process.
> 
> Vulnerable versions include all releases prior to 4.8 that have been
> compiled with the --enable-logging=y option.  Your system is remotely
> exploitable if you use vchkpw to authorize users in conjunction with a
> network service (qmail-popup).
> 
> The following demonstrates the bug using the Qmail pop3 daemon
> (qmail-popup):
> 
> hdm at atrophy:~ > telnet mail.myhost.com 110
> Trying A.B.C.D...
> Connected to mail.myhost.com.
> Escape character is '^]'.
> +OK <2334.961909661 at mail.myhost.com>
> user %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
> +OK
> pass %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
> -ERR aack, child crashed
> Connection closed by foreign host.
> hdm at atrophy:~ >
> 
> The latest release of vpopmail (4.8 - June/27/2000) can be downloaded
> from http://www.inter7.com/vpopmail/ .  All earlier versions were removed
> from the site to prevent the spread of vulnerable releases. I have heard
> of a generic exploit for any program with the same type of formatting
> bug, so please upgrade ASAP. (and no, I don't have it, so don't ask me)
> 
> The problem lies in the fact that the syslog function is passed only two
> arguments, with the second argument containing user-supplied data.  The
> syslog function then passes its second argument as the format string and
> each argument after that as parameters to vsprintf().  So what happens
> when you call vsprintf() with a fmt string containing printf formatting
> sequences and no arguments to supply the data for those sequences?  Bad
> things.  The system expands those sequences with the next thing off the
> stack, allowing all sorts of nasty tricks ranging from changing the
> values of internal variables to executing a shell.  The offending code
> follows:
> 
> <----[ log_exit() in vchkpw.c ]---->
> <---------------------------------->
> 
> void log_exit( int syslog_level, int exit_code, char *fmt, ... )
> {
>         char tmpbuf[300];
>         va_list ap;
> 
>         if ( ENABLE_LOGGING > 0 ) {
>                 va_start(ap,fmt);
>                 vsprintf(tmpbuf, fmt, ap );
>                 syslog(syslog_level, tmpbuf );
>         }
> 
> #ifdef DEBUG
>         vfprintf(stderr, fmt, ap);
>         fprintf(stderr, "\n");
> #endif
> 
>         if ( ENABLE_LOGGING > 0 ) {
>                 va_end(ap);
>         }
> 
>         exit(exit_code);
> }
> 
> <---------------------------------->
> 
> Please keep in mind that the parameters passed to this function are
> global 100-byte character arrays, containing the username, domain,
> password and IP address.  When I first found the bug, I was sure that I
> could overflow tmpbuf by expanding the size of the input fmt buffer with
> formatting strings.  What actually happens is that the formatting strings
> aren't expanded until they are parsed by vsprintf() inside the syslog()
> function, instead of the vsprintf() before the syslog().
> 
> I want to thank Ken Jones (the maintainer/developer of vpopmail) for a
> quick response and Lamagra Argamal for his excellent mini-paper on
> exploiting format bugs.
> 
> -HD
> 
> http://www.secureaustin.com
> http://www.digitaldefense.net
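A hardened version of the quoted log_exit(), added here as an example; it is not taken from the advisory or from vpopmail's own 4.8 fix, and the 300-byte buffer and the function signature are assumed from the snippet above.

```c
/* Added example (not from the advisory or the vpopmail 4.8 release): a
 * hardened log_exit() in the style of vchkpw.c.  Two changes close the bug:
 *   1. vsnprintf() bounds the write into tmpbuf, so oversized input is cut;
 *   2. syslog() gets a constant "%s" format, so user data is never parsed
 *      as a format string. */
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>

#define LOG_BUF_SIZE 300   /* same size as the original tmpbuf (assumed) */

/* Format a log line into out (capacity n); always NUL-terminates.
 * Returns how many bytes were truncated (0 when everything fit). */
size_t vformat_log_line(char *out, size_t n, const char *fmt, va_list ap)
{
    if (n == 0) return 0;          /* nothing to write into */
    int needed = vsnprintf(out, n, fmt, ap);
    if (needed < 0) {              /* encoding error: log nothing */
        out[0] = '\0';
        return 0;
    }
    return (size_t)needed >= n ? (size_t)needed - (n - 1) : 0;
}

/* Variadic wrapper; the caller's data is passed as arguments, never as fmt. */
size_t format_log_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    size_t truncated = vformat_log_line(out, n, fmt, ap);
    va_end(ap);
    return truncated;
}

/* Drop-in replacement for the vulnerable log_exit() quoted above. */
void log_exit(int syslog_level, int exit_code, const char *fmt, ...)
{
    char tmpbuf[LOG_BUF_SIZE];
    va_list ap;

    va_start(ap, fmt);
    vformat_log_line(tmpbuf, sizeof tmpbuf, fmt, ap);
    va_end(ap);

    syslog(syslog_level, "%s", tmpbuf);   /* constant format, data as argument */
    exit(exit_code);
}
```

With this shape, a username of `%s%s%s%s` is logged literally, and a combined input longer than tmpbuf is truncated instead of overrunning the stack.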