Date: Thu, 29 Jun 2000 17:50:16 -0500
From: H D Moore <hdm@SECUREAUSTIN.COM>
Subject: vpopmail-3.4.11 problems
To: BUGTRAQ@SECURITYFOCUS.COM

The vpopmail package is an extension for Qmail that allows easy management of virtual domains and can use a SQL backend for storing user accounts. The program vchkpw in that package contains a vulnerability in its logging routines. vchkpw handles the username/password/domain authorization for Qmail's services, including the pop3 daemon. By passing format strings as the username or password when authenticating against the server, an attacker can run arbitrary code on the system with the privileges of the calling process.

Vulnerable versions include all releases prior to 4.8 that have been compiled with the --enable-logging=y option. Your system is remotely exploitable if you use vchkpw to authorize users in conjunction with a network service (qmail-popup).

The following demonstrates the bug using the Qmail pop3 daemon (qmail-popup):

hdm@atrophy:~ > telnet mail.myhost.com 110
Trying A.B.C.D...
Connected to mail.myhost.com.
Escape character is '^]'.
+OK <2334.961909661@mail.myhost.com>
user %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
+OK
pass %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
-ERR aack, child crashed
Connection closed by foreign host.
hdm@atrophy:~ >

The latest release of vpopmail (4.8 - June/27/2000) can be downloaded from http://www.inter7.com/vpopmail/ . All earlier versions were removed from the site to prevent the spread of vulnerable releases. I have heard of a generic exploit for any program with the same type of format bug, so please upgrade ASAP. (And no, I don't have it, so don't ask me.)

The problem lies in the fact that the syslog function is passed only two arguments, with the second argument containing user-supplied data. The syslog function then uses its second argument as the format string and each argument after that as parameters to vsprintf().
So what happens when you call vsprintf() with a format string containing printf formatting sequences and no arguments to supply the data for those sequences? Bad things. The system expands those sequences with the next thing off the stack, allowing all sorts of nasty tricks ranging from changing the values of internal variables to executing a shell. The offending code follows:

<----[ log_exit() in vchkpw.c ]---->
<---------------------------------->
void log_exit( int syslog_level, int exit_code, char *fmt, ... )
{
    char tmpbuf[300];
    va_list ap;

    if ( ENABLE_LOGGING > 0 ) {
        va_start(ap,fmt);
        /* fmt is a caller-chosen format; user data arrives through ap */
        vsprintf(tmpbuf, fmt, ap );
        /* tmpbuf now contains the user-supplied text and is handed to
         * syslog() as its FORMAT string with no further arguments */
        syslog(syslog_level, tmpbuf );
    }

#ifdef DEBUG
    vfprintf(stderr, fmt, ap);
    fprintf(stderr, "\n");
#endif

    if ( ENABLE_LOGGING > 0 ) {
        va_end(ap);
    }
    exit(exit_code);
}
<---------------------------------->

Please keep in mind that the parameters passed to this function are global 100-byte character arrays, containing the username, domain, password and IP address. When I first found the bug, I was sure that I could overflow tmpbuf by expanding the size of the input fmt buffer with format strings. What actually happens is that the format strings aren't expanded until they are parsed by vsprintf() inside the syslog() function, instead of the vsprintf() before the syslog().

I want to thank Ken Jones (the maintainer/developer of vpopmail) for a quick response and Lamagra Argamal for his excellent mini-paper on exploiting format bugs.

-HD

http://www.secureaustin.com
http://www.digitaldefense.net
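The two defects in log_exit() are that user data reaches syslog() as its format string and that vsprintf() writes into a fixed 300-byte buffer with no bound. The following is an added example, not vpopmail's code or anything from the advisory above: it shows the same logging routine written so that the format is always a literal and the buffer is bounded, plus a small helper a defender could run over login names in POP3 logs to spot probes of the "%s%s%s" shape shown in the telnet session. The function names log_line_safe(), log_failed_login() and count_format_directives() are assumptions made for this example.

```c
/* Added example (not vpopmail's code): a bounded, format-safe variant of
 * the log_exit() pattern, plus a detector for suspicious login names.
 * All function names here are assumptions for this example. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

#define LOGBUF 300  /* same size vchkpw used for tmpbuf */

/* Render a literal, programmer-controlled format plus arguments into a
 * bounded buffer.  Returns the length the full message would have needed
 * (like vsnprintf), so a caller can notice truncation.  The buffer can
 * never overflow, whatever the arguments contain. */
int log_line_safe(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
    return needed;
}

/* Log a failed login.  Username, domain and IP are data: they are passed
 * as arguments to literal "%s" conversions and never become a format
 * string, so "%s%s%s" or "%n" in the username is logged verbatim. */
void log_failed_login(const char *user, const char *domain, const char *ip)
{
    char buf[LOGBUF];
    log_line_safe(buf, sizeof buf,
                  "vchkpw: password fail for %s@%s from %s", user, domain, ip);
    /* The fix for the vulnerable call: a literal format, buf as argument. */
    syslog(LOG_NOTICE, "%s", buf);
}

/* Detection helper: count printf-style directives in a login name.
 * Legitimate usernames essentially never contain '%' followed by a
 * conversion character; several in a row is the signature of the probe
 * shown in the advisory and is worth alerting on. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        /* p[1] must be checked before strchr: strchr(set, '\0') is non-NULL */
        if (p[0] == '%' && p[1] != '\0' && strchr("sdxnpuc", p[1]) != NULL)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample input: the probe string from the advisory. */
    const char *probe = "%s%s%s%s%s%s%s%s";
    char line[LOGBUF];
    int needed = log_line_safe(line, sizeof line,
                               "user %s failed", probe);
    printf("logged: %s (needed %d bytes)\n", line, needed);
    printf("directives in login name: %d\n", count_format_directives(probe));
    return 0;
}
```

Compile with any C99 compiler on a system with <syslog.h>. log_failed_login() writes to the real syslog, so the demonstration in main() exercises only the formatting and detection helpers; the point of the example is that the user-controlled text is now an argument rather than a format, and that the 300-byte buffer is bounded by vsnprintf() instead of vsprintf().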