Date:         Thu, 29 Jun 2000 17:50:16 -0500
From: H D Moore <hdm@SECUREAUSTIN.COM>
Subject:      vpopmail-3.4.11 problems
To: BUGTRAQ@SECURITYFOCUS.COM

The vpopmail package is an extension for Qmail that allows easy
management of virtual domains and can use a SQL backend for storing
user accounts.  The program vchkpw in that package contains a
vulnerability in its logging routines.

The vchkpw program handles the username/password/domain authorization
for Qmail's services, including the pop3 daemon. By passing formatting
strings as a username/password when authenticating against the server,
an attacker can run arbitrary code on the system with the privileges of
the calling process.

Vulnerable versions include all releases prior to 4.8 that have been
compiled with the --enable-logging=y option.  Your system is remotely
exploitable if you use vchkpw to authorize users in conjunction with a
network service (qmail-popup).

The following demonstrates the bug using the Qmail pop3 daemon
(qmail-popup):

hdm@atrophy:~ > telnet mail.myhost.com 110
Trying A.B.C.D...
Connected to mail.myhost.com.
Escape character is '^]'.
+OK <2334.961909661@mail.myhost.com>
user %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
+OK
pass %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
-ERR aack, child crashed
Connection closed by foreign host.
hdm@atrophy:~ >

The latest release of vpopmail (4.8 - June/27/2000) can be downloaded
from http://www.inter7.com/vpopmail/ .  All earlier versions were removed
from the site to prevent the spread of vulnerable releases. I have heard
of a generic exploit for any program with the same type of formatting bug,
so please upgrade ASAP. (and no I don't have it so don't ask me )

The problem lies in the fact that the syslog function is passed only two
arguments, with the second argument containing user supplied data.  The
syslog function then passes its second argument as the format string and
each argument after that as parameters to vsprintf().  So what happens
when you call vsprintf() with a fmt string containing printf formatting
sequences and no arguments to supply the data for those sequences?  Bad
things.  The system expands those sequences with the next thing off the
stack, allowing all sorts of nasty tricks ranging from changing the
values of internal variables to executing a shell.  The offending code
follows:


<----[ log_exit() in vchkpw.c ]---->
<---------------------------------->

#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>

/* ENABLE_LOGGING is normally set by ./configure --enable-logging=y;
   the fallback below only stands in for that build setting. */
#ifndef ENABLE_LOGGING
#define ENABLE_LOGGING 1
#endif

void log_exit( int syslog_level, int exit_code, char *fmt, ... )
{
	char tmpbuf[300];
	va_list ap;

	if ( ENABLE_LOGGING > 0 ) {
		va_start(ap,fmt);
		/* the variadic arguments are the user-controlled fields
		   (username, domain, password, IP); vsprintf() copies them
		   into tmpbuf without interpreting any %-sequences they hold */
		vsprintf(tmpbuf, fmt, ap );
		/* BUG: tmpbuf is now handed to syslog() as the format string,
		   so %-sequences supplied by the client are interpreted with
		   no matching arguments; a constant format is required here */
		syslog(syslog_level, tmpbuf );
	}

#ifdef DEBUG
	/* note: when logging is enabled, ap has already been consumed above */
	vfprintf(stderr, fmt, ap);
	fprintf(stderr, "\n");
#endif

	if ( ENABLE_LOGGING > 0 ) {
		va_end(ap);
	}

	exit(exit_code);
}

<---------------------------------->

Please keep in mind that the parameters passed to this function are global
100-byte character arrays, containing the username, domain, password and
IP address.  When I first found the bug, I was sure that I could overflow
tmpbuf by expanding the size of the input fmt buffer with formatting
strings.  What actually happens is that the formatting strings aren't
expanded until they are parsed by vsprintf() inside the syslog() function,
instead of the vsprintf() before the syslog().
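The two explanations above (the syslog() call with only two arguments, and the fact that user data survives the first vsprintf() unexpanded) come down to one rule: user-controlled text must only ever be an argument to a constant format string. The following is an added example, not vpopmail's code or anything from the advisory, showing that corrected pattern. It assumes a stand-in fake_syslog() that formats exactly as syslog() would and captures the line (so the effect can be checked without a log daemon), a hypothetical log_line_safe() built around snprintf() with a fixed format, and a hypothetical count_conversions() helper a defender can run over authentication fields or log entries to flag %-sequences where none are expected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Stand-in for syslog(): behaves like the real call as far as format
   handling goes, but stores the result so it can be inspected. */
static char last_line[512];

static void fake_syslog(int priority, const char *fmt, ...)
{
    va_list ap;
    (void)priority;
    va_start(ap, fmt);
    vsnprintf(last_line, sizeof last_line, fmt, ap);
    va_end(ap);
}

const char *last_logged(void)
{
    return last_line;
}

/* Corrected log routine (hypothetical, modelled on the advisory's log_exit()):
   the user/domain/ip fields are arguments to a constant format, and the
   assembled buffer is itself passed as an argument to a constant "%s" format.
   Returns the length of the assembled line, or -1 on a formatting error. */
int log_line_safe(int priority, const char *user, const char *domain, const char *ip)
{
    char tmpbuf[300];
    int n = snprintf(tmpbuf, sizeof tmpbuf,
                     "vchkpw: user=%s domain=%s ip=%s", user, domain, ip);
    if (n < 0)
        return -1;
    /* snprintf() always terminates tmpbuf; a value of n >= sizeof tmpbuf
       means the line was truncated rather than overflowed. */
    fake_syslog(priority, "%s", tmpbuf);   /* with real syslog(): syslog(priority, "%s", tmpbuf); */
    return n;
}

/* Count printf-style conversion specifiers in a string, treating "%%" as a
   literal percent sign. User-supplied fields such as a username should
   yield 0; a non-zero count in an auth log is a useful detection signal. */
int count_conversions(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, not a conversion */
            s++;
            continue;
        }
        if (s[1] == '\0')       /* trailing lone '%' */
            break;
        count++;
    }
    return count;
}

int main(void)
{
    /* constructed sample input: the advisory's style of username */
    const char *user = "%s%s%s%s";
    log_line_safe(LOG_NOTICE, user, "example.test", "192.0.2.1");
    printf("logged: %s\n", last_logged());
    printf("conversions in username: %d\n", count_conversions(user));
    return 0;
}
```

Run as-is, the logged line contains the literal characters `%s%s%s%s`, because nothing ever interprets the user field as a format. The check in count_conversions() is deliberately conservative: it flags any `%` followed by a character other than `%`, which is the right bias for a field that should never contain one.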

I want to thank Ken Jones (the maintainer/developer of vpopmail) for a
quick response and Lamagra Argamal for his excellent mini-paper on
exploiting format bugs.

-HD

http://www.secureaustin.com
http://www.digitaldefense.net