[UNIX] Perdition IMAP Proxy str_vwrite Format String Vulnerability



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com



Perdition IMAP Proxy str_vwrite Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.vergenet.net/> Perdition is "a fully featured POP3 and IMAP4
proxy server. It is able to handle both SSL and non-SSL connections and
redirect users to a real-server based on a database lookup". Perdition
IMAPD is affected by a format string bug in one of its IMAP output-string
formatting functions. The bug allows the execution of arbitrary code on
the affected server. A successful exploit does not require prior
authentication.

DETAILS

Vulnerable Systems:
* Perdition Mail Retrieval Proxy version 1.17 and prior

Immune Systems:
* Perdition Mail Retrieval Proxy version 1.17.1

Vulnerability details:
1.) In certain situations, the IMAP tag (the first token of an IMAP command) is
copied into a character buffer without validation. This buffer is then
ultimately passed to vsnprintf() as the format string.

2.) Before the call to vsnprintf(), the format string is validated as a
protection against format string injection.

From str.c:
++++++++++++++++++++++++++++++++++++
168: static const char *__str_vwrite(io_t * io, const flag_t flag,
169:                                 const size_t nargs, const char *fmt, va_list ap,
170:                                 int *bytes)
171: {
(...)
186:     fmt_args = 0;
187:     for (place = 0; fmt[place] != '\0'; place++) {
188:         if (fmt[place] == '%')
189:             fmt[place + 1] == '%' ? place++ : fmt_args++;
190:     }
191:     if (fmt_args != nargs) {
(...)
195:         VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
196:                                     "%d args requested, %d args in format",
197:                                     nargs, fmt_args);
198:         return (NULL);
199:     }
200:
201:     *bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt, ap);
++++++++++++++++++++++++++++++++++++

In lines 187-191, the actual number of format identifiers in the format
string is compared to the expected number given in the parameter nargs. This
check can, however, be bypassed by injecting a null byte at the end of the
IMAP tag. The null byte cuts off the rest of the string (including the
format identifiers intended by the programmer), so both the counting loop and
vsnprintf() stop at the end of the tag. It is therefore possible to inject
exactly 'nargs' arbitrary format identifiers within the IMAP tag. In
practice, only a single format identifier can be controlled by the
attacker. This is not very convenient to exploit, but arbitrary code
execution is still possible. For example, multiple successive
single-byte writes to a global function pointer can be used to gain
control of the instruction pointer. Due to the nature of the
vulnerability, a good exploit can bypass most OS security features
(non-executable stack, ASLR, etc.) as well as compiler features (stack
canaries, ...).

Proof-of-Concept
The following can be used to test for the vulnerability:
perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143
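The following C example is added here and is not part of the advisory or of Perdition's own code. It reimplements the counting check to show why a tag ending in a NUL slips past it (the test string above is one such tag), and contrasts it with a construction that treats the tag as data. It assumes the tag is copied by length so an embedded NUL survives, that the server appends a one-argument " OK %s completed" template, and a 64-byte tag limit; the template, the limit and the tag_is_safe() character set are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Reimplementation of the advisory's check (str.c lines 187-191): it walks
 * fmt only up to the first NUL, so anything after an embedded NUL is unseen. */
static int count_fmt_args(const char *fmt)
{
    int n = 0;
    for (size_t i = 0; fmt[i] != '\0'; i++)
        if (fmt[i] == '%') { if (fmt[i + 1] == '%') i++; else n++; }
    return n;
}

/* Model of the vulnerable construction (assumed: tag copied by length, then a
 * fixed template with one %s appended). Returns 1 if the nargs check would
 * pass and the buffer would reach vsnprintf() as the format string. */
static int vulnerable_check_passes(const unsigned char *tag, size_t tag_len, int nargs)
{
    static const char tmpl[] = " OK %s completed";  /* assumed template, 1 arg */
    char fmt[128] = {0};
    if (tag_len > 64) return 0;
    memcpy(fmt, tag, tag_len);                 /* an embedded NUL survives */
    memcpy(fmt + tag_len, tmpl, sizeof tmpl);  /* template lands after it */
    return count_fmt_args(fmt) == nargs;
}

/* Hardened input check: printable ASCII only, no '%', no IMAP tag-specials.
 * A conservative subset of the RFC 3501 tag grammar, so it rejects NUL, CTLs
 * and anything that could be read as a conversion specifier. */
static int tag_is_safe(const unsigned char *tag, size_t tag_len)
{
    if (tag_len == 0 || tag_len > 64) return 0;
    for (size_t i = 0; i < tag_len; i++) {
        if (tag[i] < 0x21 || tag[i] > 0x7e) return 0;
        if (strchr("(){}%*\"\\+", tag[i])) return 0;
    }
    return 1;
}

/* Hardened construction: the format is a literal and the tag is an argument,
 * so no byte from the client is ever interpreted by the formatter. */
static int build_response(char *out, size_t out_len,
                          const unsigned char *tag, size_t tag_len, const char *cmd)
{
    if (!tag_is_safe(tag, tag_len)) return -1;
    return snprintf(out, out_len, "%.*s OK %s completed",
                    (int)tag_len, (const char *)tag, cmd);
}
```

With the NUL-terminated tag the flawed check still reports a match, while the same tag without the NUL is rejected; tag_is_safe() rejects both.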

Vendor status:
Vendor notified: 2007-10-12
Vendor response: 2007-10-12
Patch available: 2007-10-31


ADDITIONAL INFORMATION

The information has been provided by <mailto:research@xxxxxxxxxxxxxxx>
Bernhard Mueller.
The original article can be found at:
http://www.sec-consult.com/300.html


