lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <200401200257.i0K2v6mn022145@gfn.org>
Date: Mon, 19 Jan 2004 21:57:06 -0500
From: Scott Gifford <sgifford@...pectclass.com>
To: Serafino Sorrenti <ml@...rrenti.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: Lame crash in qmail-smtpd and memory overwrite according to gdb, yet still qmail much better than windows


Serafino Sorrenti <ml@...rrenti.com> writes:

> http://www.guninski.com/qmailcrash.html
> 
> 
> Georgi Guninski security advisory #65, 2004
> 
> Lame crash in qmail-smtpd and memory overwrite according to gdb, yet
> still qmail much better than windows
> 
> Systems affected:
> qmail 1.03 on linux, don't know about other OSes.
> 
> 
> Risk: Unknown. maybe so, maybe no.
> Date: 15 January 2004

We've had extensive discussion about this on the qmail list, and it
seems quite likely that this is not an exploitable bug.  The bug is a
signed integer wrapping from positive to negative and being used as an
array subscript.  Immediately after it wraps, qmail-smtpd references a
memory address which is way out-of-bounds and triggers SIGSEGV.  There
doesn't appear to be a way to cause a different subscript to be used
which would allow any real memory locations to be overwritten.

The apparent memory overwrite seems to be an artifact of a gdb bug,
and not a memory overwrite at all.  Only some people (not including
me) have been able to reproduce it, and nobody's been able to make
qmail actually execute anything fishy.  It sounds quite similar to the
gdb bug reported in Debian bug 154154:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=154154

There are a number of very simple unofficial patches available.  The
fix is included with a few others in a patch by James Craig Burley,
which I've personally tested.  It's available at:

    http://www.jcb-sc.com/qmail/patches/qmail-isoc.patch

More information and discussion are available in the recent qmail list
archives:

    http://www.ornl.gov/lists/mailing-lists/qmail/2004/01/maillist.html

------ScottG.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ