Message-ID: <200408181347.12199.bugtraq@beyondsecurity.com>
Date: Wed, 18 Aug 2004 13:47:12 +0300
From: bugtraq@...ondsecurity.com
To: bugtraq@...urityfocus.com
Subject: [2Cents on] vpopmail <= 5.4.2 (sybase vulnerability)


On Tuesday 17 August 2004 13:44, Jérôme ATHIAS wrote:
> Bug: format string and buffer overflow (sybase)
> Product: vpopmail <= 5.4.2 (sybase vulnerability)
> Author: Werro [werro@...t.ru]
> Release Date : 12/08/04
> Risk: Low
> Vendor status: Vendor is in a big shit :)
> Reference: http://web-hack.ru/unl0ck/advisories/
>
>
> Overview:
> vpopmail is a set of programs for creating and managing
> multiple virtual domains on a qmail server.
>
> Details:
> Bugs were found in Sybase support, in the vsybase.c file.
>
> -------------------\
>  char dirbuf[156];
> \__Vulnerability___________________________________________________ ...
>
>   if ( strlen(dir) > 0 )
>   {
>     sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);
>     ^^^^^^^ - buffer overflow
>   }else{
>     sprintf(dirbuf, "%s/%s", dom_dir, user);
>     ^^^^^^^ - buffer overflow
>   }
>   ...
>
>   if ( site_size == LARGE_SITE ) {
>     sprintf( SqlBuf, LARGE_INSERT, domstr,
>              user, pass, pop, gecos, dirbuf, quota);
>     ^^^^^^^ - format string
>   } else {
>     sprintf( SqlBuf, SMALL_INSERT,
>              SYBASE_DEFAULT_TABLE,  user, domain, pass, pop, gecos, dirbuf, quota);
>     ^^^^^^^ - format string
>   }
> ______________________________________________
> ----------------------------------------/
> Two vulnerabilities: format string and buffer overflow.
> Latest Version is Vulnerable.
>
> To avoid these bugs, you must use snprintf() with a format like "%s".
>
> 12/08/04.
> (c) by unl0ck team.
> http://web-hack.ru/unl0ck
Hi,

A quick look appears to show that the user parameter is limited to 32 bytes 
(checked and assigned before, pw_name), and pw_dir to 160 bytes, so it all 
depends on the VPOPMAILDIR for exploitation, I guess...
Though you should note that pw_dir is not really controlled by the user, but 
rather by the OS's mail dir settings, usually Mail/ ... 

This makes the bug very hard to exploit, but possible on some systems.

Another quick look appears to show that there is no format string 
vulnerability as both SMALL_INSERT and LARGE_INSERT are:
#define LARGE_INSERT "insert into  %s \
( pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
values \
( '%s', '%s', %d, 0, '%s', '%s', '%s' )"

#define SMALL_INSERT "insert into  %s \
( pw_name, pw_domain, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
values \
( '%s', '%s', '%s', %d, 0, '%s', '%s', '%s' )"

So a format is provided for both functions.

-- 
Thanks
Noam Rathaus
CTO
Beyond Security Ltd.

Join the SecuriTeam community on Orkut:
http://www.orkut.com/Community.aspx?cmm=44441
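The following is an added illustration for this archived thread; it is not vpopmail's code and not written by either poster. It models the two points argued above in C: how far the unchecked sprintf() into dirbuf[156] can be pushed when the user name is capped at 32 bytes (so the overflow hinges on the length of the domain directory), what the snprintf() replacement the advisory recommends looks like with its return value actually checked, and why a constant LARGE_INSERT format means directives such as "%n" in the user name are copied as data rather than interpreted. Only the 156-byte buffer, the 32-byte user-name limit and the LARGE_INSERT macro come from the messages; every function name, the sample paths and the sample SQL values are hypothetical and constructed here.

```c
/* Added example for the vpopmail vsybase.c thread; not the project's code.
 * Taken from the thread: dirbuf[156], the 32-byte user-name limit, and the
 * LARGE_INSERT macro. Everything else (names, sample paths) is hypothetical. */
#include <stdio.h>
#include <string.h>

#define DIRBUF_SIZE 156   /* char dirbuf[156]; quoted from vsybase.c */
#define MAX_PW_NAME 32    /* user-name length limit noted in the reply */

/* As quoted in the reply: a compile-time literal, so user data only ever
 * enters it through %s/%d arguments, never as the format itself. */
#define LARGE_INSERT "insert into  %s \
( pw_name, pw_passwd, pw_uid, pw_gid, pw_gecos, pw_dir, pw_shell ) \
values \
( '%s', '%s', %d, 0, '%s', '%s', '%s' )"

/* Bytes that sprintf("%s/%s/%s") or sprintf("%s/%s") would write, excluding
 * the NUL. Computing it lets us reason about the overflow without actually
 * corrupting the stack. */
size_t dirbuf_needed(const char *dom_dir, const char *dir, const char *user)
{
    size_t n = strlen(dom_dir) + 1 + strlen(user);
    if (strlen(dir) > 0)
        n += strlen(dir) + 1;
    return n;
}

/* 1 if the original unchecked sprintf() pair would overflow dirbuf[DIRBUF_SIZE]. */
int dirbuf_overflows(const char *dom_dir, const char *dir, const char *user)
{
    return dirbuf_needed(dom_dir, dir, user) + 1 > DIRBUF_SIZE;
}

/* The pattern the advisory flags, kept as-is: nothing bounds the write. */
void build_dirbuf_unsafe(char *dirbuf, const char *dom_dir,
                         const char *dir, const char *user)
{
    if (strlen(dir) > 0)
        sprintf(dirbuf, "%s/%s/%s", dom_dir, dir, user);
    else
        sprintf(dirbuf, "%s/%s", dom_dir, user);
}

/* Hardened form: snprintf() bounded by the buffer size, return value checked
 * so truncation is reported (-1) instead of silently yielding a wrong path. */
int build_dirbuf_safe(char *dirbuf, size_t size, const char *dom_dir,
                      const char *dir, const char *user)
{
    int n;
    if (strlen(dir) > 0)
        n = snprintf(dirbuf, size, "%s/%s/%s", dom_dir, dir, user);
    else
        n = snprintf(dirbuf, size, "%s/%s", dom_dir, user);
    if (n < 0 || (size_t)n >= size) {
        if (size > 0)
            dirbuf[0] = '\0';
        return -1;
    }
    return 0;
}

/* The reply's scenario: user name capped at MAX_PW_NAME bytes, dir empty.
 * Returns the smallest dom_dir length at which the unsafe builder overflows:
 * DIRBUF_SIZE - MAX_PW_NAME - 1, since the '/' and the NUL each cost a byte. */
size_t min_overflowing_domdir_len(void)
{
    char dom_dir[DIRBUF_SIZE + 2];
    char user[MAX_PW_NAME + 1];
    size_t len;
    memset(user, 'u', MAX_PW_NAME);
    user[MAX_PW_NAME] = '\0';
    for (len = 0; len <= DIRBUF_SIZE; len++) {
        memset(dom_dir, 'd', len);
        dom_dir[len] = '\0';
        if (dirbuf_overflows(dom_dir, "", user))
            return len;
    }
    return 0;
}

/* Builds the INSERT as the quoted code does, only bounded. 0 on success. */
int build_insert(char *out, size_t size, const char *table, const char *user,
                 const char *pass, int pop, const char *gecos,
                 const char *dirbuf, const char *quota)
{
    int n = snprintf(out, size, LARGE_INSERT, table, user, pass, pop,
                     gecos, dirbuf, quota);
    return (n < 0 || (size_t)n >= size) ? -1 : 0;
}

/* 1 if "%n%n%x" placed in the user name comes out of the built SQL verbatim,
 * i.e. it was an argument to a fixed format, not the format itself. */
int format_string_is_inert(void)
{
    char sql[512];   /* constructed sample values below */
    if (build_insert(sql, sizeof sql, "vpopmail", "%n%n%x", "secret", 1,
                     "Test User", "/home/vpopmail/domains/example.com/alice",
                     "NOQUOTA") != 0)
        return 0;
    return strstr(sql, "'%n%n%x'") != NULL;
}

int main(void)
{
    char dirbuf[DIRBUF_SIZE];
    build_dirbuf_unsafe(dirbuf, "/home/vpopmail/domains/example.com", "", "alice");
    printf("unsafe builder on a short input: %s\n", dirbuf);
    printf("dom_dir length at which a 32-byte user overflows dirbuf: %zu\n",
           min_overflowing_domdir_len());
    printf("format directives in the user name stay inert: %d\n",
           format_string_is_inert());
    return 0;
}
```

With a 32-byte user name and an empty dir the boundary is a 123-byte domain directory, which is why the reply ties exploitability to the VPOPMAILDIR setting rather than to anything the remote user controls. The snprintf() replacement is only an improvement if its return value is checked, as in build_dirbuf_safe; an unchecked snprintf() merely turns the overflow into a silently truncated path.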