[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030127020239.GA5137@Update.UU.SE>
From: ulfh at Update.UU.SE (Ulf Harnhammar)
Subject: Hypermail buffer overflows
Hypermail buffer overflows
PROGRAM: Hypermail
HOMEPAGE: http://www.hypermail.org/
SOURCEFORGE PAGE: http://sourceforge.net/projects/hypermail/
VULNERABLE VERSIONS: 2.1.3, 2.1.4, 2.1.5, possibly others
IMMUNE VERSIONS: 2.1.6
DESCRIPTION:
"Hypermail 2 is a much enhanced version of the popular tool that
converts mails into nicely formatted HTML pages. Version 2 has a
lot of new features including MIME support. Perfect for archiving
mailing lists and similar."
(direct quote from the program's project page at Freshmeat)
SUMMARY:
I have found one exploitable buffer overflow in Hypermail's main
program, hypermail, and one in Hypermail's CGI program mail. The
overflow in hypermail can be exploited by sending e-mails to the
program, but it only works if hypermail is configured to use a
certain option. The overflow in mail can be exploited by setting
up a DNS server with evil data and then surfing to the CGI program
in question.
TECHNICAL DETAILS:
a) hypermail
The main program, hypermail, doesn't like the combination of long
attachment filenames (252 characters) and the option progress set to
2. This option gives verbose information about what directories and
files are created, which is useful for new Hypermail administrators
or people experiencing problems. I've attached a copy of a mailbox
that causes this buffer overflow.
How does it work? First the attachname variable in the parsemail
function in parse.c is overrun. Then when the function print_progress
is called, its bufstr variable is also overrun. As you can see
on this session capture, the processor jumps to an address of the
attacker's choice, so this is exploitable.
$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)
$ uname -a
Linux h130n1flsxxoxxx.telia.com 2.4.18-19.7.x #1 Thu Dec 12 09:00:42
EST 2002 i686 unknown
$ pwd
/home/vsu/secwork/hypermail-2.1.5/src
$ ./hypermail -o progress=2 -m /var/spool/mail/vsu
Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...
Creating directory "vsu//att-0000", mode 755.
0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU
Segmentation fault
$ rm -rf vsu
$ gdb hypermail
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r -o progress=2 -m /var/spool/mail/vsu
Starting program: /home/vsu/secwork/hypermail-2.1.5/src/hypermail -o
progress=2 -m /var/spool/mail/vsu
Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...
Creating directory "vsu//att-0000", mode 755.
0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU
Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) whe
#0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0x55555555 1431655765
esp 0xbfffe870 0xbfffe870
ebp 0x55555555 0x55555555
esi 0x55555555 1431655765
edi 0x55555555 1431655765
eip 0x55555555 0x55555555
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm1 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm2 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm3 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm4 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm5 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm6 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm7 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
mxcsr 0x1f80 8064
orig_eax 0xffffffff -1
(gdb) q
The program is running. Exit anyway? (y or n) y
$
There are also other buffer overruns in the parsemail function,
including in the boundbuffer and the filename variables, but they
don't seem to be exploitable.
b) mail
The CGI program mail does a reverse look-up of the user's IP number
and uses strcpy to copy the resulting host name to a fixed-size
buffer of 80 chars. If you set up a DNS server, where your IP number
reverses to a host name of 122 chars, this is also exploitable.
As this CGI program allows for any mail to be sent from anyone to
anyone, it can also be abused by spammers.
WORKAROUND:
Set the option progress to something else than 2. Configure Hypermail
not to use the CGI program mail, and then remove the mail program
from your cgi-bin directory.
SOLUTION:
Upgrade to version 2.1.6, which fixes all the problems mentioned
above.
COMMUNICATION WITH VENDOR:
The vendor was contacted on the 23rd of January. Version 2.1.6 was
released on the 24th of January.
// Ulf Harnhammar, VSU Security, ulfh@...ate.uu.se
lynx -source http://slashdot.org/ | head -n1 | tr YDC oHl | \
sed -e 'y%PETO% wle%' -e 's% .*$%%' -e 's%L%d.%' -e 's%M%%' \
-e 's% H%or%' -e 's%^..%%'
-------------- next part --------------
A non-text attachment was scrubbed...
Name: vsu-mbox.gz
Type: application/octet-stream
Size: 727 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030127/feabdb27/vsu-mbox.obj
Powered by blists - more mailing lists