From: ulfh at Update.UU.SE (Ulf Harnhammar)
Subject: Hypermail buffer overflows

Hypermail buffer overflows


PROGRAM: Hypermail
HOMEPAGE: http://www.hypermail.org/
SOURCEFORGE PAGE: http://sourceforge.net/projects/hypermail/
VULNERABLE VERSIONS: 2.1.3, 2.1.4, 2.1.5, possibly others
IMMUNE VERSIONS: 2.1.6


DESCRIPTION:

"Hypermail 2 is a much enhanced version of the popular tool that
converts mails into nicely formatted HTML pages. Version 2 has a
lot of new features including MIME support. Perfect for archiving
mailing lists and similar."

(direct quote from the program's project page at Freshmeat)


SUMMARY:

I have found one exploitable buffer overflow in Hypermail's main
program, hypermail, and one in Hypermail's CGI program, mail. The
overflow in hypermail can be triggered by sending e-mail to a mailbox
that the program archives, but only if hypermail is configured with a
certain option. The overflow in mail can be exploited by controlling the
reverse DNS of one's own IP address so that it resolves to a malicious
host name, and then requesting the CGI program in question.


TECHNICAL DETAILS:

a) hypermail

The main program, hypermail, overflows a fixed-size buffer when a long
attachment filename (252 characters) is combined with the option progress
set to 2. This option gives verbose information about what directories
and files are created, which is useful for new Hypermail administrators
or people experiencing problems. I've attached a copy of a mailbox
that triggers this buffer overflow.

How does it work? First the attachname variable in the parsemail
function in parse.c is overrun. Then, when the function print_progress
is called, its bufstr variable is overrun as well. As the session
capture below shows, the processor jumps to an address of the attacker's
choice: EIP and the saved registers end up as 0x55555555, which is four
'U' (0x55) bytes from the attachment filename, so this is exploitable.

$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)
$ uname -a
Linux h130n1flsxxoxxx.telia.com 2.4.18-19.7.x #1 Thu Dec 12 09:00:42
EST 2002 i686 unknown
$ pwd
/home/vsu/secwork/hypermail-2.1.5/src
$ ./hypermail -o progress=2 -m /var/spool/mail/vsu
 Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...
 Creating directory "vsu//att-0000", mode 755.
   0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU
Segmentation fault
$ rm -rf vsu
$ gdb hypermail
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and
you are welcome to change it and/or distribute copies of it under
certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r -o progress=2 -m /var/spool/mail/vsu
Starting program: /home/vsu/secwork/hypermail-2.1.5/src/hypermail -o
progress=2 -m /var/spool/mail/vsu
 Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...
 Creating directory "vsu//att-0000", mode 755.
   0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU

Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) whe
#0  0x55555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0x55555555       1431655765
esp            0xbfffe870       0xbfffe870
ebp            0x55555555       0x55555555
esi            0x55555555       1431655765
edi            0x55555555       1431655765
eip            0x55555555       0x55555555
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm1           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm2           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm3           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm4           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm5           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm6           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm7           {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
mxcsr          0x1f80   8064
orig_eax       0xffffffff       -1
(gdb) q
The program is running.  Exit anyway? (y or n) y
$

There are also other buffer overruns in the parsemail function,
including in the boundbuffer and the filename variables, but they
don't seem to be exploitable.


b) mail

The CGI program mail does a reverse look-up of the user's IP address
and uses strcpy() to copy the resulting host name into a fixed-size
buffer of 80 chars. If you control a DNS server so that your IP address
reverses to a host name of 122 chars, this is also exploitable.

As this CGI program allows mail to be sent from any sender address to
any recipient address, it can also be abused by spammers.
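Both bugs above are the same pattern: an unbounded strcpy() of attacker-controlled text (an attachment filename in a), a reverse-DNS host name in b)) into a fixed-size buffer. The following C is an added example written for this page, not Hypermail's code; it models that pattern next to a bounded replacement and reproduces the 0x55555555 observation from the register dump. The 80-byte host name buffer and the 252- and 122-character lengths are taken from the advisory; the attachment buffer size ATTACH_BUF and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define HOSTNAME_BUF 80   /* size given in the advisory for the CGI host name buffer */
#define ATTACH_BUF   128  /* assumption: the real attachname size is not given on the page */

/* The vulnerable pattern, kept only to show the bug: strcpy() stops at the
 * NUL in src and never looks at how large dst is. Called here only with
 * input known to fit; with a 122-char host name it would smash the stack. */
static void copy_unsafe(char *dst, const char *src) {
    strcpy(dst, src);
}

/* The check both call sites were missing: does src (plus its NUL) fit? */
static int would_overflow(size_t bufsz, const char *src) {
    return strlen(src) >= bufsz;
}

/* Hardened copy: reject input that does not fit rather than truncating it
 * silently (a silently truncated filename or host name is its own problem).
 * Returns 0 on success, -1 if rejected; dst is always NUL-terminated. */
static int copy_bounded(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0)
        return -1;
    if (would_overflow(dstsz, src)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* Constructed test input: `len` copies of `c`. Caller frees. */
static char *make_run(char c, size_t len) {
    char *s = malloc(len + 1);
    if (!s)
        abort();
    memset(s, c, len);
    s[len] = '\0';
    return s;
}

/* Little-endian read of four bytes: a run of 'U' (0x55) copied over a saved
 * return address is exactly why gdb reported EIP = 0x55555555. */
static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Runs the two scenarios from the advisory; returns the number of
 * expectations that did not hold (0 means the model behaves as described). */
static int run_checks(void) {
    int failures = 0;
    char host[HOSTNAME_BUF];
    char attach[ATTACH_BUF];
    char *host122 = make_run('a', 122);  /* b): malicious reverse-DNS name */
    char *name252 = make_run('U', 252);  /* a): long attachment filename */

    failures += !would_overflow(sizeof host, host122);
    failures += copy_bounded(host, sizeof host, host122) != -1;
    failures += host[0] != '\0';
    failures += copy_bounded(host, sizeof host, "mail.example.org") != 0;
    failures += strcmp(host, "mail.example.org") != 0;

    failures += !would_overflow(sizeof attach, name252);
    failures += copy_bounded(attach, sizeof attach, name252) != -1;
    failures += le32((const unsigned char *)name252) != 0x55555555u;

    free(host122);
    free(name252);
    return failures;
}

int main(void) {
    char host[HOSTNAME_BUF];
    copy_unsafe(host, "mail.example.org");  /* fits; the bug only bites on long input */
    printf("unsafe copy of a short name: %s\n", host);
    printf("122-char host name into %d-byte buffer overflows: %s\n", HOSTNAME_BUF,
           would_overflow(HOSTNAME_BUF, "x") ? "yes" : "no (short input)");
    printf("four 'U' bytes as a little-endian address: 0x%08x\n",
           le32((const unsigned char *)"UUUU"));
    printf("model checks failed: %d\n", run_checks());
    return 0;
}
```

The same reject-or-fit check applies wherever the source of the string is outside the program's control: a MIME filename parameter, a PTR record, a CGI variable. Truncating with strncpy() would stop the overflow but can leave dst without a NUL terminator; a bounded copy that fails loudly is the safer default.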


WORKAROUND:

Set the option progress to something other than 2. Configure Hypermail
not to use the CGI program mail, and then remove the mail binary
from your cgi-bin directory.


SOLUTION:

Upgrade to version 2.1.6, which fixes all the problems mentioned
above.


COMMUNICATION WITH VENDOR:

The vendor was contacted on the 23rd of January 2003. Version 2.1.6 was
released on the 24th of January.


// Ulf Harnhammar, VSU Security, ulfh@...ate.uu.se
   lynx -source http://slashdot.org/ | head -n1 | tr YDC oHl | \
   sed -e 'y%PETO% wle%' -e 's%  .*$%%' -e 's%L%d.%' -e 's%M%%' \
   -e 's% H%or%' -e 's%^..%%'

-------------- next part --------------
A non-text attachment was scrubbed...
Name: vsu-mbox.gz
Type: application/octet-stream
Size: 727 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20030127/feabdb27/vsu-mbox.obj
