lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1193832697.6279.23.camel@b4byl0n>
Date: Wed, 31 Oct 2007 13:11:37 +0100
From: Bernhard Mueller <research@...-consult.com>
To: Bugtraq <bugtraq@...urityfocus.com>, Full Disclosure
	<full-disclosure@...ts.grok.org.uk>
Subject: SEC Consult SA-20071031-0 :: Perdition IMAP Proxy
	Format String	Vulnerability

SEC Consult Security Advisory < 20071031-0 >
====================================================================================
                  title: Perdition IMAP proxy str_vwrite format string
vulnerability
                program: Perdition Mail Retrieval Proxy
     vulnerable version: <=1.17
               homepage: http://www.vergenet.net/
                  found: August 2007
                     by: Bernhard Mueller / SEC Consult
         permanent link: http://www.sec-consult.com/300.html
====================================================================================

Vendor description:
---------------

Perdition is a fully featured POP3 and IMAP4 proxy server. It is able to
handle both SSL and non-SSL connections and redirect users to a
real-server based on a database lookup.


Vulnerability overview:
---------------

Perdition IMAPD is affected by a format string bug in one of its IMAP
output-string formatting functions. The bug allows the execution of
arbitrary code on the affected server. A successful exploit does not
require prior authentication.


Vulnerability details:
--------------- 

1.) In certain situations, the IMAP-Tag (first part of IMAP-command) is
copied into a character buffer without validation. This buffer is then
ultimately passed to vsnprintf() as a format string.

2.) Before the call to vsnprintf, a validation of the format string is
performed as a protection against format string injection.

>>From str.c:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
168: static const char *__str_vwrite(io_t * io, const flag_t flag, 
169: 		const size_t nargs, const char *fmt, va_list ap,
170: 		int *bytes)
171: {
(...)
186: 	fmt_args = 0;
187: 	for (place = 0; fmt[place] != '\0'; place++) {
188: 		if (fmt[place] == '%')
189: 			fmt[place + 1] == '%' ? place++ : fmt_args++;
190: 	}
191: 	if (fmt_args != nargs) {
(...)
195: 		VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
196: 				"%d args requested, %d args in format",
197: 		     		nargs, fmt_args);
198: 		return (NULL);
199: 	}
200: 
201: 	*bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt,
ap);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


In line 187-191, the actual number of format identifiers is compared to
supposed number given in the parameter nargs. This check can however be
bypassed by injecting a null-byte in the end of the IMAP-tag. The
null-byte cuts of the rest of the string (with the original format
identifiers intended by the programmer). Therefore it is possible to
inject 'nargs' arbitrary format identifiers within the IMAP tag. 
In practice, only a single format identifier can be controlled by the
attacker. This is not very nice to exploit, however arbitrary code
execution is still possible. For example, multiple successive
single-byte-writes on a global function pointer can be used to gain
control of the instruction pointer.
Due to the nature of the vulnerability, a good exploit can bypass most
OS security features (non-exec-stack, ASLR, etc.) as well as compiler
features (stack canaries,...).


Proof-of-Concept
----------------

SEC Consult has created a working proof-of-concept
(code-execution-)exploit, which will not be released to the public at
this time.
The following can be used to test for the vulnerability:

perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143


Vulnerable versions:
---------------

Perdition IMAPD <= 1.17

The vulnerability has been fixed in Perdition v1.17.1. The new tarball
and Debian packages can be found at:

http://www.vergenet.net/linux/perdition/download/1.17.1/
http://www.vergenet.net/linux/perdition/download/latest/


vendor status:
---------------
vendor notified: 2007-10-12
vendor response: 2007-10-12
patch available: 2007-10-31


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF Bernhard Mueller / research [AT] sec-consult [DOT] com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ