High security hole in NullLogic Groupware Jul 06 2009 12:50AM
Tim Brown (timb nth-dimension org uk)
Hi,

I've identified a couple of security flaws affecting the NullLogic Groupware
which may allow compromise of accounts, denial of service or even remote code
execution.  These issues were reported by email to the developer but no
response was forthcoming.
 
Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20090413)
Date: 13th April 2009
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Groupware 1.2.7 <http://nullwebmail.sourceforge.net/groupware/>
Vendor: NullLogic (Dan Cahill) <http://nullwebmail.sourceforge.net/>
Risk: High

Summary

This advisory comes in 3 related parts:

1) Groupware supports a number of database servers including SQLite
and MySQL. During configuration, it is setup to use these for the storage
of data including credentials. The functions which access the configured
database do not sanitise all input satisfactorily. This can lead to SQL
injection allowing compromise of the Groupware server.

2) Groupware includes fully featured forum which is available to authenticated
users. The functions called by the web application when this is accessed do not
validate all input satisfactorily. It is possible to supply malformed data as
one of the parameters which causes an exception allowing a denial of service
condition to be affected.

3) When Groupware is configured to use the PostgreSQL database server
backend, a programming error within the database functions of the POP3, SMTP and
web components of Groupware may allow longer than expected strings to be written
to the stack. This could lead to a stack overflow allowing compromise of the
Groupware server.

Technical Details

1) Groupware typically calls the sql_queryf function when talking to the
database server. As with printf and friends, this takes a C format string and
other parameters specific to the operation and constructs an SQL query which
is then passed to the appropriate database function. For example, from the
Groupware web application (which is typically found on port 4110), the user
is presented with a login page. When an attempt is made to login,
queries are generated by the auth_checkpass function as follows:

if ((sqr=sql_queryf(sid, "SELECT userid, password FROM gw_users WHERE username = '%s' and enabled > 0", sid->dat->user_username))<0) {

Since we can control the value of sid->dat->user_username from the username
parameter of requests to the login page we can influence the actual SQL query
which is executed by the database server which is insufficiently sanitised. Note
that a significant percentage of all database calls are susceptible as described.

2) The Groupware web application's forum module takes a parameter to
select the forum that the user wishes to access. The parameter is incorrectly
validated leading to an exception being thrown when the fmessagelist
function is passed with a forum parameter of either an empty or a non-numeric
string.

3) Consider the following function which is called when Groupware is configured to
use a PostgreSQL database server:

int pgsqlQuery(CONN *sid, int sqr, char *sqlquery)
{
...
char query[8192];
...
memset(query, 0, sizeof(query));
snprintf(query, sizeof(query)-1, "DECLARE myportal CURSOR FOR ");
strncat(query, sqlquery, sizeof(query));
...
}

As you can see, it allocates a 8192 byte buffer for query on the stack and
proceeds to construct an SQL query. The problem lies in that it starts the
string construction with a fixed length string of 28 bytes before concatenating
up to 8192 bytes (the size of query previously allocated on the stack. The total
amount of data written to the stack (8220 bytes) is therefore greater than that
which was initially allocated. In theory this could lead to the previous
functions base pointer (%ebp) and return address (%eip) being blown away if a
the value of sqlquery passed is longer than 8163 bytes. Note this code can be
found in a number of locations within the Groupware source.

Solutions

Unfortunately, Nth Dimension are unware of any fixes for these issues
at the current time. The developer was contacted on Monday, 13th April 2009
but no response was forthcoming.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAEBAgAGBQJKUUP2AAoJEPJhpTVyySo7+iUP/R7tvEdxYBLlOv42ht2ef34a
BgGPDjFs+1fVkLTpducaQrh+UTBZ32bQUDaesyQ2TQ2kzQ0MvP5iGTk6cMVQe3Wk
e1xF6R+8jbVMqX2oFSOFa7FzDDr8GotRG+eNgEEFARVuPdyFWB/lBZw0pNW0gMfN
wV5sbFN5lubObmtBt03AkpFj9vFsv9N5HN0dRKyk4HoshalYsr2l3Z++LZB0PTsM
q/Do8q5CRw5D+5cRXdZmsWEP5I1NMCFnhyjgSxrM8agq1C5znQSwdQFyng41oeY+
jEIyOx8uGtqLtOMQ+DEsp0iyejbxcQnmJNv1Uko4wh34h1UNfZ3Buh1TbmqLbzBZ
KzOA91MY4kZB2meyZqm5FEjlBtXblyIlaWve8bgcm5tu/7yw51g4GxkMvrFYZvfP
/6F7U9rJ2+2NK/zCSlDfkn03aIPoduQUC2iZWoS/Q5XlEXCz6jOkO/oHqKk8S2sl
4H1ewt+z5+b/zmC7VROcuavI6e9TCYpsw9tuAFV0UiJVlTi8iO16SfpmfrG9RwYE
ddjg71bBRvdUO/AYxBvDLHV+yiSZ1jVBpHOgPunBzedI7uBFIyVWy9qpUqVMtBsu
OgjNQ0jmreQ8bjxAr8J5oSjkdTmnQO7KCGntTHGXxdR77SeYPI+/FOHXZ5OqXJmu
KC/vBPrQL8LBvzOf79LQ
=X7sF
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iQIcBAABAgAGBQJKUUpvAAoJEPJhpTVyySo7pzAQAJsKWwOLtk5CuTKD4k1Bydch
qPTsk2dQLMWPhlRpLAD09Z01ItXWEEVhJ9usWX9RTGA1VA87xcCReG5hegBVmZPp
t3jju11oM3G/AP5HX5ypQ8zrqrYII8INNPkf/sTfoWwIBs6LKY+JXVvGpVCW01ug
t9KDLYp7gvfAdjr0AIhG45RUIbXKRVxVSnw4mplDP6rvjw2QBiS+t1xJVmVf0Yr3
0UFYQ3JhFugjjXeNBxtzj5OEQrPfhst1IdYK3zZZvHKp0uI+56reUMS1qcEhdx0w
VY1RABGMiIvcH3Y035emOcGY/ph9DJcyJ9wsYa3GGIBOxTsTuIAO+DlxNeXYqk78
59MZPBXStqA+stAj1WcImp/3+lKfbe1k7+ktcnuZcorZ8pT1l5gl9LR578fgq888
eJPXDxIxJ1SLVZ3vVv6IDtsXY9zQojQ+dirR3a9+d6R/azH/5q6NuEKeorhcSIlv
eMUA+ecScnaPAW1WzKLQX/RtddN73C+Wgw9yc0TtG5zAZwoy4eq1m4r5CBgHC/Kb
9g6V9JL92/D2egieysi3T54cgtXexEh3y62VzWE8RvWSMRlxz350tHY/YRdpLADM
IIfuofaul+3cCKUgufSpAb6JbYKN9HxMaNOBGFyrHeGUqT1sjIawlbyW5j/xdQCo
KA9aQVf7vj2CpOs0ygqv
=+VgE
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus