BugTraq
vpopmail <= 5.4.2 (sybase vulnerability) Aug 17 2004 10:44AM
Jérôme ATHIAS (jerome athias caramail com) (1 replies)


Bug: format string and buffer overflow (sybase)

Product: vpopmail <= 5.4.2 (sybase vulnerability)

Author: Werro [werro (at) list (dot) ru]

Release Date: 12/08/04

Risk: Low

Vendor status: Vendor is in a big shit :)

Reference: http://web-hack.ru/unl0ck/advisories/

Overview:

vpopmail is a set of programs for creating and managing multiple virtual domains on a qmail server.

Details:

Bugs were found in SyBase, in the vsybase.c file.

------------------- Vulnerability -------------------

char dirbuf[156];
...
if ( strlen(dir) > 0 )
{
    sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);
    ^^^^^^^ - buffer overflow
}else{
    sprintf(dirbuf, "%s/%s", dom_dir, user);
    ^^^^^^^ - buffer overflow
}
...

if ( site_size == LARGE_SITE ) {
    sprintf( SqlBuf, LARGE_INSERT, domstr,
        user, pass, pop, gecos, dirbuf, quota);
    ^^^^^^^ - format string
} else {
    sprintf( SqlBuf, SMALL_INSERT,
        SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf, quota);
    ^^^^^^^ - format string
}

-----------------------------------------------------

Two vulnerabilities: format string and buffer overflow.

Latest version is vulnerable.

To avoid these bugs, you must use snprintf() with a format like "%s".

12/08/04.

(c) by unl0ck team.

http://web-hack.ru/unl0ck
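
The bounded form of the dirbuf construction that the advisory's snprintf() advice points to, as an added example that is not part of the original post and is not vpopmail's code. The helper name build_dirbuf and the sample paths are hypothetical; only the 156-byte buffer size and the two format strings come from the excerpt above.

```c
#include <stdio.h>
#include <string.h>

#define DIRBUF_LEN 156  /* size of dirbuf in the advisory's excerpt */

/*
 * Hypothetical helper (not from vpopmail): builds "dom_dir/dir/user" or
 * "dom_dir/user" into out, refusing the input instead of overflowing or
 * silently truncating. Returns 0 on success, -1 if the result does not
 * fit or an argument is missing.
 */
int build_dirbuf(char *out, size_t outlen,
                 const char *dom_dir, const char *dir, const char *user)
{
    int n;

    if (out == NULL || outlen == 0 || dom_dir == NULL || dir == NULL || user == NULL)
        return -1;

    if (strlen(dir) > 0)
        n = snprintf(out, outlen, "%s/%s/%s", dom_dir, dir, user);
    else
        n = snprintf(out, outlen, "%s/%s", dom_dir, user);

    /* snprintf returns the length it wanted to write; n >= outlen means
       the path was cut short, and a truncated path must not be used. */
    if (n < 0 || (size_t)n >= outlen) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}

int main(void)
{
    char dirbuf[DIRBUF_LEN];
    char long_user[400];            /* constructed oversized input */

    memset(long_user, 'A', sizeof(long_user) - 1);
    long_user[sizeof(long_user) - 1] = '\0';

    /* Constructed sample paths, not taken from a real installation. */
    if (build_dirbuf(dirbuf, sizeof(dirbuf), "/home/vpopmail/domains/example.com", "0", "alice") == 0)
        printf("ok: %s\n", dirbuf);
    if (build_dirbuf(dirbuf, sizeof(dirbuf), "/home/vpopmail/domains/example.com", "", long_user) != 0)
        printf("rejected: path would exceed %d bytes\n", DIRBUF_LEN);
    return 0;
}
```

Checking the return value matters as much as passing the size: a silently truncated directory path would still be stored in the database and later used for the wrong location.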
[2Cents on] vpopmail <= 5.4.2 (sybase vulnerability) Aug 18 2004 10:47AM
bugtraq beyondsecurity com