6073608 2001-02-09 06:52 +0000 /101 lines/ <davidel@XMAIL.VIRUSSCREEN.COM>
Sent by: joel@lysator.liu.se
Imported: 2001-02-09 17:39 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: davidel@XMAIL.VIRUSSCREEN.COM
Recipient: Bugtraq (import) <15322>
Subject: Re: XMail CTRLServer remote buffer overflow vulnerability
------------------------------------------------------------
From: davidel@XMAIL.VIRUSSCREEN.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010209065220.24385.qmail@securityfocus.com>

> SUMMARY
>
> I discovered that all versions of XMail <http://www.mycio.com/davidel/xmail> have
> buffer overflow vulnerabilities in CTRLServer. These holes are NOT the same as the
> APOP/USER command buffer overflow vulnerability discovered earlier. This
> problem allows a remote attacker to execute arbitrary code by issuing a
> long cfgfileget (cfgfileset, domainadd, domaindel) command.
>
> DETAILS
>
> Vulnerable systems:
> XMail version 0.66 and prior versions
>
> Immune systems:
> None
>
> CTRLServer is a tool of XMail for administration purposes. It listens on port 6017 (tunable).
> There is some bad programming that leads to vulnerabilities.
>
> In CTRLSvr.cpp
> line 1888: CTRLDo_domainadd() function
> StrLower(strcpy(szDomain, ppszTokens[1]));
>
> szDomain is a 256-byte local buffer; ppszTokens[1] is parsed from the user input
> command, and XMail copies it without bounds checking. It is possible to
> overwrite EIP; because XMail runs as root, an attacker can execute arbitrary code
> with root privilege.
>
> There are the same vulnerabilities in CTRLSvr.cpp
> line 1921: CTRLDo_domaindel() function
> StrLower(strcpy(szDomain, ppszTokens[1]));
>
> line 2448: CTRLDo_cfgfileget() function
> strcpy(szRelativePath, ppszTokens[1]);
>
> line 2523: CTRLDo_cfgfileset() function
> strcpy(szRelativePath, ppszTokens[1]);
>
> Before exploiting the vulnerabilities, it is necessary to log in with the CTRLServer
> username & password. I think it is easy to get that by brute forcing.
>
> I wrote a program to test the vulnerabilities, on my Redhat 6.0 i386 + XMail 0.65
> (0.66 has the same bugs):
>
> [root@isno /root]# gcc -o xmailx xmailx.c
> [root@isno /root]# ./xmailx isno mypasswd 127.0.0.1
>
> Use retAddress: 0xbc7fe974
>
> +00000 <981016616.25626@127.0.0.1> XMail 0.65 (Linux/Ix86) CTRL Server; Thu, 01 Feb 2001 16:36:56 +0800
>
> Starting to login...
> Success!now telnet 127.0.0.1 36864
> [root@isno /root]# telnet 127.0.0.1 36864
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> id;
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> : command not found
>
> Because the buffer is too small to put many NOPs before the shellcode, it is difficult
> to guess the return address. And the offset cannot be brute forced, because once the overflow code is sent to
> the CTRLServer, XMail crashes.
>
> PATCH:
> http://www.mycio.com/davidel/xmail should release the patch.
>
> Excuse my poor English...

It'll be fixed in 0.68.

- Davide

(6073608) ------------------------------------------
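As an added example (not XMail's code, and not part of the report or Davide's reply above), a hardened form of the quoted `StrLower(strcpy(szDomain, ppszTokens[1]))` pattern: the token length is checked against the 256-byte buffer before a single byte is written, so an over-long `domainadd` argument is rejected with an error instead of running past `szDomain`. The function names, return codes and `CTRL_DOMAIN_MAX` are assumptions made for this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CTRL_DOMAIN_MAX 256   /* hypothetical: mirrors the 256-byte szDomain in the report */

/* Return codes for the hardened copy (hypothetical names). */
enum { CTRL_OK = 0, CTRL_ERR_NOARG = -1, CTRL_ERR_TOOLONG = -2 };

/* Bounded replacement for  StrLower(strcpy(szDomain, ppszTokens[1]));
 * The length check happens before anything is copied, so an over-long
 * token cannot overwrite the stack; the copy is then lowercased in place. */
static int ctrl_copy_domain(char *dst, size_t dstsz, const char *token)
{
    size_t len;

    if (token == NULL || dstsz == 0)
        return CTRL_ERR_NOARG;
    len = strlen(token);
    if (len >= dstsz)                 /* leave room for the terminating NUL */
        return CTRL_ERR_TOOLONG;
    memcpy(dst, token, len + 1);
    for (size_t i = 0; i < len; i++)
        dst[i] = (char)tolower((unsigned char)dst[i]);
    return CTRL_OK;
}

/* Minimal stand-in for the CTRL command handler: takes the tokenised
 * command ("domainadd <domain>") and fills szDomain or reports an error. */
static int ctrl_do_domainadd(char **ppszTokens, int nTokens, char *szDomain, size_t sz)
{
    if (nTokens < 2)
        return CTRL_ERR_NOARG;
    return ctrl_copy_domain(szDomain, sz, ppszTokens[1]);
}

int main(void)
{
    char szDomain[CTRL_DOMAIN_MAX];
    char *good[] = { "domainadd", "Example.ORG" };   /* constructed input */
    char longarg[600];                               /* constructed over-long token */
    memset(longarg, 'A', sizeof(longarg) - 1);
    longarg[sizeof(longarg) - 1] = '\0';
    char *bad[] = { "domainadd", longarg };

    printf("good: rc=%d domain=%s\n", ctrl_do_domainadd(good, 2, szDomain, sizeof(szDomain)), szDomain);
    printf("bad:  rc=%d\n", ctrl_do_domainadd(bad, 2, szDomain, sizeof(szDomain)));
    return 0;
}
```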