Vulnerability: vpopmail

Affected: vpopmail-3.4.11

Description

H.D. Moore found the following. The vpopmail package is an extension for Qmail that allows easy management of virtual domains and can use a SQL backend for storing user accounts. The program vchkpw in that package contains a vulnerability in its logging routines. vchkpw handles the username/password/domain authorization for Qmail's services, including the pop3 daemon. By passing printf formatting sequences as the username or password when authenticating against the server, an attacker can run arbitrary code on the system with the privileges of the calling process.

Vulnerable versions include all releases prior to 4.8 that have been compiled with the --enable-logging=y option. Your system is remotely exploitable if you use vchkpw to authorize users in conjunction with a network service (qmail-popup).

The following demonstrates the bug using the Qmail pop3 daemon (qmail-popup):

hdm@atrophy:~ > telnet mail.myhost.com 110
Trying A.B.C.D...
Connected to mail.myhost.com.
Escape character is '^]'.
+OK <2334.961909661@mail.myhost.com>
user %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
+OK
pass %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
-ERR aack, child crashed
Connection closed by foreign host.
hdm@atrophy:~ >

The problem lies in the fact that syslog() is called with only two arguments, and the second argument contains user-supplied data. syslog() treats its second argument as the format string and each argument after it as the parameters for that format, which it expands internally with vsprintf(). What happens when vsprintf() is given a format string containing printf formatting sequences and no arguments to satisfy those sequences? Bad things. Each sequence is expanded with the next value taken off the stack, which allows all sorts of nasty tricks, ranging from changing the values of internal variables to executing a shell.
The offending code follows:

<----[ log_exit() in vchkpw.c ]---->
<---------------------------------->

void log_exit( int syslog_level, int exit_code, char *fmt, ... )
{
    char tmpbuf[300];
    va_list ap;

    if ( ENABLE_LOGGING > 0 ) {
        va_start(ap,fmt);
        vsprintf(tmpbuf, fmt, ap );     /* expands the trusted fmt; the username/password
                                           arguments are copied into tmpbuf verbatim */
        syslog(syslog_level, tmpbuf );  /* tmpbuf, now holding user data, is used as the
                                           format string with no arguments behind it */
    }
#ifdef DEBUG
    vfprintf(stderr, fmt, ap);
    fprintf(stderr, "\n");
#endif
    if ( ENABLE_LOGGING > 0 ) {
        va_end(ap);
    }
    exit(exit_code);
}

Keep in mind that the parameters passed to this function are global 100-byte character arrays containing the username, domain, password and IP address. The formatting sequences inside those arrays are not expanded by the vsprintf() that runs before syslog(): that call only expands the trusted fmt and copies the user-supplied strings into tmpbuf as-is. They are expanded afterwards, when syslog() parses tmpbuf as its format string with vsprintf() internally. The fix is to hand syslog() a constant format and pass the assembled message as data, i.e. syslog(syslog_level, "%s", tmpbuf).

Solution

The latest release of vpopmail (4.8 - June/27/2000) can be downloaded from http://www.inter7.com/vpopmail/

All earlier versions were removed from the site to prevent the spread of vulnerable releases.
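To make the double interpretation concrete, the following is an added example written for this page; it is not vpopmail's code and not part of the original advisory. It replaces syslog(3) with an in-memory stand-in (fake_syslog, an assumption of the example) that, like the real function, treats its second argument as a printf format, and puts the vulnerable call pattern from log_exit() next to the hardened "%s" form. The function names log_vulnerable, log_fixed and count_format_directives, and the log message text, are invented for illustration. The probe uses "%%" rather than "%s": a run of %s reads pointers off the stack and is undefined behaviour, whereas "%%" is the one directive whose result under a second format pass is fully defined (it collapses to a single "%"), so the difference between the two paths can be observed and asserted on.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* In-memory stand-in for syslog(3) (example scaffolding, not vpopmail code).
 * Like the real function it treats its second argument as a printf-style
 * format string; output goes to a buffer so the result can be inspected. */
static char last_log[512];

static void fake_syslog(int level, const char *fmt, ...)
{
    va_list ap;
    (void)level;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
}

/* Vulnerable pattern, mirroring log_exit(): the message is built first, then
 * the built buffer is handed to syslog where a format string belongs.  Any
 * directives inside 'user' survive the first pass and are interpreted by
 * the second one, with nothing on the argument list to satisfy them. */
const char *log_vulnerable(const char *user, const char *domain)
{
    char tmpbuf[300];
    snprintf(tmpbuf, sizeof tmpbuf, "vchkpw: bad password for %s@%s", user, domain);
    fake_syslog(3, tmpbuf);          /* BUG: attacker-controlled text is the format */
    return last_log;
}

/* Hardened form: a constant format, with the built message passed as data. */
const char *log_fixed(const char *user, const char *domain)
{
    char tmpbuf[300];
    snprintf(tmpbuf, sizeof tmpbuf, "vchkpw: bad password for %s@%s", user, domain);
    fake_syslog(3, "%s", tmpbuf);    /* user data is never parsed as a format */
    return last_log;
}

/* Count conversion directives ('%' not followed by another '%') in a string
 * such as the USER or PASS argument of a POP3 session.  A legitimate login
 * name contains none; a run of %s or %x is the signature of the probe in
 * the advisory.  A simple heuristic for log review or an IDS rule. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%" is an escaped percent, not a directive */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* The vulnerable path turns the "%%" in the username into "%" because the
     * assembled message is run through the format parser a second time. */
    printf("vulnerable: %s\n", log_vulnerable("%%", "example.com"));
    printf("fixed:      %s\n", log_fixed("%%", "example.com"));
    printf("directives in probe: %d\n",
           count_format_directives("%s%s%s%s%s%s%s%s"));
    return 0;
}
```

The same check applies to any logging or error-reporting wrapper that forwards a caller-built buffer: grep for syslog(), printf(), fprintf() and vsprintf() calls whose format argument is not a string literal, and rewrite them with a literal "%s" format.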