Vulnerability

    vpopmail

Affected

    vpopmail-3.4.11

Description

    H.D. Moore found following.  The vpopmail package is an  extension
    for Qmail that allows easy  management of virtual domains and  can
    use a SQL backend for  storing user accounts.  The  program vchkpw
    in that package contains a vulnerability in its logging routines.

    The   vchkpw   program   handles   the    username/password/domain
    authorization for Qmail's services, including the pop3 daemon.  By
    passing   formatting   strings   as   a   username/password   when
    authenticating against the server,  an attacker can run  arbitrary
    code on the system with the privileges of the calling process.

    Vulnerable versions include  all releases prior  to 4.8 that  have
    been compiled with the --enable-logging=y option.  Your system  is
    remotely  exploitable  if  you  use  vchkpw  to authorize users in
    conjunction with a network service (qmail-popup).

    The following  demonstrates the  bug using  the Qmail  pop3 daemon
    (qmail-popup):

        hdm@atrophy:~ > telnet mail.myhost.com 110
        Trying A.B.C.D...
        Connected to mail.myhost.com.
        Escape character is '^]'.
        +OK <2334.961909661@mail.myhost.com>
        user %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
        +OK
        pass %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
        -ERR aack, child crashed
        Connection closed by foreign host.
        hdm@atrophy:~ >

    The problem lies  in the fact  the syslog function  is passed only
    two arguments, with the  second argument containing user  supplied
    data.  The syslog function then passes its second argument as  the
    format  string  and  each  argument  after  that  as parameters to
    vsprintf().  So what happens  when you call vsprintf() with  a fmt
    string containing printf formatting sequences and no arguments  to
    supply the  data for  those sequences?   Bad things.   The  system
    expands  those  sequences  with  the  next  thing  off  the stack,
    allowing  all  sorts  of  nasty  tricks  ranging from changing the
    values of internal variables to executing a shell.  The  offending
    code follows:

        <----[ log_exit() in vchkpw.c ]---->
        <---------------------------------->
        
        void log_exit( int syslog_level, int exit_code, char *fmt, ... )
        {
         char tmpbuf[300];
	        va_list ap;
        
        
	        if ( ENABLE_LOGGING > 0 ) {
		        va_start(ap,fmt);
		        vsprintf(tmpbuf, fmt, ap );
		        syslog(syslog_level, tmpbuf );
	        }
        
        #ifdef DEBUG
	        vfprintf(stderr, fmt, ap);
	        fprintf(stderr, "\n");
        #endif
        
	        if ( ENABLE_LOGGING > 0 ) {
		        va_end(ap);
	        }
        
	        exit(exit_code);
        }

    Please keep in  mind that the  parameters passed to  this function
    are  global  100-byte  character  arrays, containing the username,
    domain, password and  IP address.   What actually happens  is that
    the formatting strings  aren't expanded until  they are parsed  by
    vsprintf() inside the syslog() function, instead of the vsprintf()
    before the syslog().

Solution

    The  latest  release  of  vpopmail  (4.8  -  June/27/2000)  can be
    downloaded from

        http://www.inter7.com/vpopmail/

    All earlier  versions were  removed from  the site  to prevent the
    spread of vulnerable releases.