 Home Security Internet Explorer Windows 2000 AIX Netscape Misc Other Links Services In the news Random stuff Contact guninski@guninski.com |
Buffer overflow in qmail-qmtpd, yet still qmail much better than windows Systems affected: tested on qmail 1.03 on linux Risk: Low - not in default install and i can't exploit it Date: 3 March 2004 Legal Notice: This Advisory is
Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified. You may not modify it and distribute it or distribute parts of it without the author's written permission - this especially applies to so called "vulnerabilities databases" and securityfocus, microsoft, cert and mitre. If you want to link to this content use the URL: http://www.guninski.com/qmail-qmtpd.html Anything in this document may change without notice. Disclaimer: The information in this advisory is believed to be true though it may be false. The opinions expressed in this advisory and program are my own and not of any company. The usual standard disclaimer applies, especially the fact that Georgi Guninski is not liable for any damages caused by direct or indirect use of the information or functionality provided by this advisory or program. Georgi Guninski bears no responsibility for content or misuse of this advisory or program or any derivatives thereof. Description: there is a buffer overflow in qmail-qmtpd.c if the env. var. RELAYCLIENT is long between 4 and 1003. A static buffer gets overflowed due to integer overflow. I can't exploit it on linux, though it may turn exploitable. Details: Basically the idea is it is possible getlen() to return (unsigned long)-1 or -4 and then the check if (len + relayclientlen >= 1000) passes though len == (unsigned)-4. Then len is used to copy in a static buffer. The check for len is *before* len is updated, so it is possible to update len and then return len. A lot of memory gets overwritten including qq. if a C compiler sets ssin after buf, i believe it will be exploitable. The trick is that len = 10 * len + (ch - '0'); can return -1 if len == 0 and ch == '/' How to reproduce: -------------------------------------------------- [joro@sivokote tmp]$ ./qma-qmtpd.pl qmail-qmtpd buffer overflow. Copyright Georgi Guninski Cannot be used in vulnerability databases and similar stuff <in another terminal> ps awx 2080 pts/9 S 0:00 /var/qmail/bin/qmail-qmtpd gdb attach 2080 cont <in first terminal hit enter> Program received signal SIGSEGV, Segmentation fault. 0x0804b096 in alarm () -------------------------------------------------- -qma-qmtpd.pl---- #!/usr/bin/perl -w----------------- Fix: Patch by me, use at your own risk: -patch----- --- ../qmail-1.03/qmail-qmtpd.c 1998-06-15 13:53:16.000000000 +0300 +++ qmail-qmtpd.c 2004-02-29 16:15:13.000000000 +0200 @@ -45,8 +45,8 @@ for (;;) { substdio_get(&ssin,&ch,1); if (ch == ':') return len; - if (len > 200000000) resources(); len = 10 * len + (ch - '0'); + if (len > 200000000 || ch < '0' || ch > '9') resources(); } } @@ -193,8 +193,8 @@ substdio_get(&ssin,&ch,1); --biglen; if (ch == ':') break; - if (len > 200000000) resources(); len = 10 * len + (ch - '0'); + if (len > 200000000 || ch < '0' || ch > '9') resources(); } if (len >= biglen) badproto(); if (len + relayclientlen >= 1000) { ----------- Vendor status: djb is aware of the bug Georgi Guninski http://www.guninski.com |