Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
From: isno (isnoETANG.COM)
Date: Thu Feb 01 2001 - 21:06:08 CST

    I discovered that all versions of XMail <http://www.mycio.com/davidel/xmail> have
    buffer overflow vulnerabilities in CTRLServer. These holes are NOT the same as the
    APOP/USER command buffer overflow vulnerability discovered earlier. This problem
    allows a remote attacker to execute arbitrary code by issuing a long
    cfgfileget (or cfgfileset, domainadd, domaindel) command.


    Vulnerable systems:
    XMail version 0.66 and prior versions

    Immune systems:

    CTRLServer is XMail's administration service. It listens on port 6017 (tunable).
    Some bad programming there leads to the vulnerabilities.

    In CTRLSvr.cpp
    line 1888: CTRLDo_domainadd() function
    StrLower(strcpy(szDomain, ppszTokens[1]));

    szDomain is a 256-byte local buffer and ppszTokens[1] is parsed from the
    user-supplied command; XMail copies it without bounds checking. The overflow can
    overwrite the saved EIP, and because XMail runs as root, an attacker can execute
    arbitrary code with root privileges.

    The same vulnerability appears elsewhere in CTRLSvr.cpp:
    line 1921: CTRLDo_domaindel() function
    StrLower(strcpy(szDomain, ppszTokens[1]));

    line 2448: CTRLDo_cfgfileget() function
    strcpy(szRelativePath, ppszTokens[1]);

    line 2523: CTRLDo_cfgfileset() function
    strcpy(szRelativePath, ppszTokens[1]);
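    As an added example (not isno's xmailx.c and not XMail's own code), the following
    shows the fix a maintainer would apply to the four call sites above: the 256-byte
    szDomain copy replaced with a bounded copy that rejects an over-long token instead
    of overrunning the stack buffer. str_lower, handle_domainadd and the whitespace
    tokenizer are hypothetical stand-ins for XMail's StrLower and command parser.

```c
#include <ctype.h>
#include <string.h>
#define DOMAIN_MAX 256   /* the 256-byte szDomain the post describes */

/* Lower-case in place; stands in for XMail's StrLower (hypothetical helper). */
static void str_lower(char *s)
{
    for (; *s; s++) *s = (char)tolower((unsigned char)*s);
}

/* Bounded replacement for StrLower(strcpy(szDomain, ppszTokens[1])): copies
 * the token only if it fits with its NUL, else leaves dst empty and returns -1. */
int copy_domain_token(char *dst, size_t dstsz, const char *tok, size_t len)
{
    if (dstsz == 0) return -1;
    dst[0] = '\0';
    if (tok == NULL || len == 0 || len >= dstsz) return -1;
    memcpy(dst, tok, len);
    dst[len] = '\0';
    str_lower(dst);
    return 0;
}

/* Constructed stand-in for the CTRL tokenizer for "domainadd <domain>";
 * 0 on success, -1 on a bad command or an argument that would overflow. */
int handle_domainadd(const char *line, char *out, size_t outsz)
{
    const char *ws = " \t\r\n";
    line += strspn(line, ws);
    size_t cmdlen = strcspn(line, ws);
    if (cmdlen != 9 || strncmp(line, "domainadd", 9) != 0) return -1;
    const char *arg = line + cmdlen + strspn(line + cmdlen, ws);
    return copy_domain_token(out, outsz, arg, strcspn(arg, ws));
}

/* 1 if a constructed 300-byte argument is refused and out is left empty. */
int demo_rejects_long_token(void)
{
    char line[512] = "domainadd ";
    memset(line + 10, 'A', 300);
    line[310] = '\0';
    char dom[DOMAIN_MAX] = "stale";
    return handle_domainadd(line, dom, sizeof dom) == -1 && dom[0] == '\0';
}

/* 1 if a normal argument is accepted and lower-cased as StrLower would. */
int demo_accepts_short_token(void)
{
    char dom[DOMAIN_MAX];
    return handle_domainadd("domainadd Example.ORG\r\n", dom, sizeof dom) == 0 && strcmp(dom, "example.org") == 0;
}
```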

    Before exploiting the vulnerabilities, it is necessary to log in with the CTRLServer
    username and password. I think it is easy to get those by brute forcing.

    I wrote a program to test the vulnerabilities on my Redhat 6.0 i386 + XMail 0.65
    (0.66 has the same bugs):

    [rootisno /root]# gcc -o xmailx xmailx.c
    [rootisno /root]# ./xmailx isno mypasswd

    Use retAddress: 0xbc7fe974

    +00000 <981016616.25626127.0.0.1> XMail 0.65 (Linux/Ix86) CTRL Server; Thu, 01 Feb 2001 16:36:56 +0800

    Starting to login...
    Success!now telnet 36864
    [rootisno /root]# telnet 36864
    Connected to
    Escape character is '^]'.
    uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
    : command not found

    Because the buffer is too small to place many NOPs before the shellcode, it is difficult
    to guess the return address. The offset cannot be brute forced either, because once the
    overflow is sent to CTRLServer, XMail crashes.

    The XMail maintainers at http://www.mycio.com/davidel/xmail should release a patch.

    Excuse my poor English...


    • application/octet-stream attachment: xmailx.c