From: Thomas Cannon (tcannon_at_noops.org)
Date: Mon Aug 05 2002 - 19:11:26 CDT


    qmailadmin is not part of qmail. It's from http://inter7.com/qmailadmin/
    and I guess you can download from there and play with it, although the
    versions I am using were built from the FreeBSD ports tree and also from a
    Linux RPM I grabbed from:

    http://rpmfind.udoj.org/udoj/RPMS/qmailadmin-1.0-1.i386.html

    For all I know this might be a fixed bug in the source from inter7. No
    idea. I clicked on 'security' on their web site and saw this:

    "Inter7 specializes in security through obscurity and misdirection, as
    well as baiting. These techniques, when combined with experience, are
    powerful tools in protecting your network against attacks."

    However, I saw nothing about "Security problem in Qmailadmin -- please
    upgrade immediately," for what that's worth.

    The skinny is that it installs a suid CGI program (as root from the RPM,
    and setuid as a lesser privileged user on *BSD) that has some problems if
    it's run locally. The code problem is that it trusts an environment
    variable without sanitizing or truncating it. I assume the author assumed
    that nobody local would be running this binary, as it's meant to be run as
    a CGI.

        tmpstr = getenv(QMAILADMIN_TEMPLATEDIR);

    So, QMAILADMIN_TEMPLATEDIR is the one.

    [tcannon@frobozz cgi-bin]$ ls -l qmailadmin
    -rwsr-sr-x 1 root root 198597 Nov 26 2001 qmailadmin
    [tcannon@frobozz cgi-bin]$ uname -a
    Linux frobozz.grassroots.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
    [tcannon@frobozz cgi-bin]$ export QMAILADMIN_TEMPLATEDIR=`perl -e 'print "A" x 21000'`
    [tcannon@frobozz cgi-bin]$ gdb qmailadmin
    GNU gdb Red Hat Linux (5.1.90CVS-5)
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and you are
    welcome to change it and/or distribute copies of it under certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for details.
    This GDB was configured as "i386-redhat-linux"...
    (gdb) r
    Starting program: /var/www/cgi-bin/qmailadmin
    Content-Type: text/html

    Program received signal SIGSEGV, Segmentation fault.
    0x42072a5d in rewind () from /lib/i686/libc.so.6
    (gdb) i all
    eax 0x41414141 1094795585 <---- HERE
    ecx 0x41413fa9 1094795177
    edx 0x0 0
    ebx 0x4213030c 1108542220
    esp 0xbfffa7f0 0xbfffa7f0
    ebp 0xbfffa818 0xbfffa818
    esi 0x41414141 1094795588 <---- HERE
    edi 0x0 0
    eip 0x42072a5d 0x42072a5d
    eflags 0x210246 2163270

    <snip>

    So, I'm overwriting parts of memory and going places I shouldn't. But I'm
    not sure how to exploit this, or even if it's really even exploitable. I'm
    not getting to the EIP or EBP, and I'm not sure how to control the stack
    in a way where I could execute arbitrary code. Someone else here might see
    this and go, "Well, obviously... you just move this here, stuff that here,
    put a return address at this spot and when it pops this frame it jumps to
    there and returns this, which, obviously, runs our shellcode." Or, maybe
    not. I know *I* don't know how to exploit this... but if it is exploitable,
    I'd certainly like to learn the technique -- which is why this is in front
    of you today.

    Thanks,

    -thomas

    "No brain, no headache"
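Editor's added example, not qmailadmin's source and not code from the post: the shape of the bug Thomas describes (a fixed-size stack buffer filled from an environment variable with no length check) next to a hardened version that refuses the variable outright when the binary is running set-id and otherwise bounds and validates it. The buffer size, the default directory, and every function name are assumptions for this illustration; only the variable name QMAILADMIN_TEMPLATEDIR comes from the post.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Sizes and default are assumptions for this example, not qmailadmin's. */
#define TEMPLATE_DIR_MAX 256
#define DEFAULT_TEMPLATE_DIR "/usr/local/share/qmailadmin/html"

/*
 * The shape of the bug in the post: a fixed-size stack buffer filled from an
 * environment variable with no length check.  21000 bytes of 'A' overrun
 * `dir` and whatever lies beyond it, so a later libc call ends up working on
 * 0x41414141.  Illustrative only: never run this with hostile input.
 */
void open_template_unsafe(const char *name)
{
    char dir[TEMPLATE_DIR_MAX];
    char path[TEMPLATE_DIR_MAX * 2];
    char *tmpstr = getenv("QMAILADMIN_TEMPLATEDIR");

    if (tmpstr != NULL)
        strcpy(dir, tmpstr);            /* unbounded copy: the overflow */
    else
        strcpy(dir, DEFAULT_TEMPLATE_DIR);
    sprintf(path, "%s/%s", dir, name);  /* second unbounded write */
    FILE *fp = fopen(path, "r");
    if (fp != NULL) {
        rewind(fp);
        fclose(fp);
    }
}

/*
 * A set-id binary must not let its real caller steer file lookups through the
 * environment.  Trust the variable only when real and effective ids agree,
 * i.e. the program was not started as a setuid/setgid executable.
 */
int env_is_trustworthy(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid == euid && rgid == egid;
}

/*
 * Validate `value` (the raw environment string, possibly NULL) and copy it
 * into `out`, which has room for `outlen` bytes.  Returns 0 when the value
 * was accepted and -1 when it was rejected; on rejection `out` holds the
 * default directory, so the caller never ends up with an empty or
 * unterminated buffer.
 */
int template_dir_from_env(const char *value, int env_trusted,
                          char *out, size_t outlen)
{
    size_t len = 0;

    snprintf(out, outlen, "%s", DEFAULT_TEMPLATE_DIR);
    if (!env_trusted || value == NULL)
        return -1;

    /* Bounded scan: stop at outlen instead of trusting the string's length. */
    while (len < outlen && value[len] != '\0')
        len++;
    if (len == 0 || len >= outlen)      /* empty, or no room for the NUL */
        return -1;
    if (value[0] != '/')                /* absolute paths only */
        return -1;
    for (size_t i = 0; i < len; i++) {  /* conservative character whitelist */
        unsigned char c = (unsigned char)value[i];
        if (!isalnum(c) && c != '/' && c != '.' && c != '_' && c != '-')
            return -1;
    }
    if (strstr(value, "..") != NULL)    /* no parent-directory traversal */
        return -1;

    memcpy(out, value, len + 1);
    return 0;
}

/* Read the variable the post names, deciding trust from the process's ids. */
int load_template_dir(char *out, size_t outlen)
{
    int trusted = env_is_trustworthy(getuid(), geteuid(), getgid(), getegid());
    return template_dir_from_env(getenv("QMAILADMIN_TEMPLATEDIR"), trusted,
                                 out, outlen);
}

int main(void)
{
    char dir[TEMPLATE_DIR_MAX];
    int rc = load_template_dir(dir, sizeof dir);

    printf("%s: %s\n", rc == 0 ? "template dir from environment"
                               : "environment rejected, using default", dir);
    return 0;
}
```

The id comparison is the part that matters for a set-id CGI: once a local user can run the binary with their own environment, no amount of length checking makes it safe to let them pick the directory templates are read from, so the variable is simply ignored in that case and the length and path checks only apply when the program runs with the caller's own privileges.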