qwik-smtpd Remote Format String Arbitrary Code Execution

2004-10-31T06:15:08
ID OSVDB:11303
Type osvdb
Reporter Dark Eagle (darkeagle@list.ru)
Modified 2004-10-31T06:15:08

Description

Vulnerability Description

QwikMail SMTP (qwik-smtpd) contains a flaw that may allow a malicious user to execute arbitrary code via a format string vulnerability in qwik-smtpd.c. The issue is triggered by sending a specially crafted mail request. It is possible that the flaw may allow arbitrary command execution resulting in a loss of confidentiality and integrity.

Solution Description

Upgrade to version 0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://qwikmail.sourceforge.net/
Security Tracker: 1012016
Secunia Advisory ID: 13037
Other Advisory URL: http://unl0ck.info/advisories/qwik-smtpd.txt
Other Advisory URL: http://www.securiteam.com/exploits/6H0062KBPM.html
ISS X-Force ID: 17917
FrSIRT Advisory: ADV-2007-0687
CVE-2004-2677
Bugtraq ID: 11572