bug.

2004-10-31T00:00:00
ID SECURITYVULNS:DOC:7108
Type securityvulns
Reporter Securityvulns
Modified 2004-10-31T00:00:00

Description

                    -= Unl0ck Team Security Advisory =-

    ____ ___       __  _______           __      ___________
   |    |   \____ |  | \   _  \    ____ |  | __  \__    ___/___ _____    _____
   |    |   /    \|  | /  /_\  \_ / ___\|  |/ /    |    |_/ __ \\__  \  /     \
   |    |  /   |  \  |_\  \_/   \  \___ |    <     |    |\  ___/ / __ \|  Y Y  \
   |______/|___|  /____/\_____  /\_____ >__|_ \    |____| \___  >____  /__|_|  /
                \/            \/       \/    \/               \/     \/      \/
                     ... the best way of protection is attack

                     http://unl0ck.net.ru || http://unl0ck.info

Advisory      : #9 by unl0ck team
Product       : qwik-smtpd (latest version).
Vendor        : http://qwikmail.sourceforge.net/
Date          : 31.10.2004
Impact        : format string vulnerability
Vendor Status : Released Patch. http://qwikmail.sourceforge.net/smtpd/qwik-smtpd-0.3.patch
Advisory URL  : http://unl0ck.info/advisories/qwik-smtpd.txt

-=[ Overview

It is an SMTP (mail) server that supports SMTP and ESMTP. Once finished, it will be very secure, hopefully with the same reputation as qmail.

]=-

-=[ Vulnerability

I found a format string bug in the Qwik-SMTP daemon. See this:

File: qwik-smtpd.c

    sprintf(Received,"Received: from %s (HELO %s) (%s) by %s with SMTP; %s\n",
            clientHost, clientHelo, clientIP, localHost, timebuf);
    ...
    else
    {
        fprintf(fpout,Received);
    ...

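As you can see, the bug is in the main() function: Received, which contains the client-supplied HELO string, is passed to fprintf() as the format string. The bug is REMOTE. We don't want to release an exploit, to avoid its use by kids.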
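One way to close the pattern shown above, as an added example that is neither qwik-smtpd source nor the vendor's patch: the header is built with a bounded write and then written as data, never as a format string. Function names, buffer sizes and the sample host, IP and date values are assumptions made for the example.

```c
/* Added example, not qwik-smtpd source. Function names are assumptions;
 * the advisory's vulnerable call was: fprintf(fpout, Received);          */
#include <stdio.h>
#include <string.h>

/* Build the header with a bounded write. Returns 0 on success, -1 if it
 * would not fit (sprintf into a fixed buffer would overflow instead). */
int build_received(char *out, size_t outlen, const char *host, const char *helo,
                   const char *ip, const char *local, const char *timebuf)
{
    int n = snprintf(out, outlen,
                     "Received: from %s (HELO %s) (%s) by %s with SMTP; %s\n",
                     host, helo, ip, local, timebuf);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

/* Write the header as data: fputs() does not interpret '%'.
 * Equivalent fix: fprintf(fp, "%s", received). */
int write_received(FILE *fp, const char *received)
{
    return fputs(received, fp) == EOF ? -1 : 0;
}

/* Round-trip through a temp file. Returns 1 if the bytes written equal the
 * header built, 0 if they differ, -1 on error. */
int header_roundtrip_ok(const char *helo)
{
    char hdr[512], back[512];
    FILE *fp;
    /* constructed sample values (documentation names and address range) */
    if (build_received(hdr, sizeof hdr, "client.example", helo, "192.0.2.10",
                       "mx.example", "Sun, 31 Oct 2004 00:00:00 +0000") != 0)
        return -1;
    if ((fp = tmpfile()) == NULL)
        return -1;
    if (write_received(fp, hdr) != 0) { fclose(fp); return -1; }
    rewind(fp);
    size_t got = fread(back, 1, sizeof back - 1, fp);
    back[got] = '\0';
    fclose(fp);
    return strcmp(hdr, back) == 0;
}

int main(void)
{
    printf("plain HELO:   %d\n", header_roundtrip_ok("mail.example"));
    printf("HELO with %%x: %d\n", header_roundtrip_ok("mail.example%x.%x"));
    return 0;
}
```

Compiling with gcc or clang and `-Wformat -Wformat-security` flags calls such as `fprintf(fpout, Received)` at build time, which makes the same check usable as a code-audit step.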

-=[ Credits

This bug was found by Dark Eagle, mailto:darkeagle@list.ru

(c) Unl0ck Team [http://unl0ck.info] || [http://unl0ck.net.ru]

Greetz go out to: Stine, nekd0, 8RON, forsyte, cr0n, f00n.

]=-