> SUMMARY
>
> I discovered that all versions of XMail <http://www.mycio.com/davidel/xmail> have
> buffer overflow vulnerabilities in CTRLServer. These holes are NOT the same as
> the APOP and USER command buffer overflow vulnerability discovered earlier. This
> problem allows a remote attacker to execute arbitrary code by issuing a long
> cfgfileget (cfgfileset, domainadd, domaindel) command.
>
> DETAILS
>
> Vulnerable systems:
> XMail version 0.66 and prior versions
>
> Immune systems:
> None
>
> CTRLServer is an XMail tool for administration purposes. It listens on port 6017 (tunable).
> Some bad programming there leads to vulnerabilities.
>
> In CTRLSvr.cpp
> line 1888: CTRLDo_domainadd() function
> StrLower(strcpy(szDomain, ppszTokens[1]));
>
> szDomain is a 256-byte local buffer; ppszTokens[1] is parsed from the user's input
> command, and XMail copies it without bounds checking. It is possible to
> overwrite EIP, and because XMail runs as root, an attacker can execute arbitrary code
> with root privilege.
>
> There are the same vulnerabilities elsewhere in CTRLSvr.cpp:
> line 1921: CTRLDo_domaindel() function
> StrLower(strcpy(szDomain, ppszTokens[1]));
>
> line 2448: CTRLDo_cfgfileget() function
> strcpy(szRelativePath, ppszTokens[1]);
>
> line 2523: CTRLDo_cfgfileset() function
> strcpy(szRelativePath, ppszTokens[1]);
>
> Before exploiting the vulnerabilities, it is necessary to log in with a CTRLServer
> username and password. I think it is easy to get those by brute forcing.
>
> I wrote a program to test the vulnerabilities, on my Redhat 6.0 i386 + XMail 0.65
> (0.66 has the same bugs):
>
> [root@isno /root]# gcc -o xmailx xmailx.c
> [root@isno /root]# ./xmailx isno mypasswd 127.0.0.1
>
> Use retAddress: 0xbc7fe974
>
> +00000 <[EMAIL PROTECTED]> XMail 0.65 (Linux/Ix86) CTRL Server; Thu, 01 Feb 2001 16:36:56 +0800
>
> Starting to login...
> Success! Now telnet 127.0.0.1 36864
> [root@isno /root]# telnet 127.0.0.1 36864
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> id;
> uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> : command not found
>
> Because the buffer is too small to place many NOPs before the shellcode, it is difficult
> to guess the return address. And the offset cannot be brute forced, because once the overflow
> is sent to CTRLServer, XMail crashes.
>
> PATCH:
> http://www.mycio.com/davidel/xmail should release the patch.
>
> Excuse my poor English...

It'll be fixed in 0.68.

- Davide
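The defect the advisory describes is an unbounded strcpy() of a parsed command token into a 256-byte stack buffer. The following is an added example, not XMail's code and not written by either poster: it shows that vulnerable shape beside a bounded handler that checks the token length (NUL included) before copying and returns an error the server can report instead of corrupting its stack. The tokenizer, the names domainadd_vulnerable/domainadd_safe/handle_domainadd/build_long_domainadd/check_*, and the 4096-byte line limit are assumptions of this example; only the 256-byte destination size comes from the advisory. domainadd_vulnerable() is defined for comparison and never called.

```c
#include <stdio.h>
#include <string.h>

/* Size of the szDomain stack buffer named in the advisory (256 bytes). */
#define DOMAIN_MAX 256
/* Upper bound on one raw command line in this example (assumption, not XMail's). */
#define LINE_MAX_LEN 4096

/* Hypothetical stand-in for the server's command tokenizer: splits a line on
 * spaces/tabs in place, fills tokens[], and returns the token count. */
static int tokenize(char *line, char **tokens, int max_tokens)
{
    int n = 0;
    for (char *p = strtok(line, " \t\r\n"); p != NULL && n < max_tokens;
         p = strtok(NULL, " \t\r\n"))
        tokens[n++] = p;
    return n;
}

/* The vulnerable shape from the advisory: strcpy() of tokens[1] into a fixed
 * 256-byte stack buffer with no length check. Shown for contrast only; it is
 * never invoked here and must not be fed untrusted input. */
int domainadd_vulnerable(char **tokens, int ntokens)
{
    char szDomain[DOMAIN_MAX];
    if (ntokens < 2)
        return -1;
    strcpy(szDomain, tokens[1]);   /* writes past szDomain once strlen(tokens[1]) >= 256 */
    return (int)strlen(szDomain);
}

/* Hardened handler: verify the argument fits the destination, including the
 * terminating NUL, before any copy. Returns 0 on success, -1 for a missing
 * argument, -2 for an oversized one (reject it; do not truncate silently). */
int domainadd_safe(char **tokens, int ntokens, char *out, size_t out_len)
{
    if (ntokens < 2 || out == NULL || out_len == 0)
        return -1;
    size_t n = strlen(tokens[1]);
    if (n >= out_len)
        return -2;
    memcpy(out, tokens[1], n + 1);
    for (size_t i = 0; i < n; i++)          /* same lowercasing StrLower() performs */
        if (out[i] >= 'A' && out[i] <= 'Z')
            out[i] = (char)(out[i] - 'A' + 'a');
    return 0;
}

/* Run one raw command line through the safe handler. Returns its code; on
 * success `dom` holds the lowercased domain. */
int handle_domainadd(const char *cmdline, char *dom, size_t dom_len)
{
    char line[LINE_MAX_LEN];
    char *tokens[8];
    size_t len = strlen(cmdline);
    if (len >= sizeof line)
        return -2;                          /* the whole line is oversized */
    memcpy(line, cmdline, len + 1);
    int n = tokenize(line, tokens, 8);
    return domainadd_safe(tokens, n, dom, dom_len);
}

/* Constructed request of the shape the advisory describes: "domainadd " followed
 * by `arglen` bytes of 'A'. Returns 0, or -1 if it does not fit in buf. */
int build_long_domainadd(char *buf, size_t buflen, size_t arglen)
{
    const char *cmd = "domainadd ";
    size_t cl = strlen(cmd);
    if (cl + arglen + 1 > buflen)
        return -1;
    memcpy(buf, cmd, cl);
    memset(buf + cl, 'A', arglen);
    buf[cl + arglen] = '\0';
    return 0;
}

/* Self-checks: 1 when a normal request is accepted and lowercased. */
int check_normal(void)
{
    char dom[DOMAIN_MAX];
    return handle_domainadd("domainadd Example.ORG", dom, sizeof dom) == 0
           && strcmp(dom, "example.org") == 0;
}

/* Handler code for an argument of `arglen` bytes; -3 if the request cannot be built. */
int check_oversize(size_t arglen)
{
    char dom[DOMAIN_MAX], req[LINE_MAX_LEN];
    if (build_long_domainadd(req, sizeof req, arglen) != 0)
        return -3;
    return handle_domainadd(req, dom, sizeof dom);
}

int check_missing_arg(void)
{
    char dom[DOMAIN_MAX];
    return handle_domainadd("domainadd", dom, sizeof dom);
}

int main(void)
{
    printf("normal request accepted: %d\n", check_normal());
    printf("255-byte argument: rc=%d (fits with NUL)\n", check_oversize(255));
    printf("300-byte argument: rc=%d (rejected before any copy)\n", check_oversize(300));
    return 0;
}
```

The point of the bounded version is that the check happens against the destination's real size (`out_len`) before a single byte is copied, and that the caller gets a distinct error code it can turn into a CTRL error reply; a silent truncation would hide the attack attempt and could still produce a wrong domain name.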