------------------------------------------
www.inter7.com
Inter7 Internet Technologies, Inc.
Internal Advisory
------------------------------------------
Date 04/10/2001
Category Security
Item qmailadmin
Severity Medium
Distribution Public
Status Fixed - New version available
(http://www.inter7.com/qmailadmin/qmailadmin-0.44.tar.gz)
Summary:
A buffer overflow condition exists in the qmailadmin package which
could potentially allow a local or remote attacker to execute arbitrary
code on the victim's system as the vpopmail user. All versions are
vulnerable.
Full description:
The language template code does not do bounds checking when copying the
HTTP_ACCEPT_LANGUAGE environment variable to a buffer. The offending
code exists in two places (in later versions).
qmailadmin.c init_globals():

    char *tmpstr;
    char tmpbuf[40];

    tmpstr = getenv("HTTP_ACCEPT_LANGUAGE");
    .
    .
    strcpy(tmpbuf, tmpstr);    /* no bounds check on tmpbuf[40] */

util.c open_lang(char *lang): (later versions only)

    char tmpbuf[200];
    char *tmpstr;

    tmpstr = getenv(QMAILADMIN_TEMPLATEDIR);
    .
    .
    sprintf(tmpbuf, "%s/%s", tmpstr, lang);    /* no bounds check on tmpbuf[200] */

qmailadmin's install scripts set qmailadmin by default as SUID vpopmail.
While this does not automatically lend itself to a root compromise, an
attacker could potentially send offending code which would lead to a
shell owned by the vpopmail user, which allows for further compromises
and, of course, full access to the vpopmail data areas.
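
Added example (not taken from the advisory or from the qmailadmin 0.44
source): bounded forms of the two copies shown above, which reject
oversized input instead of writing past the 40-byte and 200-byte
buffers. The helper names, the "en" fallback and the template directory
are assumptions made for illustration.

```c
/* Added example: bounded forms of the two copies shown in the advisory.
 * Helper names, the "en" fallback and the template directory are
 * assumptions for illustration, not code from qmailadmin 0.44. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Copy src into dst[dstlen]. Returns 0 on success, or -1 (dst left empty)
 * if src is NULL or does not fit together with its terminating NUL. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t n;
    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';
    if (src == NULL) return -1;
    n = strlen(src);
    if (n >= dstlen) return -1;      /* reject instead of overflowing */
    memcpy(dst, src, n + 1);
    return 0;
}

/* Build "dir/lang" in dst[dstlen]. snprintf never writes past dstlen and
 * returns the length it needed, so truncation is detectable. */
int build_lang_path(char *dst, size_t dstlen, const char *dir, const char *lang)
{
    int n;
    if (dst == NULL || dstlen == 0) return -1;
    dst[0] = '\0';
    if (dir == NULL || lang == NULL) return -1;
    n = snprintf(dst, dstlen, "%s/%s", dir, lang);
    if (n < 0 || (size_t)n >= dstlen) { dst[0] = '\0'; return -1; }
    return 0;
}

int main(void)
{
    char tmpbuf[40];    /* same size as in init_globals() */
    char path[200];     /* same size as in open_lang() */
    if (copy_bounded(tmpbuf, sizeof tmpbuf, getenv("HTTP_ACCEPT_LANGUAGE")) != 0)
        copy_bounded(tmpbuf, sizeof tmpbuf, "en");        /* assumed default */
    if (build_lang_path(path, sizeof path, "/tmp/templates", tmpbuf) != 0)
        return 1;
    puts(path);
    return 0;
}
```
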
Patch:
Please download the latest distribution at
http://www.inter7.com/qmailadmin/qmailadmin-0.44.tar.gz
--
Inter7 Internet Technologies, Inc.
www.inter7.com - 847-492-0470