SUMMARY

I discovered that all versions of XMail <http://www.mycio.com/davidel/xmail> have
buffer overflow vulnerabilities in CTRLServer. These holes are NOT the same as
the APOP/USER command buffer overflow vulnerability discovered earlier. This
problem allows a remote attacker to execute arbitrary code by issuing a long
cfgfileget (cfgfileset, domainadd, domaindel) command.

DETAILS

Vulnerable systems:
XMail version 0.66 and prior versions

Immune systems:
None

CTRLServer is XMail's tool for administration purposes. It listens on port
6017 (tunable).
Some bad programming there leads to vulnerabilities.

In CTRLSvr.cpp
line 1888: CTRLDo_domainadd() function
StrLower(strcpy(szDomain, ppszTokens[1]));

szDomain is a 256-byte local buffer; ppszTokens[1] is parsed from the user-input
command, and XMail copies it without bounds checking. This makes it possible to
overwrite EIP, and because XMail runs as root, an attacker can execute arbitrary
code with root privilege.

The same vulnerability appears in three more places in CTRLSvr.cpp:
line 1921: CTRLDo_domaindel() function
StrLower(strcpy(szDomain, ppszTokens[1]));

line 2448: CTRLDo_cfgfileget() function
strcpy(szRelativePath, ppszTokens[1]);

line 2523: CTRLDo_cfgfileset() function
strcpy(szRelativePath, ppszTokens[1]);
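As an added illustration (not code from the advisory or from XMail), the pattern above beside a bounded replacement: the client-supplied token is measured against the 256-byte destination before anything is written, and over-long input is refused instead of copied. DOMAIN_BUF_SIZE, copy_domain_token and the two self-check functions are assumed names; the 300-byte token is constructed input.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define DOMAIN_BUF_SIZE 256 /* size of szDomain in CTRLSvr.cpp, per the advisory */
enum { DOMAIN_OK = 0, DOMAIN_EMPTY = -1, DOMAIN_TOO_LONG = -2 };

/* Hardened replacement for StrLower(strcpy(szDomain, ppszTokens[1])):
 * measure the client-supplied token with an upper bound and refuse it
 * before a single byte is written into the fixed-size destination. */
int copy_domain_token(const char *token, char *dst, size_t dstsz)
{
    size_t n = 0;
    if (dstsz == 0)
        return DOMAIN_TOO_LONG;
    dst[0] = '\0';               /* well-formed empty string on any failure */
    /* Bounded scan: never read further than dstsz, even if token lacks a NUL. */
    while (n < dstsz && token[n] != '\0')
        n++;
    if (n == 0)
        return DOMAIN_EMPTY;
    if (n >= dstsz)              /* no room left for the terminating NUL */
        return DOMAIN_TOO_LONG;
    memcpy(dst, token, n);
    dst[n] = '\0';
    for (size_t i = 0; i < n; i++)   /* what StrLower() did, now on a bounded string */
        dst[i] = (char)tolower((unsigned char)dst[i]);
    return DOMAIN_OK;
}

/* Self-checks with constructed input, using the same 256-byte stack buffer
 * shape as CTRLDo_domainadd. */
int long_token_is_rejected(void)   /* 300 bytes > szDomain: refused, nothing written */
{
    char token[300], szDomain[DOMAIN_BUF_SIZE];
    memset(token, 'A', sizeof token - 1);
    token[sizeof token - 1] = '\0';
    return copy_domain_token(token, szDomain, sizeof szDomain) == DOMAIN_TOO_LONG
        && szDomain[0] == '\0';
}
int short_token_is_normalized(void) /* fits: copied and lower-cased like StrLower() */
{
    char szDomain[DOMAIN_BUF_SIZE];
    return copy_domain_token("Example.COM", szDomain, sizeof szDomain) == DOMAIN_OK
        && strcmp(szDomain, "example.com") == 0;
}
```

The same check applies unchanged to the szRelativePath copies in cfgfileget and cfgfileset, since the defect is identical.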

Before exploiting the vulnerabilities, it is necessary to log in with the CTRLServer
username and password. I think it is easy to get them by brute forcing.

I wrote a program to test the vulnerabilities on my Redhat 6.0 i386 + XMail 0.65
(0.66 has the same bugs):

[root@isno /root]# gcc -o xmailx xmailx.c
[root@isno /root]# ./xmailx isno mypasswd 127.0.0.1

Use retAddress: 0xbc7fe974

+00000 <[EMAIL PROTECTED]> XMail 0.65 (Linux/Ix86) CTRL Server; Thu, 01 Feb 
+2001 16:36:56 +0800

Starting to login...
Success!now telnet 127.0.0.1 36864
[root@isno /root]# telnet 127.0.0.1 36864
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
id;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
: command not found

Because the buffer is too small to place many NOPs before the shellcode, it is difficult
to guess the return address. And the offset cannot be brute-forced, because once overflow
code is sent to the CTRLServer, XMail crashes.

PATCH:
http://www.mycio.com/davidel/xmail should release a patch.

Excuse my poor English...


 isno
 [EMAIL PROTECTED]

xmailx.c
