A buffer overflow in qwik-smtpd version 0.3 lets a remote client overwrite the server's notion of the peer address and relay mail without authorization.
From djb@cr.yp.to Wed Dec 15 14:21:22 2004
Date: 15 Dec 2004 08:18:52 -0000
From: D. J. Bernstein <djb@cr.yp.to>
To: securesoftware@list.cr.yp.to, amir142@users.sourceforge.net,
qwikmail-talk@lists.sourceforge.net
Subject: [remote] [exhaust] qwik-smtpd overflows clientHelo buffer
Jonathan Rockway, a student in my Fall 2004 UNIX Security Holes course,
has discovered that qwik-smtpd, version 0.3, allows spammers to freely
relay mail. I'm publishing this notice, but all the discovery credits
should be assigned to Rockway.
The bug is that qwik-smtpd uses strcpy() to copy the HELO argument to a
32-byte clientHelo buffer, which is followed immediately by a localIP
buffer. If a spammer connects to qwik-smtpd and sends
HELO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA127.0.0.1
then the localIP buffer will change to 127.0.0.1. Version 0.3 of
qwik-smtpd always allows 127.0.0.1 to relay mail.
The official 2004.10.30 patch to qwik-smtpd, fixing a format-string bug,
does not correct this problem. The CVS version of qwik-smtpd is immune
to this particular attack but has not been packaged.
---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago
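The following is an added illustration of the overflow the advisory describes, written for this page; it is not qwik-smtpd's source and was not posted by Bernstein or Rockway. The session struct, its field sizes, the peer address 203.0.113.7 and the function names are this example's assumptions. Only the adjacency of the two buffers, the 32-byte HELO buffer and the rule that 127.0.0.1 may always relay are taken from the advisory. The vulnerable handler performs the same write an unbounded strcpy() would, and the hardened handler shows the length check that prevents it.

```c
#include <stdio.h>
#include <string.h>

/* Session layout assumed here to mirror the advisory: a 32-byte buffer for
 * the HELO argument followed immediately by the buffer holding the peer's
 * address. The struct and its field sizes are this example's assumptions,
 * not qwik-smtpd's actual source. */
struct session {
    char clientHelo[32];
    char localIP[16];           /* "255.255.255.255" plus NUL */
};

/* Relay policy described in the advisory: 127.0.0.1 may always relay. */
static int relay_allowed(const struct session *s)
{
    return strcmp(s->localIP, "127.0.0.1") == 0;
}

/* Vulnerable handler: copies the HELO argument with no length check.
 * A strcpy() past the end of clientHelo is undefined behaviour, so for a
 * deterministic demonstration the same write is done byte-for-byte into the
 * struct's own storage, which is what the adjacent-field overflow does on
 * typical compilers. The clamp only keeps the demo inside the object. */
static void handle_helo_vulnerable(struct session *s, const char *arg)
{
    size_t n = strlen(arg) + 1;                 /* includes terminating NUL */
    if (n > sizeof *s)
        n = sizeof *s;
    memcpy((char *)s, arg, n);                  /* bytes 32.. land in localIP */
}

/* Hardened handler: bound the copy by the destination size and reject
 * anything that does not fit, leaving localIP untouched. */
static int handle_helo_fixed(struct session *s, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= sizeof s->clientHelo)
        return 0;                               /* caller would answer 501 */
    memcpy(s->clientHelo, arg, len + 1);
    return 1;
}

/* Constructed HELO argument from the advisory: 32 filler bytes, then the
 * string that should land in localIP. */
static const char ATTACK_HELO[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "127.0.0.1";

/* Constructed peer address for the demo: an outside client, not loopback. */
static void new_session(struct session *s)
{
    memset(s, 0, sizeof *s);
    strcpy(s->localIP, "203.0.113.7");
}

/* Returns 1 if the overflow flipped the relay decision. */
static int demo_vulnerable(void)
{
    struct session s;
    new_session(&s);
    handle_helo_vulnerable(&s, ATTACK_HELO);
    return relay_allowed(&s);
}

/* Returns 1 if the hardened handler rejected the argument and the original
 * peer address survived. */
static int demo_fixed(void)
{
    struct session s;
    new_session(&s);
    int accepted = handle_helo_fixed(&s, ATTACK_HELO);
    return !accepted && !relay_allowed(&s)
        && strcmp(s.localIP, "203.0.113.7") == 0;
}

int main(void)
{
    struct session s;
    new_session(&s);
    handle_helo_vulnerable(&s, ATTACK_HELO);
    printf("vulnerable: localIP=%s relay=%d\n", s.localIP, relay_allowed(&s));

    new_session(&s);
    int accepted = handle_helo_fixed(&s, ATTACK_HELO);
    printf("fixed: accepted=%d localIP=%s relay=%d\n",
           accepted, s.localIP, relay_allowed(&s));
    return 0;
}
```

The point to take from the hardened handler is that the check is against the destination's size, not the source's: truncating with strncpy() would stop the overwrite but could still leave clientHelo unterminated, so rejecting the oversized argument outright is the simpler safe choice.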