From djb@cr.yp.to Wed Dec 15 14:21:22 2004
Date: 15 Dec 2004 08:18:52 -0000
From: D. J. Bernstein
To: securesoftware@list.cr.yp.to, amir142@users.sourceforge.net, qwikmail-talk@lists.sourceforge.net
Subject: [remote] [exhaust] qwik-smtpd overflows clientHelo buffer

Jonathan Rockway, a student in my Fall 2004 UNIX Security Holes course, has discovered that qwik-smtpd, version 0.3, allows spammers to freely relay mail. I'm publishing this notice, but all the discovery credits should be assigned to Rockway.

The bug is that qwik-smtpd uses strcpy() to copy the HELO argument to a 32-byte clientHelo buffer, which is followed immediately by a localIP buffer. If a spammer connects to qwik-smtpd and sends

   HELO AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA127.0.0.1

then the localIP buffer will change to 127.0.0.1. Version 0.3 of qwik-smtpd always allows 127.0.0.1 to relay mail.

The official 2004.10.30 patch to qwik-smtpd, fixing a format-string bug, does not correct this problem. The CVS version of qwik-smtpd is immune to this particular attack but has not been packaged.

---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
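The following C sketch is an added illustration, not code from the advisory or from qwik-smtpd's own source: it mirrors the described layout (a 32-byte HELO buffer directly followed by the address buffer the relay check consults) and places the unbounded copy of 0.3 beside a length-checked replacement. The struct and function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout matching the advisory's description: the HELO
 * argument is stored immediately before the buffer consulted by the
 * relay check. Field names follow the advisory; the real code may differ. */
struct session {
    char clientHelo[32];
    char localIP[16];
};

/* Before (the 0.3 pattern): no length check. Any argument of 32 bytes or
 * more runs past clientHelo, and the bytes beyond the 32nd overwrite
 * localIP, which the relay check trusts. Shown for contrast; not called. */
void helo_unbounded(struct session *s, const char *arg) {
    strcpy(s->clientHelo, arg);
}

/* After: measure first, copy only if the argument fits including its NUL,
 * otherwise reject it so neighbouring memory is never touched.
 * Returns 0 on success, -1 if the argument is too long (answer 501). */
int helo_bounded(struct session *s, const char *arg) {
    size_t n = strlen(arg);
    if (n >= sizeof s->clientHelo)
        return -1;
    memcpy(s->clientHelo, arg, n + 1);
    return 0;
}

/* Relay decision as 0.3 made it: loopback is always allowed. With the
 * bounded copy, localIP can only contain what the server itself stored. */
int may_relay(const struct session *s) {
    return strcmp(s->localIP, "127.0.0.1") == 0;
}

int main(void) {
    struct session s;
    memset(&s, 0, sizeof s);
    strcpy(s.localIP, "10.0.0.5");   /* constructed: a non-loopback peer */
    /* The 41-byte argument from the advisory is rejected and localIP survives. */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA127.0.0.1";
    printf("bounded copy returned %d\n", helo_bounded(&s, oversized));
    printf("localIP=%s relay=%d\n", s.localIP, may_relay(&s));
    return 0;
}
```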