Qwik SMTPD format string.
c5516163e37b94e1ba58d1f2bbc018b82c0c69f9963be4a53934a747260050c9
-= Unl0ck Team Security Advisory =-
... the best way of protection is attack
http://unl0ck.net.ru || http://unl0ck.info
Advisory : #9 by unl0ck team
Product : qwik-smtpd (latest version).
Vendor : http://qwikmail.sourceforge.net/
Date : 31.10.2004
Impact : format string vulnerability
Vendor Status : Released Patch. http://qwikmail.sourceforge.net/smtpd/qwik-smtpd-0.3.patch
Advisory URL : http://unl0ck.info/advisories/qwik-smtpd.txt
-=[ Overview
It is an SMTP (mail) server that supports SMTP and ESMTP. Once finished,
it will be very secure, hopefully with the same reputation as qmail.
]=-
-=[ Vulnerability
I found a format string bug in the Qwik-SMTP daemon.
See this:
File: qwik-smtpd.c

    sprintf(Received,"Received: from %s (HELO %s) (%s) by %s with SMTP; %s\n", clientHost,
            clientHelo, clientIP, localHost, timebuf);
    ...
    else
    {
        fprintf(fpout,Received);
    ...

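As you can see, the bug is in the main() function: Received, which contains the
client-supplied HELO string, is passed to fprintf() as the format string.
This bug is of the REMOTE type.
We don't want to release an exploit, to avoid its use by kids.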
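
Added example, not part of the original advisory and not the vendor's patch: one way to write the header so that the client-controlled HELO string is treated as data, with a check that counts the conversion directives a string would trigger if it were used as a format. The helper names write_received and count_directives, the buffer size and the sample values are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: count the conversion directives fprintf() would act on
 * if `s` were used as its format string ("%%" is a literal percent sign). */
static int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, no argument */
        n++;
    }
    return n;
}

/* Hypothetical helper: build the header as on the page (bounded here with
 * snprintf) and write it as data. Returns 0 on success, -1 on error. */
static int write_received(FILE *fpout, const char *clientHost,
                          const char *clientHelo, const char *clientIP,
                          const char *localHost, const char *timebuf)
{
    char Received[1024];                      /* assumed size */
    int len = snprintf(Received, sizeof Received,
        "Received: from %s (HELO %s) (%s) by %s with SMTP; %s\n",
        clientHost, clientHelo, clientIP, localHost, timebuf);
    if (len < 0 || (size_t)len >= sizeof Received)
        return -1;                            /* refuse a truncated header */
    /* Pattern flagged in the advisory: fprintf(fpout, Received);
     * there Received itself is parsed as the format string.
     * Equivalent safe form: fprintf(fpout, "%s", Received); */
    return fputs(Received, fpout) == EOF ? -1 : 0;
}

int main(void)
{
    const char *helo = "mx.example.test%x%x%s";   /* constructed sample HELO */
    printf("directives in HELO: %d\n", count_directives(helo));
    return write_received(stdout, "client.example.test", helo, "192.0.2.10",
                          "mail.example.test", "Sun, 31 Oct 2004 12:00:00 +0000");
}
```

A non-zero count_directives() result for a HELO argument is worth logging, since a hostname has no reason to contain conversion directives.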
-=[ Credits
This bug was found by Dark Eagle
mailto:darkeagle@list.ru
(c) Darkeagle
]=-