vpopmail format string.
-= Unl0ck Team Security Advisory =-
... the best way of protection is attack
http://unl0ck.net.ru || http://unl0ck.blackhatz.info
Advisory : #6 by unl0ck team
Product : vpopmail (latest version and older)
Vendor : http://sourceforge.net/projects/vpopmail
Date : 19.09.2004
Impact : format string vulnerability
Advisory URL : http://unl0ck.blackhatz.info/advisories/vpopmail2.txt or http://unl0ck.net.ru/advisories/vpopmail2.txt
-=[ Overview
Vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.
]=-
-=[ Vulnerability
In vactivedir.c I found a format string vulnerability. The vulnerable function uses fprintf() to copy data to the file.
See:
int vdel_ip_map( char *ip, char *domain)
{
    FILE *fs;
    FILE *fs1;
    ...
    while( fgets(tmpbuf, 156, fs) != NULL )
    {
        strncpy(tmpbuf1,tmpbuf, 156);
        ...
        fprintf(fs1, tmpbuf1); // <= format string bug!!!
        ...
    }
The data is copied to the file without any format string checking.
To avoid the bug, use this:
fprintf(fs1, "%s", tmpbuf1);
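The difference between the two calls, shown on a line-copy loop like the one above. This is an added example, not part of the original advisory and not vpopmail's code; the function names and the sample line are constructed. The sample uses only "%%", the one directive that consumes no argument, so the buggy call stays well-defined while still showing that file data is being interpreted as a format.

```c
#include <stdio.h>
#include <string.h>

#define LINE_LEN 156 /* same buffer size as in the excerpt above */

/* Silence the compiler diagnostics that would normally flag the buggy call. */
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"

/* Bug pattern: each line read from the file is used AS the format string. */
static void copy_lines_buggy(FILE *in, FILE *out)
{
    char buf[LINE_LEN];
    while (fgets(buf, sizeof buf, in) != NULL)
        fprintf(out, buf);
}

/* Fixed pattern: constant format, file data is only ever an argument. */
static void copy_lines_fixed(FILE *in, FILE *out)
{
    char buf[LINE_LEN];
    while (fgets(buf, sizeof buf, in) != NULL)
        fprintf(out, "%s", buf);
}

/* Write `line` to a temp file, copy it with the chosen routine and return
 * what ended up in the destination file (empty string on I/O failure). */
static const char *copied(const char *line, int use_fixed)
{
    static char result[LINE_LEN];
    FILE *in = tmpfile(), *out = tmpfile();
    result[0] = '\0';
    if (in != NULL && out != NULL) {
        fputs(line, in);
        rewind(in);
        (use_fixed ? copy_lines_fixed : copy_lines_buggy)(in, out);
        rewind(out);
        if (fgets(result, sizeof result, out) == NULL) result[0] = '\0';
    }
    if (in) fclose(in);
    if (out) fclose(out);
    return result;
}

int main(void)
{
    const char *line = "quota=100%%\n"; /* constructed sample line */
    printf("buggy: %s", copied(line, 0)); /* line is altered on copy */
    printf("fixed: %s", copied(line, 1)); /* line is copied byte for byte */
    return 0;
}
```

Building without the two pragmas and with -Wformat -Wformat-security makes the compiler report the buggy call, which is a cheap check to run over a code base for this pattern.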
Tom (author of vpopmail) said that he has patched this bug, and the fix will be in
the upcoming 5.4.7 release.
OK, waiting for the new version...
]=-
I don't want to publish an exploit, to avoid use by kids.
-=[ Credits
Found this bug - D4rk Eagle
mailto:darkeagle@list.ru
]=-