what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

SA-20071031-0.txt

SA-20071031-0.txt
Posted Oct 31, 2007
Authored by Bernhard Mueller | Site sec-consult.com

SEC Consult Security Advisory 20071031-0 - The Perdition Mail Retrieval Proxy versions 1.17 and below suffer from a format string vulnerability.

tags | advisory
SHA-256 | 4efe9018c77b580c8c0bdf7897b14f170b94aec142d3cc6dc57eb1e1f9e4d1f1

SA-20071031-0.txt

Change Mirror Download
SEC Consult Security Advisory < 20071031-0 >
====================================================================================
title: Perdition IMAP proxy str_vwrite format string
vulnerability
program: Perdition Mail Retrieval Proxy
vulnerable version: <=1.17
homepage: http://www.vergenet.net/
found: August 2007
by: Bernhard Mueller / SEC Consult
permanent link: http://www.sec-consult.com/300.html
====================================================================================

Vendor description:
---------------

Perdition is a fully featured POP3 and IMAP4 proxy server. It is able to
handle both SSL and non-SSL connections and redirect users to a
real-server based on a database lookup.


Vulnerability overview:
---------------

Perdition IMAPD is affected by a format string bug in one of its IMAP
output-string formatting functions. The bug allows the execution of
arbitrary code on the affected server. A successful exploit does not
require prior authentication.


Vulnerability details:
---------------

1.) In certain situations, the IMAP-Tag (first part of IMAP-command) is
copied into a character buffer without validation. This buffer is then
ultimately passed to vsnprintf() as a format string.

2.) Before the call to vsnprintf, a validation of the format string is
performed as a protection against format string injection.

>From str.c:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
168: static const char *__str_vwrite(io_t * io, const flag_t flag,
169: const size_t nargs, const char *fmt, va_list ap,
170: int *bytes)
171: {
(...)
186: fmt_args = 0;
187: for (place = 0; fmt[place] != '\0'; place++) {
188: if (fmt[place] == '%')
189: fmt[place + 1] == '%' ? place++ : fmt_args++;
190: }
191: if (fmt_args != nargs) {
(...)
195: VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
196: "%d args requested, %d args in format",
197: nargs, fmt_args);
198: return (NULL);
199: }
200:
201: *bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt,
ap);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


In line 187-191, the actual number of format identifiers is compared to
supposed number given in the parameter nargs. This check can however be
bypassed by injecting a null-byte in the end of the IMAP-tag. The
null-byte cuts of the rest of the string (with the original format
identifiers intended by the programmer). Therefore it is possible to
inject 'nargs' arbitrary format identifiers within the IMAP tag.
In practice, only a single format identifier can be controlled by the
attacker. This is not very nice to exploit, however arbitrary code
execution is still possible. For example, multiple successive
single-byte-writes on a global function pointer can be used to gain
control of the instruction pointer.
Due to the nature of the vulnerability, a good exploit can bypass most
OS security features (non-exec-stack, ASLR, etc.) as well as compiler
features (stack canaries,...).


Proof-of-Concept
----------------

SEC Consult has created a working proof-of-concept
(code-execution-)exploit, which will not be released to the public at
this time.
The following can be used to test for the vulnerability:

perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143


Vulnerable versions:
---------------

Perdition IMAPD <= 1.17

The vulnerability has been fixed in Perdition v1.17.1. The new tarball
and Debian packages can be found at:

http://www.vergenet.net/linux/perdition/download/1.17.1/
http://www.vergenet.net/linux/perdition/download/latest/


vendor status:
---------------
vendor notified: 2007-10-12
vendor response: 2007-10-12
patch available: 2007-10-31


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF Bernhard Mueller / research [AT] sec-consult [DOT] com


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close