Twenty Year Anniversary

Vpopmail / QmailAdmin Integer Overflows

Vpopmail / QmailAdmin Integer Overflows
Posted May 10, 2009
Authored by Jacobo Avariento Gimeno

Vpopmail and QmailAdmin are prone to several integer overflows related to quotas.

tags | advisory, overflow
MD5 | 9b43d83218176ddf5f3688d4bc8fcabe

Vpopmail / QmailAdmin Integer Overflows

Change Mirror Download

Author: Jacobo Avariento Gimeno (Sofistic S.L.)
Contact: [jacobo [at] sofistic.net]
Release Date: May 8, 2009
CVE/bugtraq id: Not assigned yet
Severity: Low/Medium


Vendor's Description of Software:
-------------------------------------------------------------------------------------
„Vpopmail is a free GPL package developed by Inter7 to provide an easy
way to manage virtual email domains and non /etc/passwd email accounts
for qmail or postfix mail servers.“ [1]

„qmailAdmin is a free software package that provides a web interface
for managing a qmail system with virtual domains.“ [2]



Description of Vulnerability:
-------------------------------------------------------------------------------------
Vpopmail and QmailAdmin are prone to several Integer Overflows due that
numeric types of more range are needed to store user's quota nowadays.
Using an integer is not enough because gets overflowed when the user
has more than 2 Gigabytes in his/her mailbox, furthermore a long
integer is neither the solution because a long integer has the same
range than an integer in 32-bits machines.



Vulnerable versions:
-------------------------------------------------------------------------------------
*ALL*



Analysis of the vulnerable code:
-------------------------------------------------------------------------------------
There are several functions/files to fix in vpopmail and qmailadmin:

* vpopmail-5.5.0: quota.c, function quota_percent
* vpopmail-5.5.0: vuserinfo.c, function display_user
* qmailadmin-1.2.12: function quota_to_megabytes
* qmailadmin-1.2.12: function maildirquota.c, wrapreaduserquota,
readdomainquota, readuserquota
* …

In general, any variable that holds user's quota.



Proof of Concept:
-------------------------------------------------------------------------------------
Just try to set more than 2GB quota to a user ("./vsetuserquota
user@domain $((3*1024*1024*1024))") and see with ("./vuserinfo
user@domain") that the user's quota usage is always 100%, or with
qmailadmin the quota never grows, gets stalled at 2048 MB.

Put more than 2 GB of data in a mailbox and see that the quota
overflows, i.e. -1114.49 / unlimited.



Solution:
-------------------------------------------------------------------------------------
There are no official patches yet, all the sysadmins that use
vpopmail/qmailadmin should be aware of this because vendor gave me no
date to release a new version or patch.

To fix that, no "int" neither "long" neither "off_t" should be used,
using a "long long int" the problem is just fixed until the near
future :) Also, casting is neither a solution when the variable was
already overflowed as in newest version (vpopmail 5.5.0: maildirquota.c
line 294).



Disclosure Timeline:
-------------------------------------------------------------------------------------
* 20/Apr/2009: Vendor is first time notified.
* 20/Apr/2009: Vendor responses that was already fixed in 5.5 branch.
* 23/Apr/2009: Vendor is notified again that the problem was not fixed.
* 23/Apr/2009: Vendor responses that there is no qmailadmin version
compatible with 5.5 branch yet.
* 29/Apr/2009: Vendor is asked when they are planning to release patch
or new version and no response was received.
* 8/May/2009: Public Disclosure of the vulnerability.



References:
-------------------------------------------------------------------------------------
[1] http://www.inter7.com/index.php?page=vpopmail
[2] http://www.inter7.com/index.php?page=qmailadmin



This advisory was also published at
http://www.sofistic.net/advisories/0901


--
Jacobo Avariento Gimeno
IT Security Department @ Sofistic
Your security, our concern!
http://sofistic.net


"En los momentos débiles, las acciones más fuertes"

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

Want To Donate?


Bitcoin: 18PFeCVLwpmaBuQqd5xAYZ8bZdvbyEWMmU

File Archive:

May 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    15 Files
  • 2
    May 2nd
    17 Files
  • 3
    May 3rd
    30 Files
  • 4
    May 4th
    29 Files
  • 5
    May 5th
    2 Files
  • 6
    May 6th
    3 Files
  • 7
    May 7th
    13 Files
  • 8
    May 8th
    27 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    15 Files
  • 11
    May 11th
    8 Files
  • 12
    May 12th
    2 Files
  • 13
    May 13th
    8 Files
  • 14
    May 14th
    7 Files
  • 15
    May 15th
    43 Files
  • 16
    May 16th
    19 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    15 Files
  • 19
    May 19th
    3 Files
  • 20
    May 20th
    6 Files
  • 21
    May 21st
    1 Files
  • 22
    May 22nd
    0 Files
  • 23
    May 23rd
    0 Files
  • 24
    May 24th
    0 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close