Re: Lame crash in qmail-smtpd and memory overwrite according to gdb, yet still qmail much better than windows

[Scott Gifford <sgifford () suspectclass com>]

Serafino Sorrenti <ml () ssorrenti com> writes:

> http://www.guninski.com/qmailcrash.html
>
>
> Georgi Guninski security advisory #65, 2004
>
> Lame crash in qmail-smtpd and memory overwrite according to gdb, yet
> still qmail much better than windows
>
> Systems affected:
> qmail 1.03 on linux, don't know about other OSes.
>
>
> Risk: Unknown. maybe so, maybe no.
> Date: 15 January 2004

We've had extensive discussion about this on the qmail list, and it
seems quite likely that this is not an exploitable bug.  The bug is a
signed integer wrapping from positive to negative and being used as an
array subscript.  Immediately after it wraps, qmail-smtpd references a
memory address which is way out-of-bounds and triggers SIGSEGV.  There
doesn't appear to be a way to cause a different subscript to be used
which would allow any real memory locations to be overwritten.

The apparent memory overwrite seems to be an artifact of a gdb bug,
and not a memory overwrite at all.  Only some people (not including
me) have been able to reproduce it, and nobody's been able to make
qmail actually execute anything fishy.  It sounds quite similar to the
gdb bug reported in Debian bug 154154:

    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=154154

There are a number of very simple unofficial patches available.  The
fix is included with a few others in a patch by James Craig Burley,
which I've personally tested.  It's available at:

    http://www.jcb-sc.com/qmail/patches/qmail-isoc.patch

More information and discussion are available in the recent qmail list
archives:

    http://www.ornl.gov/lists/mailing-lists/qmail/2004/01/maillist.html

------ScottG.