Vulnerability Development mailing list archives

procmail


From: Adam Zabrocki <pi3ki31ny () wp pl>
Date: 12 Oct 2003 07:20:55 -0000



Procmail vulnerability or not!?

I.  Entry.

    For me, all versions of procmail are vulnerable (I read the source of the
latest version of procmail). The type of problem is a format string bug in the
call to the syslog() function in the rnmbogus() function.

II. Vulnerability details.

    The vulnerable function is rnmbogus(). There is a simple format
string bug (in my opinion) where the function uses syslog():

"in file src/foldinfo.c"
int rnmbogus(name,stbuf,i,dolog)const char*const name;        /* move a file */
 const struct stat*const stbuf;const int i,dolog;          /* out of the way */
{
...
...
  if(rename(name,buf2))                    /* try and move it out of the way */
   { syslog(LOG_ALERT,renfbogus,name,buf2);              /* danger!  danger! */
     return 1;
   }
  syslog(LOG_CRIT,renbogus,name,buf2);
  return 0;
}

The argument name is used by syslog().
Now look at the functions trymkdir() and screenmailbox():

"in file src/foldinfo.c"
static mode_t trymkdir(dir,paranoid,i)const char*const dir;
 const int paranoid,i;
{
...
...
        else if(rnmbogus(dir,&stbuf,i,1))  /* try and move it out of the way */
...
...
}

"in file src/foldinfo.c"
int screenmailbox(chp,egid,Deliverymode)
 char*chp;const gid_t egid;const int Deliverymode;
{
...
...
  strcpy(buf,chp);
...
...
               { int i=lastdirsep(buf)-buf;
                 memcpy(buf2,buf,i);buf2[i]='\0';
                 if(rnmbogus(buf,&stbuf,i,1))
                    goto fishy;
                 goto nobox;
               }
...
...
}

In the function trymkdir() we have control over the argument dir, and in the function screenmailbox()
we have control over the argument buf. Now look at the function main() (for the screenmailbox() function)
and mkmaildir() (for the trymkdir() function):

"in file src/procmail.c"
int main(argc,argv)int argc;const char*const argv[];
{ register char*chp,*chp2;
...
...
                 case DELIVEROPT:
                    if(!*(chp= ++chp2)&&!(chp=(char*)argv[++argc]))
                     { nlog(misrecpt);
                       break;
                     }
                    else
                     { Deliverymode=1;
                       goto last_option;
                     }
...
...
        nlog(misrecpt),Deliverymode=0;
...
...
     if(mailfilter||!screenmailbox(chp,egid,Deliverymode))
...
...
}

"in file src/foldinfo.c"
static int mkmaildir(buffer,chp,paranoid)char*const buffer,*const chp;
 const int paranoid;
{ mode_t mode;int i;
  if(paranoid)
     memcpy(buf2,buffer,i=chp-buffer+1),buf2[i-1]= *MCDIRSEP_,buf2[i]='\0';
  return
   (strcpy(chp,maildirnew),mode=trymkdir(buffer,paranoid,i),S_ISDIR(mode))&&
   (strcpy(chp,maildircur),mode=trymkdir(buffer,paranoid,i),S_ISDIR(mode))&&
   (strcpy(chp,maildirtmp),mode=trymkdir(buffer,paranoid,i),S_ISDIR(mode));
}                                             /* leave tmp in buf on success */

In the function main() we have control over chp. In the function mkmaildir() we have
control over buffer. Now look at the function foldertype():

"in file src/foldinfo.c"
int foldertype(type,forcedir,modep,paranoid)int type,forcedir;
 mode_t*const modep;struct stat*const paranoid;
{
...
...
  if(!S_ISDIR(mode)||(type==ft_MAILDIR&&
   (forcedir=1,!mkmaildir(buf,chp,paranoid!=0))))
...
...
}

And we probably don't have control over buf ;( but in theory we have all the control
needed to trigger the format string bug using the rnmbogus() function. Maybe it is a bug?

III. Exploit.

    Nah :-) Read the second section :P


Btw. Procmail has a really FUCKED UP source ;(

--
pi3 (pi3ki31ny) - pi3ki31ny () wp pl
http://www.pi3.int.pl

"Life is more fucked up than it seems"
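Added example (not code from the post or from procmail): the call shape the post quotes, syslog(LOG_ALERT,renfbogus,name,buf2), rendered into a caller buffer instead of the syslog socket so the result can be inspected offline. The renfbogus text is a constructed stand-in, since the real string is not in the post; the sample name carrying printf directives is constructed too. The point it shows is that with a constant format, directives inside name arrive as data in the %s slot and are copied verbatim, so they are never interpreted.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for procmail's renfbogus message (real text not on the page). */
static const char renfbogus[] = "Renaming bogus \"%s\" into \"%s\"";

/* Same argument layout as the quoted syslog() call: constant format first,
 * then name and buf2 as data. Writes into out instead of the log. */
static int log_rename_bogus(const char *name, const char *buf2,
                            char *out, size_t outsz)
{
    return snprintf(out, outsz, renfbogus, name, buf2);
}

/* Convenience wrapper returning the rendered line from a static buffer. */
static const char *render_rename_bogus(const char *name, const char *buf2)
{
    static char line[256];
    if (log_rename_bogus(name, buf2, line, sizeof line) < 0)
        line[0] = '\0';
    return line;
}

/* Returns 1 when both data arguments appear verbatim in the rendered line,
 * i.e. any '%' sequences inside name were treated as text, not directives. */
static int directives_passed_through(const char *name, const char *buf2)
{
    const char *line = render_rename_bogus(name, buf2);
    return strstr(line, name) != NULL && strstr(line, buf2) != NULL;
}

int main(void)
{
    /* Constructed path containing printf directives, as a hostile name might. */
    const char *name = "/var/mail/%x%s.bogus";
    puts(render_rename_bogus(name, "/var/mail/user"));
    /* prints: Renaming bogus "/var/mail/%x%s.bogus" into "/var/mail/user" */
    return 0;
}
```

The form worth flagging in review is the one where the untrusted string itself occupies the format slot, such as syslog(LOG_ALERT,name); GCC's -Wformat-security warns on a non-literal format with no following arguments.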
