Re: XMail CTRLServer remote buffer overflow vulnerability

[davidel () XMAIL VIRUSSCREEN COM]

> SUMMARY
>
> I discovered all versions of
XMail<http://www.mycio.com/davidel/xmail> have
> buffer overflow vulnerabilities in
CTRLServer.These holes is NOT same as
> APOP,USER command buffer overflow vulnerability
discovered beforetime.And
> this problem allows a remote attacker to execute
arbitrary code by issuing a
> long
cfgfileget(cfgfileset,domainadd,domaindel)command.
> DETAILS
>
> Vulnerable systems:
> XMail version 0.66 and prior version
>
> Immune systems:
> None
>
> CTRLServer is a tool of XMail for administering
purpose.It listen on port 6017(tunable).
> there are some bad programming lead to
vulnerabilities.
> In CTRLSvr.cpp
> line 1888: CTRLDo_domainadd() function
> StrLower(strcpy(szDomain, ppszTokens[1]));
>
> szDomain is a 256 bytes local
buffer,ppszTokens[1] is parsed from user input
> command,XMail copies them without bounds
checking.It is possible to cause
> cover EIP,because XMail is run as root,an
attacker can execute arbitrary code
> with root privilege.
>
> There are same vulnerabilities in CTRLSvr.cpp
> line 1921: CTRLDo_domaindel() function
> StrLower(strcpy(szDomain, ppszTokens[1]));
>
> line 2448: CTRLDo_cfgfileget() function
> strcpy(szRelativePath, ppszTokens[1]);
>
> line 2523: CTRLDo_cfgfileset() function
> strcpy(szRelativePath, ppszTokens[1]);
>
> Before exploit the vulnerabilities,it is need to
login with CTRLServer
> username&password.I think it is easy to get that
by brute forcing.
> I wrote a program to test the vulnerabilities,on
my Redhat 6.0 i386+XMail 0.65
> (0.66 has same bugs):
>
> [root@isno /root]# gcc -o xmailx xmailx.c
> [root@isno /root]# ./xmailx isno mypasswd
127.0.0.1
> Use retAddress: 0xbc7fe974
>
> +00000 <981016616.25626@127.0.0.1> XMail 0.65
(Linux/Ix86) CTRL Server; Thu, 01 Feb 2001
16:36:56 +0800
> Starting to login...
> Success!now telnet 127.0.0.1 36864
> [root@isno /root]# telnet 127.0.0.1 36864
> Trying 127.0.0.1...
> Connected to 127.0.0.1.
> Escape character is '^]'.
> id;
> uid=0(root) gid=0(root)
groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)
> : command not found
>
> Because the buffer is too small to set many of
NOP before shellcode,it is deficult
> to guess ret.And it cannot brute force
offset,because once sending overflow code to
> the CTRLServer, XMail will be crashed.
>
> PATCH:
> http://www.mycio.com/davidel/xmail should
release the patch.
> Excuse my poor english...


It'll be fixed in 0.68.


- Davide