Vulnerability Development mailing list archives

qmailadmin SUID buffer overflow


From: Thomas Cannon <tcannon () noops org>
Date: Mon, 5 Aug 2002 17:11:26 -0700 (PDT)


qmailadmin is not part of qmail. It's from http://inter7.com/qmailadmin/
and I guess you can download from there and play with it, although the
versions I am using were built from the FreeBSD ports tree and also from a
Linux RPM I grabbed from:

http://rpmfind.udoj.org/udoj/RPMS/qmailadmin-1.0-1.i386.html

For all I know this might be a fixed bug in the source from inter7. No
idea. I clicked on 'security' on their web site and saw this:

"Inter7 specializes in security through obscurity and misdirection, as
well as baiting.  These techniques, when combined with experience, are
powerful tools in protecting your network against attacks."

However, I saw nothing about "Security problem in Qmailadmin -- please
upgrade immediately," for what that's worth.

The skinny is that it installs a suid CGI program (as root from the RPM,
and setuid as a lesser privileged user on *BSD) that has some problems if
it's run locally. The code problem is that it trusts an environment
variable without sanitizing or truncating it. I assume the author assumed
that nobody local would be running this binary, as it's meant to be run as
a CGI.

    tmpstr = getenv(QMAILADMIN_TEMPLATEDIR);

So, QMAILADMIN_TEMPLATEDIR is the one.

[tcannon@frobozz cgi-bin]$ ls -l qmailadmin
-rwsr-sr-x    1 root     root       198597 Nov 26  2001 qmailadmin
[tcannon@frobozz cgi-bin]$ uname -a
Linux frobozz.grassroots.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
[tcannon@frobozz cgi-bin]$ export QMAILADMIN_TEMPLATEDIR=`perl -e 'print "A" x 21000'`
[tcannon@frobozz cgi-bin]$ gdb qmailadmin
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r
Starting program: /var/www/cgi-bin/qmailadmin
Content-Type: text/html


Program received signal SIGSEGV, Segmentation fault.
0x42072a5d in rewind () from /lib/i686/libc.so.6
(gdb) i all
eax            0x41414141       1094795585   <---- HERE
ecx            0x41413fa9       1094795177
edx            0x0      0
ebx            0x4213030c       1108542220
esp            0xbfffa7f0       0xbfffa7f0
ebp            0xbfffa818       0xbfffa818
esi            0x41414141       1094795588   <---- HERE
edi            0x0      0
eip            0x42072a5d       0x42072a5d
eflags         0x210246 2163270

<snip>

So, I'm overwriting parts of memory and going places I shouldn't. But I'm
not sure how to exploit this, or even if it's really even exploitable. I'm
not getting to the EIP or EBP, and I'm not sure how to control the stack
in a way where I could execute arbitrary code. Someone else here might see
this and go, "Well, obviously... you just move this here, stuff that here,
put a return address at this spot and when it pops this frame it jumps to
there and returns this, which, obviously, runs our shellcode." Or, maybe
not. I know *I* don't know how to exploit this... but if it is exploitable,
I'd certainly like to learn the technique -- which is why this is in front
of you today.

Thanks,

-thomas

"No brain, no headache"
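Editor's added example, not code from the post or from qmailadmin: the bug class the message describes (a set-id binary copying getenv() output into a fixed buffer) shown next to a hardened replacement. The unsafe function is illustrative and assumed, since the post quotes only the getenv() call, not the copy; the buffer size, the compiled-in default directory and the path policy (absolute, no ".." component, ignore the variable entirely when the process is set-id) are assumptions for this example.

```c
/* Added illustration, not qmailadmin's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TEMPLATE_DIR_MAX 256                               /* assumed buffer size */
#define DEFAULT_TEMPLATE_DIR "/usr/local/share/qmailadmin"  /* placeholder default */

/* Unsafe pattern (assumed, for illustration): an unbounded copy of the
 * environment value into a caller's fixed buffer. A 21000-byte value runs
 * past the end of the buffer, which is the kind of crash the post shows.
 * Shown only for comparison; it is never called in this example. */
void unsafe_template_dir(char out[TEMPLATE_DIR_MAX])
{
    const char *tmpstr = getenv("QMAILADMIN_TEMPLATEDIR");
    if (tmpstr != NULL)
        strcpy(out, tmpstr);        /* no length check at all */
}

/* Returns 1 if any '/'-separated component of path is exactly "..". */
static int has_dotdot_component(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *seg = p;
        while (*p && *p != '/')
            p++;
        if ((p - seg) == 2 && seg[0] == '.' && seg[1] == '.')
            return 1;
        if (*p == '/')
            p++;
    }
    return 0;
}

/* Hardened: fills out[] with the directory to use and returns 0, or returns
 * -1 and leaves out[] untouched when the value is rejected.
 * Policy (assumed for this example):
 *   - if the process is set-id, the environment is untrusted, so the
 *     variable is ignored and the compiled-in default is used instead;
 *   - otherwise the value must be non-empty, absolute, free of ".."
 *     components, and fit the buffer including the terminating NUL. */
int select_template_dir(const char *env_value, int is_setid,
                        char *out, size_t outlen)
{
    const char *chosen = DEFAULT_TEMPLATE_DIR;

    if (!is_setid && env_value != NULL) {
        size_t n = strlen(env_value);
        if (n == 0 || n >= outlen)      /* empty, or would not fit with NUL */
            return -1;
        if (env_value[0] != '/')        /* must be an absolute path */
            return -1;
        if (has_dotdot_component(env_value))
            return -1;
        chosen = env_value;
    }
    if (strlen(chosen) >= outlen)       /* defensive: default must fit too */
        return -1;
    memcpy(out, chosen, strlen(chosen) + 1);   /* bounded copy, NUL included */
    return 0;
}

/* Convenience wrapper that reads the real process state and environment. */
int template_dir_from_environment(char *out, size_t outlen)
{
    int setid = (getuid() != geteuid()) || (getgid() != getegid());
    return select_template_dir(getenv("QMAILADMIN_TEMPLATEDIR"), setid,
                               out, outlen);
}

int main(void)
{
    char buf[TEMPLATE_DIR_MAX];
    /* Constructed input mirroring the post's test: 21000 'A' bytes. */
    char *big = malloc(21001);
    memset(big, 'A', 21000);
    big[21000] = '\0';

    printf("21000 x 'A', not set-id : %d (rejected)\n",
           select_template_dir(big, 0, buf, sizeof buf));
    printf("/etc/../tmp, not set-id : %d (rejected)\n",
           select_template_dir("/etc/../tmp", 0, buf, sizeof buf));
    if (select_template_dir("/var/www/templates", 1, buf, sizeof buf) == 0)
        printf("set-id process          : %s (env ignored)\n", buf);
    if (template_dir_from_environment(buf, sizeof buf) == 0)
        printf("this process            : %s\n", buf);
    free(big);
    return 0;
}
```

The two checks do different jobs: the length test is what stops the overflow, while ignoring the variable under a real/effective uid mismatch is what removes the local trust problem the post points at, since a set-id CGI should not take configuration from whoever execs it.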

