4720903 2000-01-24  13:25  /88 lines/ Postmaster
Recipient: Bugtraq (import) <9469>
Subject: remote root qmail-pop with vpopmail advisory and exploit with patch
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: bugtraq@securityfocus.com
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <388A45A2.B3798973@ktwo.ca>
Date:         Sat, 22 Jan 2000 16:04:51 -0800
Reply-To: "what's your style?" <ktwo@KTWO.CA>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: "what's your style?" <ktwo@KTWO.CA>
Organization: WSD
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

w00w00 Security Advisory - http://www.w00w00.org/
Title:          qmail-pop3d with vpopmail/vchkpw
Platforms:      Any
Discovered:     7th January, 2000
Local:          Yes.
Remote:         Yes.
Author:         K2 <ktwo@ktwo.ca>
Vendor Status:  Notified.
Last Updated:   N/A

1. Overview

qmail-pop3d may pass an overly long command argument to its password
authentication service.  When vpopmail is used to authenticate user
information, a remote attacker may compromise the privilege level that
vpopmail is running at, naturally root.

2. Background

It is qmail's nonconformance to the POP3 specification that allows
this bug to manifest itself. qmail-pop3d trusts that its checkpassword
mechanism will support the same undocumented "features" as it does; it
is this extra functionality that breaks vpopmail and RFC1939.

From RFC1939 [Post Office Protocol - Version 3]
--------------------------------------------------------
  Commands in the POP3 consist of a case-insensitive keyword, possibly
  followed by one or more arguments.  All commands are terminated by a
  CRLF pair.  Keywords and arguments consist of printable ASCII
  characters.  Keywords and arguments are each separated by a single
  SPACE character.  Keywords are three or four characters long. Each
  argument may be up to 40 characters long.
--------------------------------------------------------

From BLURB3 (qmail-1.03)
--------------------------------------------------------
POP3 service (qmail-popup, qmail-pop3d):
*  RFC 1939
*  UIDL support
*  TOP support
*  APOP hook
*  modular password checking (checkpassword, available separately)
--------------------------------------------------------

3. Issue

qmail-pop3d claims compliance with RFC1939; however, this is not the case.
qmail breaks that compliance by allowing overly long argument lengths
to be processed.  qmail then passes control to a process without
documenting this added bug/feature.

4. Impact

A remote attacker may attain the privilege level of the authentication
module.
Sample exploit code can be found at http://www.ktwo.ca/security.html

5. Recommendation

Impose the 40 character limitation specified by RFC1939 into qmail.
Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch

6. References

RFC1939
qmail-1.03/BLURB3

--------------------------------------------------------
K2
www.ktwo.ca / ktwo@ktwo.ca
(4720903) ------------------------------------------(rewrapped)

4724080 2000-01-25  03:35  /34 lines/ Postmaster
Recipient: Bugtraq (import) <9484>
Subject: Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <388C77F7.A1092B41@inter7.com>
Date:         Mon, 24 Jan 2000 10:04:07 -0600
Reply-To: iv0 <kbo@INTER7.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: iv0 <kbo@INTER7.COM>
Organization: Inter7
X-To:         Robert Varga <robi@piros.zold.net>
X-cc:         Adam McKenna <adam-qmail@flounder.net> 
             qmail@list.cr.yp.to, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

Robert Varga wrote:
>
> On Sun, 23 Jan 2000, iv0 wrote:
>
> >
> > I recommend upgrading to the latest version of vpopmail which fixes
> > the exploit. Pick up the current stable version:
>
> So it is fixed from version 3.4.11?
>
> Robert Varga

Yes, version 3.4.11j as of Jan 20th has the fix.

Ken Jones
(4724080) ------------------------------------------

4724113 2000-01-25  05:26  /55 lines/ Postmaster
Recipient: Bugtraq (import) <9492>
Subject: Re: remote root qmail-pop with vpopmail advisory and exploit with patch (fwd)
------------------------------------------------------------
Approved-By: aleph1@SECURITYFOCUS.COM
Delivered-To: bugtraq@lists.securityfocus.com
Delivered-To: BUGTRAQ@SECURITYFOCUS.COM
X-Accept-Language: en
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID:  <388BD67D.43E0FD4D@inter7.com>
Date:         Sun, 23 Jan 2000 22:35:09 -0600
Reply-To: iv0 <kbo@INTER7.COM>
Sender: Bugtraq List <BUGTRAQ@SECURITYFOCUS.COM>
From: iv0 <kbo@INTER7.COM>
Organization: Inter7
X-To:         Adam McKenna <adam-qmail@flounder.net>
X-cc:         qmail@list.cr.yp.to, BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

I recommend upgrading to the latest version of vpopmail which fixes
the exploit. Pick up the current stable version:

http://www.inter7.com/vpopmail/

vchkpw - which authenticates a user with information from qmail-popup -
was storing the information in a statically defined buffer. There
was no buffer overrun checking done. The current stable version now
checks for buffer overruns in several places. A security
audit of the code is being done, which it sorely needs.

Ken Jones
http://www.inter7.com/

Adam McKenna wrote:
>
> In that case, what would you recommend?
>
> --Adam
>
> On Sun, Jan 23, 2000 at 10:53:31PM -0500, Russell Nelson wrote:
> >  > 5. Recommendation
> >  >
> >  > Impose the 40 character limitation specified by RFC1939 into qmail.
> >  > Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
> >
> > I don't recommend applying that patch.  Every line of it is wrong.  It
> > makes qmail-popup less secure, by inserting a call to syslog(), which
> > is a security disaster. It also sucks in the string library, which
> > includes the well-known security hole sprintf().
> >
> > --
> > -russ nelson <sig@russnelson.com>  http://russnelson.com
> > Crynwr sells support for free software  | PGPok | "Ask not what your country
> > 521 Pleasant Valley Rd. | +1 315 268 1925 voice | can force other people to
> > Potsdam, NY 13676-3213  | +1 315 268 9201 FAX   | do for you..."  -Perry M.
> >
(4724113) ------------------------------------------
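The two sides of the fix argued over in this thread, as an added example that is not code from qmail, vpopmail, or the patch K2 posted. Part 1 is the check the advisory's section 5 asks for in the POP3 front end: enforce the RFC 1939 command grammar, in particular the 40-character argument limit, before a USER or PASS argument is handed to checkpassword. Part 2 models what Ken Jones describes in vchkpw: a statically sized buffer filled without a bounds check, shown beside a bounded copy. The 40-character limit is RFC 1939's; the buffer size, the canary, the function names and the sample inputs are this example's own assumptions.

```c
/* Added example, not code from qmail, vpopmail or the posted patch.
 * Part 1: RFC 1939 grammar check a POP3 front end (qmail-popup) would run
 *         on every command line before passing arguments to checkpassword.
 * Part 2: a checkpassword-style static username buffer, copied without and
 *         with a bounds check, with a canary placed after it so the overrun
 *         is visible.  Sizes, canary and names are this example's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define POP3_MAX_KEYWORD 4   /* RFC 1939: keywords are three or four characters long */
#define POP3_MAX_ARG     40  /* RFC 1939: each argument may be up to 40 characters long */

enum pop3_result {
    POP3_OK = 0,
    POP3_BAD_KEYWORD,   /* keyword not 3 or 4 characters */
    POP3_EMPTY_ARG,     /* two SPACEs in a row, or a trailing SPACE */
    POP3_ARG_TOO_LONG,  /* an argument longer than 40 characters */
    POP3_BAD_CHAR       /* a non-printable byte in keyword or argument */
};

/* Part 1: validate one POP3 command line (CRLF already stripped).  Returns
 * POP3_OK or the first violation found; a front end would answer "-ERR" and
 * drop the line instead of passing its arguments on. */
enum pop3_result pop3_check_line(const char *line)
{
    const char *p = line;
    size_t n = 0;

    while (*p && *p != ' ') {                       /* keyword */
        if (!isprint((unsigned char)*p)) return POP3_BAD_CHAR;
        p++; n++;
    }
    if (n < 3 || n > POP3_MAX_KEYWORD) return POP3_BAD_KEYWORD;

    while (*p == ' ') {                             /* arguments */
        p++;
        n = 0;
        while (*p && *p != ' ') {
            if (!isprint((unsigned char)*p)) return POP3_BAD_CHAR;
            p++; n++;
        }
        if (n == 0) return POP3_EMPTY_ARG;
        if (n > POP3_MAX_ARG) return POP3_ARG_TOO_LONG;
    }
    return POP3_OK;
}

/* Constructed input: "USER " followed by n letters (n capped at 200). */
enum pop3_result check_user_of_length(size_t n)
{
    char line[256];
    if (n > 200) n = 200;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', n);
    line[5 + n] = '\0';
    return pop3_check_line(line);
}

/* Part 2: model of the authenticator's static username buffer.  The canary
 * sits directly after the 40 bytes; the arena is sized so the demonstration
 * itself never writes outside it. */
#define USER_BUF 40
static const char CANARY[] = "CANARY";
static char auth_arena[USER_BUF + sizeof CANARY + 1];
#define AUTH_USER   (auth_arena)
#define AUTH_CANARY (auth_arena + USER_BUF)

/* 1 if the canary is untouched, 0 if the last copy overwrote it. */
int canary_intact(void)
{
    return memcmp(AUTH_CANARY, CANARY, sizeof CANARY) == 0;
}

/* Unchecked copy: trusts the front end to have enforced the 40-character
 * limit.  A longer username runs past AUTH_USER into whatever follows. */
void copy_user_unchecked(const char *user)
{
    memcpy(AUTH_CANARY, CANARY, sizeof CANARY);
    strcpy(AUTH_USER, user);
}

/* Bounded copy: returns 1 and copies when the name fits, 0 (nothing copied)
 * when it would not.  The canary can never be reached. */
int copy_user_checked(const char *user)
{
    size_t len = strlen(user);
    memcpy(AUTH_CANARY, CANARY, sizeof CANARY);
    if (len >= USER_BUF) return 0;
    memcpy(AUTH_USER, user, len + 1);
    return 1;
}

/* Constructed username of n letters, capped so the unchecked copy stays
 * inside auth_arena: the point is the clobbered canary, not a crash. */
const char *user_of_length(size_t n)
{
    static char name[USER_BUF + sizeof CANARY];
    if (n > USER_BUF + sizeof CANARY - 1) n = USER_BUF + sizeof CANARY - 1;
    memset(name, 'A', n);
    name[n] = '\0';
    return name;
}

int main(void)
{
    printf("USER alice        -> %d\n", pop3_check_line("USER alice"));
    printf("USER + 41 letters -> %d\n", check_user_of_length(41));
    copy_user_unchecked(user_of_length(46));
    printf("unchecked copy, 46 letters: canary %s\n", canary_intact() ? "intact" : "overwritten");
    printf("checked copy, 46 letters:   %s\n", copy_user_checked(user_of_length(46)) ? "accepted" : "rejected");
    return 0;
}
```

Both checks are needed: the front end's grammar check keeps non-conforming lines off the wire-to-checkpassword path, and the bounded copy keeps the authenticator safe from any front end that does not enforce the limit. The validation functions pull in only string.h and ctype.h; the printf calls are confined to the demo's main.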