remote root qmail-pop with vpopmail advisory and exploit with

From: what's your style? (ktwoat_private)
Date: Sat Jan 22 2000 - 16:04:51 PST


    w00w00 Security Advisory - http://www.w00w00.org/
    Title:          qmail-pop3d with vpopmail/vchkpw
    Platforms:      Any
    Discovered:     7th January, 2000
    Local:          Yes.
    Remote:         Yes.
    Author:         K2 <ktwoat_private>
    Vendor Status:  Notified.
    Last Updated:   N/A
    
    1. Overview
    
    qmail-pop3d may pass an overly long command argument to its password
    authentication service.  When vpopmail is used to authenticate user
    information, a remote attacker may compromise the privilege level at
    which vpopmail is running, naturally root.
    
    2. Background
    
    It is qmail's nonconformance to the POP3 specification that allows
    this bug to manifest itself. qmail-pop3d trusts that its checkpassword
    mechanism will support the same undocumented "features" as it does; it
    is this extra functionality that breaks vpopmail and RFC1939.
    
    From RFC1939 [Post Office Protocol - Version 3]
    --------------------------------------------------------
      Commands in the POP3 consist of a case-insensitive keyword, possibly
      followed by one or more arguments.  All commands are terminated by a
      CRLF pair.  Keywords and arguments consist of printable ASCII
      characters.  Keywords and arguments are each separated by a single
      SPACE character.  Keywords are three or four characters long. Each
      argument may be up to 40 characters long.
    --------------------------------------------------------
    
    From BLURB3 (qmail-1.03)
    --------------------------------------------------------
    POP3 service (qmail-popup, qmail-pop3d):
    *  RFC 1939
    *  UIDL support
    *  TOP support
    *  APOP hook
    *  modular password checking (checkpassword, available separately)
    --------------------------------------------------------
    
    3. Issue
    
    qmail-pop3d claims compliance with RFC1939; however, this is not the
    case. qmail breaks that compliance by allowing overly long argument
    lengths to be processed.  qmail then passes control to a process
    without documenting this added bug/feature.
    
    4. Impact
    
    A remote attacker may attain the privilege level of the authentication
    module.
    Sample exploit code can be found at http://www.ktwo.ca/security.html
    
    5. Recommendation
    
    Impose the 40 character limitation specified by RFC1939 into qmail.
    Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
    
    6. References
    
    RFC1939
    qmail-1.03/BLURB3
    
    --------------------------------------------------------
    K2
    www.ktwo.ca / ktwoat_private
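
The limits quoted from RFC1939 in section 2, enforced before anything is handed to the password checker, as recommended in section 5. This is an added example, not the qmail-popup patch referenced above and not qmail code; the names pop3_parse, take_token and struct pop3_cmd, and the cap of two arguments per command, are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define KW_MIN        3   /* RFC 1939: keywords are three or four characters */
#define KW_MAX        4
#define POP3_ARG_MAX 40   /* RFC 1939: each argument up to 40 characters */
#define MAX_ARGS      2   /* assumption: no command here takes more than two */

struct pop3_cmd {
    char keyword[KW_MAX + 1];
    char args[MAX_ARGS][POP3_ARG_MAX + 1];
    int  nargs;
};

/* Copy one token (printable ASCII, no SPACE) of at most max bytes into dst,
 * which holds max + 1 bytes. Returns its length, or 0 if empty or invalid. */
static size_t take_token(const char **p, char *dst, size_t max)
{
    size_t n = 0;
    const unsigned char *s = (const unsigned char *)*p;
    while (s[n] != '\0' && s[n] != ' ') {
        if (s[n] <= 0x20 || s[n] >= 0x7f || n == max)
            return 0;               /* rejected before any write past max */
        dst[n] = (char)s[n];
        n++;
    }
    dst[n] = '\0';
    *p += n;
    return n;
}

/* Parse one command line (CRLF already stripped). Returns 1 and fills *out
 * only if every token is within the RFC 1939 limits; otherwise returns 0. */
int pop3_parse(const char *line, struct pop3_cmd *out)
{
    memset(out, 0, sizeof *out);
    if (take_token(&line, out->keyword, KW_MAX) < KW_MIN)
        return 0;
    while (*line == ' ') {
        line++;                     /* exactly one SPACE between tokens */
        if (out->nargs == MAX_ARGS ||
            take_token(&line, out->args[out->nargs], POP3_ARG_MAX) == 0)
            return 0;
        out->nargs++;
    }
    return 1;
}

int main(void)
{
    struct pop3_cmd c;              /* constructed sample input */
    printf("%d\n", pop3_parse("USER alice@example.org", &c));
    return 0;
}
```

A line that fails the check should be answered with -ERR and never forwarded to the checkpassword program, so the authentication module only ever sees arguments of bounded length.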
    


