IIL Advisory: Format String bug in Null Webmail (0.6.3)

From: DownBload (downbloadat_private)
Date: Wed Sep 25 2002 - 02:04:32 PDT


    
                     [ Illegal Instruction Labs Advisory ]
    [-------------------------------------------------------------------------]
    Advisory name: Format String bug in Null Webmail (0.6.3)
    Advisory number: 7
    Application: Null Webmail 0.6.3
    Author: Dan Cahill
    E-mail: cahillat_private
    Homepage: http://www.nulllogic.com/webmail/
    Date: 1.07.2002
    Impact: I don't know (yet)
    Tested on: nowhere
    Discovered by: DownBload
    Mail me @: downbloadat_private
    
    
    
    
    ======[ Overview
    
    Null Webmail is a CGI interface to SMTP and POP3 servers (you can read and
    send mail with your browser). It is written in C. You can find Null
    Webmail on SourceForge.
    
    
    
    
    ======[ Problem
    
    Null Webmail passes a caller-supplied format string straight to vsnprintf()
    in two places, logdata() and wmprintf(). logdata() is commented out inside
    /* */, so only wmprintf() is interesting to us.
    
    Here is the relevant code:
    
    ---[ wmserver.c
    ...
    /*
    void logdata(const char *format, ...)  // <--- NOT INTERESTING
    {
    	char logbuffer[1024];
    	char file[200];
    	va_list ap;
    	FILE *fp;
    
    #ifdef WIN32
    	snprintf(file, sizeof(file)-1, "C:\\webmail.log");
    #else
    	snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
    #endif
    	fp=fopen(file, "a");
    	if (fp!=NULL) {
    		va_start(ap, format);
    		vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
    		va_end(ap);
    		fprintf(fp, "%s", logbuffer);
    		fclose(fp);
    	}
    }
    */
    
    
    int wmprintf(const char *format, ...)    /* <--- INTERESTING FUNCTION */
    {
    	char buffer[1024];
    	va_list ap;
    
    	va_start(ap, format);
    	vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING 
    	va_end(ap);			
    	send(wmsocket, buffer, strlen(buffer), 0);
    //	logdata (">> %s", buffer);
    	return 0;
    }
    ...
    
    ---[ wmprintf() call sites
    
    ...
    wmprintf("USER %s\r\n", wmusername);
    ...
    wmprintf("PASS %s\r\n", wmpassword);
    ...
    wmprintf("MAIL From: %s\r\n", ptemp);  
    ...
    wmprintf("RCPT To: <%s>\r\n", msgaddr);
    ...
    wmprintf("From: %s\r\n", wmaddress);
    wmprintf("To: %s\r\n", msgto);
    ...
    wmprintf("Subject: %s\r\n", msgsubject);
    ...
    etc.
    
    Here we have a few wmprintf() calls, and I think we can put our
    'NASTY %sTRING' into all of those variables :).
    
    One caveat before trying it: in every call listed above the format string
    is a literal ("USER %s\r\n", "RCPT To: <%s>\r\n", ...) and the variable is
    passed as the %s argument, so the format parser never sees its contents;
    the payload is just copied into the buffer and sent to the SMTP server.
    wmprintf() only becomes a format string bug where a non-literal first
    argument reaches it, e.g. wmprintf(buffer) with attacker data in buffer,
    so that is the pattern to grep for in the rest of the source.
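    The distinction above, as an added example that is not Null Webmail's code:
    a wmprintf()-style wrapper (wm_format(), writing to a buffer instead of the
    socket so it runs offline), a helper that builds the RCPT line exactly like
    the advisory's call sites, and an audit helper that counts conversion
    directives in a value that is about to be used as a format. The payload
    string, the function names and the GCC/Clang format attribute are
    assumptions made for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Null Webmail's code. On GCC/Clang the format attribute
 * makes the compiler warn (-Wformat-security / -Wformat-nonliteral) whenever
 * a non-literal format reaches wm_format(), which is the cheap way to find
 * the dangerous call sites in a code base like this one. */
#if defined(__GNUC__)
#define PRINTF_LIKE(f, a) __attribute__((format(printf, f, a)))
#else
#define PRINTF_LIKE(f, a)
#endif

/* wmprintf() look-alike: caller-supplied format, vsnprintf into a buffer.
 * Writes to 'out' instead of a socket so the example runs offline. */
PRINTF_LIKE(3, 4)
int wm_format(char *out, size_t outsz, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    int n = vsnprintf(out, outsz, format, ap);
    va_end(ap);
    return n;
}

/* Count printf conversion directives in a string; "%%" is a literal percent
 * and is not counted. A value with a non-zero count must never be passed as
 * the format argument. */
int count_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent, skip both characters */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* Build the RCPT line the way the advisory's call sites do: literal format,
 * attacker data only as the %s argument. Returns 1 if the payload arrived in
 * the output verbatim, i.e. its directives were copied, not interpreted. */
int payload_passed_verbatim(const char *payload)
{
    char line[1024];
    wm_format(line, sizeof line, "RCPT To: <%s>\r\n", payload);
    return strstr(line, payload) != NULL;
}

/* Audit helper: may this value be used as a format string at all? */
int safe_as_format(const char *value)
{
    return count_directives(value) == 0;
}

int main(void)
{
    const char *payload = "NASTY %s%x%n TRING";   /* constructed test input */

    printf("payload copied verbatim via %%s argument: %d\n",
           payload_passed_verbatim(payload));
    printf("directives in payload: %d\n", count_directives(payload));
    printf("payload safe as a format string: %d\n", safe_as_format(payload));
    return 0;
}
```

    The verbatim check stops holding once the payload is longer than the
    1024-byte buffer, where vsnprintf() truncates it; that is a separate
    length issue, not a format string one. The case this example does not
    run, a call such as wm_format(out, sizeof out, payload), is exactly what
    the compiler attribute flags.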
    
    
    
    
    ======[ Example
    
    I can't test this bug!
    If I'm wrong about this format string bug in Null Webmail, I'm very sorry.
    
    
    
    
    ======[ Greetz 
    
    Greetz goes to #hr.hackers & #linux <irc.carnet.hr>. 
    Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
    phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero & 
    Paradox).
    



    This archive was generated by hypermail 2b30 : Wed Sep 25 2002 - 09:19:39 PDT