qmailadmin is not part of qmail. It's from http://inter7.com/qmailadmin/ and I guess you can download from there and play with it, although the versions I am using were built from the FreeBSD ports tree and also from a Linux RPM I grabbed from:

http://rpmfind.udoj.org/udoj/RPMS/qmailadmin-1.0-1.i386.html

For all I know this might be a fixed bug in the source from inter7. No idea. I clicked on 'security' on their web site and saw this:

"Inter7 specializes in security through obscurity and misdirection, as well as baiting. These techniques, when combined with experience, are powerful tools in protecting your network against attacks."

However, I saw nothing about "Security problem in Qmailadmin -- please upgrade immediately," for what that's worth.

The skinny is that it installs a suid CGI program (as root from the RPM, and setuid as a lesser privileged user on *BSD) that has some problems if it's run locally. The code problem is that it trusts an environment variable without sanitizing or truncating it. I assume the author assumed that nobody local would be running this binary, as it's meant to be run as a CGI.

tmpstr = getenv(QMAILADMIN_TEMPLATEDIR);

So, QMAILADMIN_TEMPLATEDIR is the one.

[tcannon@frobozz cgi-bin]$ ls -l qmailadmin
-rwsr-sr-x    1 root     root       198597 Nov 26  2001 qmailadmin
[tcannon@frobozz cgi-bin]$ uname -a
Linux frobozz.grassroots.com 2.4.18-3 #1 Thu Apr 18 07:37:53 EDT 2002 i686 unknown
[tcannon@frobozz cgi-bin]$ export QMAILADMIN_TEMPLATEDIR=`perl -e 'print "A" x 21000'`
[tcannon@frobozz cgi-bin]$ gdb qmailadmin
GNU gdb Red Hat Linux (5.1.90CVS-5)
Copyright 2002 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(gdb) r
Starting program: /var/www/cgi-bin/qmailadmin
Content-Type: text/html

Program received signal SIGSEGV, Segmentation fault.
0x42072a5d in rewind () from /lib/i686/libc.so.6
(gdb) i all
eax            0x41414141       1094795585   <---- HERE
ecx            0x41413fa9       1094795177
edx            0x0              0
ebx            0x4213030c       1108542220
esp            0xbfffa7f0       0xbfffa7f0
ebp            0xbfffa818       0xbfffa818
esi            0x41414141       1094795588   <---- HERE
edi            0x0              0
eip            0x42072a5d       0x42072a5d
eflags         0x210246         2163270
<snip>

So, I'm overwriting parts of memory and going places I shouldn't. But I'm not sure how to exploit this, or even if it's really even exploitable. I'm not getting to the EIP or EBP, and I'm not sure how to control the stack in a way where I could execute arbitrary code. Someone else here might see this and go, "Well, obviously... you just move this here, stuff that here, put a return address at this spot and when it pops this frame it jumps to there and returns this, which, obviously, runs our shellcode." Or, maybe not. I know *I* don't know how to exploit this... but if it is exploitable, I'd certainly like to learn the technique -- which is why this is in front of you today.

Thanks,
-thomas
"No brain, no headache"
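The post pins the bug on a setuid program copying an environment variable (QMAILADMIN_TEMPLATEDIR) into memory with no length check. The C below is an added example written for this archive page, not qmailadmin's source and not the poster's code: it shows the unbounded pattern the post describes next to a hardened reader that bounds the scan, rejects oversized or malformed values instead of truncating them, and ignores the variable entirely when the process is running with elevated effective IDs. The function names, the 256-byte buffer size, the validation rules and the fallback default path are all assumptions made for the example; the 21000-byte input is the one from the post.

```c
/* Added example for the mailing-list post above; not qmailadmin's code.
 * Demonstrates bounded, validated handling of an environment variable
 * that a setuid program would otherwise trust blindly. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TEMPLATEDIR_MAX 256   /* assumed size of the fixed destination buffer */

/* Unbounded pattern as described in the post: the value is copied with no
 * length check, so a 21000-byte QMAILADMIN_TEMPLATEDIR overruns the
 * destination. Kept only for contrast; nothing in this file calls it. */
void unsafe_template_dir(const char *env_value, char out[TEMPLATEDIR_MAX])
{
    strcpy(out, env_value);
}

/* Hardened reader. Returns 0 and fills `out` on success, -1 otherwise.
 * Rejecting a bad value (rather than truncating it) avoids silently
 * turning an oversized path into a different, shorter path. */
int safe_template_dir(const char *env_value, char *out, size_t outlen)
{
    if (env_value == NULL || out == NULL || outlen == 0)
        return -1;

    /* memchr bounds the scan to outlen bytes: we never read further into
     * caller-controlled data than the destination could hold. */
    const char *nul = memchr(env_value, '\0', outlen);
    if (nul == NULL)
        return -1;                       /* longer than outlen-1: reject */
    size_t n = (size_t)(nul - env_value);
    if (n == 0)
        return -1;                       /* empty value */

    if (env_value[0] != '/')
        return -1;                       /* require an absolute path */
    if (strstr(env_value, "..") != NULL)
        return -1;                       /* conservative: no ".." anywhere */
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)env_value[i];
        if (c < 0x20 || c == 0x7f)
            return -1;                   /* control characters */
    }

    memcpy(out, env_value, n + 1);       /* n + 1 <= outlen, includes NUL */
    return 0;
}

/* Mirror of the post's getenv() call site. When the binary runs with an
 * effective uid/gid different from the real one (the setuid case the post
 * describes), the environment is not consulted at all. The default path is
 * a placeholder for this example, not qmailadmin's real template location. */
const char *template_dir(char *out, size_t outlen)
{
    const char *v = NULL;
    if (getuid() == geteuid() && getgid() == getegid())
        v = getenv("QMAILADMIN_TEMPLATEDIR");
    if (safe_template_dir(v, out, outlen) != 0)
        snprintf(out, outlen, "%s", "/usr/local/share/qmailadmin/html");
    return out;
}

/* Small helpers so each case returns a checkable value. */
int check_value(const char *v)
{
    char buf[TEMPLATEDIR_MAX];
    return safe_template_dir(v, buf, sizeof buf);
}

/* Constructs a value of `len` 'A' bytes, like the post's perl one-liner. */
int check_long_input(size_t len)
{
    char *big = malloc(len + 1);
    if (big == NULL)
        return -1;
    memset(big, 'A', len);
    big[len] = '\0';
    char buf[TEMPLATEDIR_MAX];
    int rc = safe_template_dir(big, buf, sizeof buf);
    free(big);
    return rc;
}

int main(void)
{
    char buf[TEMPLATEDIR_MAX];
    printf("21000 x 'A'            -> %s\n", check_long_input(21000) == 0 ? "accepted" : "rejected");
    printf("/usr/local/share/html  -> %s\n", check_value("/usr/local/share/html") == 0 ? "accepted" : "rejected");
    printf("/tmp/../etc            -> %s\n", check_value("/tmp/../etc") == 0 ? "accepted" : "rejected");
    printf("effective dir          -> %s\n", template_dir(buf, sizeof buf));
    return 0;
}
```

The two decisions worth copying are the bounded scan (memchr over at most the destination size, so the program never walks a 21000-byte value) and refusing the environment outright when real and effective IDs differ; a compiled-in path needs no validation at all and is the simplest fix for a setuid CGI.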
This archive was generated by hypermail 2b30 : Mon Aug 05 2002 - 18:06:05 PDT