Archive : 2000 : january : qmail - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku
remote root qmail-pop with vpopmail advisory and exploit with patch



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


    Date: Вс, 23 янв 2000  03:04:51

   От: "what's your style?" <ktwo@KTWO.CA>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: remote root qmail-pop with vpopmail advisory and exploit with patch

--------------------------------------------------------------------------------




w00w00 Security Advisory - http://www.w00w00.org/

Title:          qmail-pop3d with vpopmail/vchkpw

Platforms:      Any

Discovered:     7th January, 2000

Local:          Yes.

Remote:         Yes.

Author:         K2 <ktwo@ktwo.ca>

Vendor Status:  Notified.

Last Updated:   N/A



1. Overview



qmail-pop3d may pass an overly long command argument to it's password

authentication service.  When vpopmail is used to authenticate user

information a remote attacker may compromise the privilege level that

vpopmail is running, naturally root.



2. Background



It is Qmail's nonconformance to the pop3 specification that allows

this bug to manifest itself. qmail-pop3d trust's that it's checkpassword



mechanism will support the same undocumented "features" as it dose, it

is this extra functionality that breaks vpopmail and RFC1939.



>From RFC1939 [Post Office Protocol - Version 3]

--------------------------------------------------------

  Commands in the POP3 consist of a caseinsensitive keyword, possibly

  followed by one or more arguments.  All commands are terminated by a

  CRLF pair.  Keywords and arguments consist of printable ASCII

  characters.  Keywords and arguments are each separated by a single

  SPACE character.  Keywords are three or four characters long. Each

  argument may be up to 40 characters long.

--------------------------------------------------------



>From BLURB3 (qmail-1.03)

--------------------------------------------------------

POP3 service (qmail-popup, qmail-pop3d):

*  RFC 1939

*  UIDL support

*  TOP support

*  APOP hook

*  modular password checking (checkpassword, available separately)

--------------------------------------------------------



3. Issue



qmail-pop3d claims compliance to RFC1939, however this is not the case

qmail breaks that compliance by allowing overly long argument lengths

to be processed.  qmail then passes control to a process without

documenting this added bug/feature.



4. Impact



A remote attacker may attain the privilege level of the authentication

module.

Sample exploit code can be found at http://www.ktwo.ca/security.html



5. Recommendation



Impose the 40 character limitation specified by RFC1939 into qmail.

Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch



6. References



RFC1939

qmail-1.03/BLURB3



--------------------------------------------------------

K2

www.ktwo.ca / ktwo@ktwo.ca
test server