Bugtraq readers,

eXtremail is a free integrated pop3/smtpd mail daemon for Linux (x86). Although it is free, it is closed-source software. It has been found that the majority of the newer versions are vulnerable to a remotely exploitable format string condition.

The following versions are confirmed to be vulnerable to this condition:

eXtremail v1.1.5
eXtremail v1.1.6
eXtremail v1.1.7
eXtremail v1.1.8
eXtremail v1.1.9

Note: Version 1.1.3 is also presumed to be vulnerable, but that version was not available for testing, although I have strong reason to assume that it is.

The format string problem is located in the flog() function, and is caused by the use of user-defined data as the format string for an fprintf() statement. This problem can be exploited remotely to yield remote root privileges by sending appropriately constructed strings as the arguments to the following commands:

Smtpd - HELO / EHLO / MAIL FROM:<....@....> / RCPT TO:<....@....>
Pop3 - USER (+ others requiring a suitable login).

This issue has been patched as of version 1.1.10; it is advisable that current or prospective users download this version as soon as possible. This is obtainable from the eXtremail homepage found at http://www.extremail.com

Exploit code attached....

Yours sincerely.....
mu-b
___________________________________________________________
mu-b (µb) (mu-b@digit-labs.org)
http://www.digit-labs.org
"Like German Tourists, the stupid are everywhere"
-Arnold 'Judas' Rimmer - Red Dwarf BBC (c)
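
The flog() defect described in this advisory, as an added example that is not part of the original post and is not eXtremail's code (the product is closed source): a log helper that keeps the format string constant, plus a counter for conversion specifiers in SMTP/POP3 command arguments. The function names and the sample arguments are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical log helpers; eXtremail is closed source, so none of this is
 * its flog(). The pattern the advisory describes is peer-supplied text used
 * as the format itself:   fprintf(fp, line);
 * Any conversion specifier in `line` is then interpreted by fprintf(). */

/* Hardened form: constant format string, peer data passed only as an
 * argument. Non-printable bytes become '?' so CR/LF cannot forge entries. */
int format_log_line(char *out, size_t outlen, const char *cmd, const char *arg)
{
    char clean[256];
    size_t i;
    for (i = 0; arg[i] != '\0' && i < sizeof(clean) - 1; i++)
        clean[i] = isprint((unsigned char)arg[i]) ? arg[i] : '?';
    clean[i] = '\0';
    return snprintf(out, outlen, "%s %s", cmd, clean);
}

int flog_safe(FILE *fp, const char *cmd, const char *arg)
{
    char line[512];
    format_log_line(line, sizeof(line), cmd, arg);
    return fprintf(fp, "%s\n", line);
}

/* Triage aid for hosts not yet upgraded: count printf-style conversion
 * introducers in a command argument. "%%" and a trailing '%' are skipped.
 * One hit can be benign (old "user%host" routing addresses). */
int count_format_directives(const char *arg)
{
    int n = 0;
    for (const char *p = arg; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%')
            p++;
        else if (p[1] != '\0')
            n++;
    }
    return n;
}

int main(void)
{
    flog_safe(stdout, "HELO", "%x%x%s");   /* constructed sample argument */
    return count_format_directives("%x%x%s") == 3 ? 0 : 1;
}
```

With the constant format the specifiers in the argument reach the log as literal text, which is also what makes them visible to later review.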