IIL Advisory: Format String bug in Null Webmail (0.6.3)

                 [ Illegal Instruction Labs Advisory ]
[-------------------------------------------------------------------------]
Advisory name: Format String bug in Null Webmail (0.6.3)
Advisory number: 7
Application: Null Webmail 0.6.3
Author: Dan Cahill
E-mail: cahill@nulllogic.com
Homepage: http://www.nulllogic.com/webmail/
Date: 1.07.2002
Impact: I don't know (yet)
Tested on: nowhere
Discovered by: DownBload
Mail me @: downbload@hotmail.com




======[ Overview

Null Webmail is a CGI interface to SMTP and POP3 servers (you can read and
send mail with your browser). It is written in C. You can find Null
Webmail on SourceForge.




======[ Problem

Null Webmail has a format string bug in logdata() and wmprintf(), but
logdata() is commented out (inside /* */), so logdata() isn't interesting to us.

Here comes the buggy code:

---[ wmserver.c
...
/*
void logdata(const char *format, ...)  // <--- NOT INTERESTING (whole function is commented out)
{
	char logbuffer[1024];
	char file[200];
	va_list ap;
	FILE *fp;

#ifdef WIN32
	snprintf(file, sizeof(file)-1, "C:\\webmail.log");
#else
	snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
#endif
	fp=fopen(file, "a");
	if (fp!=NULL) {
		va_start(ap, format);
		vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
		va_end(ap);
		fprintf(fp, "%s", logbuffer);
		fclose(fp);
	}
}
*/


int wmprintf(const char *format, ...)    /* <--- INTERESTING FUNCTION */
{
	char buffer[1024];
	va_list ap;

	va_start(ap, format);
	vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING
	va_end(ap);
	send(wmsocket, buffer, strlen(buffer), 0);
//	logdata (">> %s", buffer);
	return 0;
}
...

---[ calls to wmprintf()

...
wmprintf("USER %s\r\n", wmusername);
...
wmprintf("PASS %s\r\n", wmpassword);
...
wmprintf("MAIL From: %s\r\n", ptemp);
...
wmprintf("RCPT To: <%s>\r\n", msgaddr);
...
wmprintf("From: %s\r\n", wmaddress);
wmprintf("To: %s\r\n", msgto);
...
wmprintf("Subject: %s\r\n", msgsubject);
...
etc.

Here we have a few wmprintf() calls, and I think that we can put our
'NASTY %sTRING' in all those variables :).
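The following is an added example, not Null Webmail's code, that contrasts the two ways a vsnprintf() wrapper like wmprintf() can be called: with the untrusted value passed as a %s argument, as in the call sites quoted above, and with untrusted text used as the format itself, which is the call shape a format string bug needs. It also shows the GCC/Clang format attribute that makes the compiler flag the second shape under -Wformat-security. wm_format_raw(), wm_format(), safe_user_line(), buggy_user_line() and WM_LINE_LEN are names assumed for the demo, and the wrapper writes into a buffer instead of wmsocket so it runs offline.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define WM_LINE_LEN 1024   /* assumed; mirrors the 1024-byte buffer in wmprintf() */

/* Stand-in for wmprintf() as quoted (no format attribute), writing to a
 * caller-supplied buffer instead of wmsocket so it can be checked offline. */
static int wm_format_raw(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return 0;
}

/* Hardened variant: the GCC/Clang format attribute lets -Wformat-security
 * flag any caller that passes a non-literal format, which is the only call
 * shape that turns a wrapper like this into a format string bug. */
__attribute__((format(printf, 3, 4)))
static int wm_format(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    va_start(ap, format);
    vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return 0;
}

/* Safe call shape, as in the quoted call sites: the untrusted value is an
 * argument, so any '%' inside it is copied literally, never interpreted. */
const char *safe_user_line(const char *wmusername)
{
    static char out[WM_LINE_LEN];
    wm_format(out, sizeof out, "USER %s\r\n", wmusername);
    return out;
}

/* Buggy call shape, constructed for contrast only (the advisory shows no such
 * call in Null Webmail): untrusted text ends up as the format itself, so
 * vsnprintf() parses every '%' it contains, and without the attribute the
 * compiler says nothing about it. */
const char *buggy_user_line(const char *wmusername)
{
    static char line[WM_LINE_LEN], out[WM_LINE_LEN];
    snprintf(line, sizeof line, "USER %s\r\n", wmusername);
    wm_format_raw(out, sizeof out, line);
    return out;
}
```

Feeding the constructed username "100%%" through both shows the difference: the safe path emits the two percent signs unchanged, while the buggy path collapses "%%" into one "%" because vsnprintf() evaluated it as a directive.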




======[ Example

Can't test this bug!!!
If I'm wrong about this format string bug in Null Webmail, I'm very sorry.




======[ Greetz

Greetz goes to #hr.hackers & #linux <irc.carnet.hr>. 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero & 
Paradox).
