Bug: format string and buffer overflow (sybase) Product: vpopmail <= 5.4.2 (sybase vulnerability) Author: Werro [werro@xxxxxxx] Realease Date : 12/08/04 Risk: Low Vendor status: Vendor is in a big shit :) Reference: http://web-hack.ru/unl0ck/advisories/ Overview: vpopmail is a set of programs for creating and managing multiple virtual domains on a qmail server. Details: Bugs were founded in SyBase. In vsybase.c file. -------------------\ char dirbuf[156]; \__Vulnerability___________________________________________________ ... | if ( strlen(dir) > 0 ) | { | sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user); | ^^^^^^^ - buffer overflow | }else{ | sprintf(dirbuf, "%s/%s", dom_dir, user); | ^^^^^^^ - buffer overflow | } | ... | | if ( site_size == LARGE_SITE ) { | sprintf( SqlBuf, LARGE_INSERT, domstr, | user, pass, pop, gecos, dirbuf, quota); | ^^^^^^^ - format string | } else { | sprintf( SqlBuf, SMALL_INSERT, | SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf, quota); | } ^^^^^^^ - format string ______________________________________________| ----------------------------------------/ Two vulnerability : format string and buffer overflow. Latest Version is Vulnerable. To avoid this bugs, you must use snprintf() with format like "%s". 12/08/04. (c) by unl0ck team. http://web-hack.ru/unl0ck
