Thursday, November 01, 2007

[UNIX] Perdition IMAP Proxy str_vwrite Format String Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Perdition IMAP Proxy str_vwrite Format String Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.vergenet.net/> Perdition is "a fully featured POP3 and IMAP4
proxy server. It is able to handle both SSL and non-SSL connections and
redirect users to a real-server based on a database lookup". Perdition
IMAPD is affected by a format string bug in one of its IMAP output-string
formatting functions. The bug allows the execution of arbitrary code on
the affected server. A successful exploit does not require prior
authentication.

DETAILS

Vulnerable Systems:
* Perdition Mail Retrieval Proxy version 1.17 and prior

Immune Systems:
* Perdition Mail Retrieval Proxy version 1.17.1

Vulnerability details:
1.) In certain situations, the IMAP-Tag (first part of IMAP-command) is
copied into a character buffer without validation. This buffer is then
ultimately passed to vsnprintf() as a format string.

2.) Before the call to vsnprintf, a validation of the format string is
performed as a protection against format string injection.

>From str.c:
++++++++++++++++++++++++++++++++++++
168: static const char *__str_vwrite(io_t * io, const flag_t flag,
169: const size_t nargs, const char *fmt, va_list ap,
170: int *bytes)
171: {
(...)
186: fmt_args = 0;
187: for (place = 0; fmt[place] != '\0'; place++) {
188: if (fmt[place] == '%')
189: fmt[place + 1] == '%' ? place++ : fmt_args++;
190: }
191: if (fmt_args != nargs) {
(...)
195: VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
196: "%d args requested, %d args in format",
197: nargs, fmt_args);
198: return (NULL);
199: }
200:
201: *bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt,
ap);
++++++++++++++++++++++++++++++++++++

In line 187-191, the actual number of format identifiers is compared to
supposed number given in the parameter nargs. This check can however be
bypassed by injecting a null-byte in the end of the IMAP-tag. The
null-byte cuts of the rest of the string (with the original format
identifiers intended by the programmer). Therefore it is possible to
inject 'nargs' arbitrary format identifiers within the IMAP tag. In
practice, only a single format identifier can be controlled by the
attacker. This is not very nice to exploit, however arbitrary code
execution is still possible. For example, multiple successive
single-byte-writes on a global function pointer can be used to gain
control of the instruction pointer. Due to the nature of the
vulnerability, a good exploit can bypass most OS security features
(non-exec-stack, ASLR, etc.) as well as compiler features (stack
canaries,...).

Proof-of-Concept
The following can be used to test for the vulnerability:
perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143

Vendor status:
Vendor notified: 2007-10-12
Vendor response: 2007-10-12
Patch available: 2007-10-31


ADDITIONAL INFORMATION

The information has been provided by <mailto:research@sec-consult.com>
Bernhard Mueller.
The original article can be found at:
<http://www.sec-consult.com/300.html> http://www.sec-consult.com/300.html

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment