Date: Sat, 22 Jan 2000 16:04:51 -0800
From: "what's your style?" <[email protected]>
To: [email protected]Subject: remote root qmail-pop with vpopmail advisory and exploit with patch
w00w00 Security Advisory - http://www.w00w00.org/
Title: qmail-pop3d with vpopmail/vchkpw
Platforms: Any
Discovered: 7th January, 2000
Local: Yes.
Remote: Yes.
Author: K2 <[email protected]>
Vendor Status: Notified.
Last Updated: N/A
1. Overview
qmail-pop3d may pass an overly long command argument to it's password
authentication service. When vpopmail is used to authenticate user
information a remote attacker may compromise the privilege level that
vpopmail is running, naturally root.
2. Background
It is Qmail's nonconformance to the pop3 specification that allows
this bug to manifest itself. qmail-pop3d trust's that it's checkpassword
mechanism will support the same undocumented "features" as it dose, it
is this extra functionality that breaks vpopmail and RFC1939.
>From RFC1939 [Post Office Protocol - Version 3]
--------------------------------------------------------
Commands in the POP3 consist of a caseinsensitive keyword, possibly
followed by one or more arguments. All commands are terminated by a
CRLF pair. Keywords and arguments consist of printable ASCII
characters. Keywords and arguments are each separated by a single
SPACE character. Keywords are three or four characters long. Each
argument may be up to 40 characters long.
--------------------------------------------------------
>From BLURB3 (qmail-1.03)
--------------------------------------------------------
POP3 service (qmail-popup, qmail-pop3d):
* RFC 1939
* UIDL support
* TOP support
* APOP hook
* modular password checking (checkpassword, available separately)
--------------------------------------------------------
3. Issue
qmail-pop3d claims compliance to RFC1939, however this is not the case
qmail breaks that compliance by allowing overly long argument lengths
to be processed. qmail then passes control to a process without
documenting this added bug/feature.
4. Impact
A remote attacker may attain the privilege level of the authentication
module.
Sample exploit code can be found at http://www.ktwo.ca/security.html
5. Recommendation
Impose the 40 character limitation specified by RFC1939 into qmail.
Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
6. References
RFC1939
qmail-1.03/BLURB3
--------------------------------------------------------
K2
www.ktwo.ca / [email protected]
