[max@xxxxxxxxxxxxx: ssmtp vulnerability]: msg#00003

Subject: [max@xxxxxxxxxxxxx: ssmtp vulnerability]
Hi auditors,

another old vulnerability report. It resulted in DSA-485-1.

Cheers,
Max

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC

----- Forwarded message from Max Vozeler <max@xxxxxxxxxxxxx> -----

From: Max Vozeler <max@xxxxxxxxxxxxx>
To: team@xxxxxxxxxxxxxxxxxxx
Cc: Matt Ryan <mryan@xxxxxxxxxx>
Subject: ssmtp vulnerability
Date: Sun, 11 Apr 2004 18:40:25 +0200
User-Agent: Mutt/1.5.5.1+cvs20040105i

Hi Matt, Hi Security Team,

the logging functions of ssmtp have two format string vulns. Both are
exploitable by a rogue mailhub and apparently exist in all versions of
ssmtp in the archive. The oldest version I checked and found vulnerable
was 2.48.

The first bug is in die():

        void die(char *format, ...)
        {
                char buf[(BUF_SZ + 1)];
                va_list ap;
        
                va_start(ap, format);
                (void)vsnprintf(buf, BUF_SZ, format, ap); 
                va_end(ap);
        
                ...

                /* BUG #1 */
                log_event(LOG_ERR, buf);


        void log_event(int priority, char *format, ...)
        {
                char buf[(BUF_SZ + 1)];
                va_list ap;
        
                va_start(ap, format);
                (void)vsnprintf(buf, BUF_SZ, format, ap);
                va_end(ap);
        
                ...
 
 
die() gets the mailhub response as "user" controllable input:
 

        int smtp_okay(int fd, char *response)
        {
                return((smtp_read(fd, response) == 2) ? 1 : 0);
        }

        int ssmtp(char *argv[])
        {
                ...
                if(smtp_okay(sock, buf) == False) {
                        die("%s (%s)", buf, hostname);
                }


The second bug is a few lines further down in log_event() where it calls
syslog with the entire log string as format string:

        void log_event(int priority, char *format, ...)
        {
                char buf[(BUF_SZ + 1)];
                va_list ap;
        
                va_start(ap, format);
                (void)vsnprintf(buf, BUF_SZ, format, ap);
                va_end(ap);
        
                ...
        
                /* BUG #2 */
                syslog(priority, buf);


I attached a small script 'roguehub' that demonstrates the first bug by
causing a SIGSEGV on connecting ssmtp clients.

Greets
Max

-- 
308E81E7B97963BCA0E6ED889D5BD511B7CDA2DC

#!/bin/sh
cat <<SMTP_SESSION | nc -vlp 25
220 xyz
555 %n%n%n%n%n%n
SMTP_SESSION

diff -ur ssmtp-2.60.4.orig/ssmtp.c ssmtp-2.60.4/ssmtp.c
--- ssmtp-2.60.4.orig/ssmtp.c   2003-08-17 16:18:05.000000000 +0200
+++ ssmtp-2.60.4/ssmtp.c        2004-04-11 16:51:15.000000000 +0200
@@ -121,7 +121,7 @@
 #else
        openlog("sSMTP", LOG_PID, LOG_MAIL);
 #endif
-       syslog(priority, buf);
+       syslog(priority, "%s", buf);
        closelog();
 #endif
 }
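Review bot: the `"%s"` wrapper on the `syslog()` call is the correct fix for this site, but the surrounding `#else`/`#endif` lines show the call sits inside conditionally compiled code; confirm that the logging path built in the other branch (whatever writes the message when syslog support is not compiled in) also formats `buf` through a literal format string, because the same mailhub-supplied text reaches it.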
@@ -196,7 +196,7 @@
        va_end(ap);
 
        (void)fprintf(stderr, "%s: %s\n", prog, buf);
-       log_event(LOG_ERR, buf);
+       log_event(LOG_ERR, "%s", buf);
 
        /* Send message to dead.letter */
        (void)dead_letter();
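Review bot: passing `"%s", buf` from `die()` closes BUG #1, but it only covers this one caller; any other site that hands a pre-formatted or remote-supplied string to `log_event()` or `die()` as the format argument stays exploitable. Declaring both functions with the printf format attribute (`__attribute__((format(printf, 2, 3)))` for `log_event`, `(printf, 1, 2)` for `die`) would make the compiler warn on every remaining non-literal format and belongs in the same patch. The `(void)fprintf(stderr, "%s: %s\n", prog, buf);` context line already follows the correct pattern.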




----- End forwarded message -----
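The hardened calling convention from the patch, as an added example that is not ssmtp's own code: the log sink is an in-memory buffer instead of syslog(), `die()` becomes `die_msg()` without the exit path, and `log_mailhub_response()`, `BUF_SZ` and `last_log` are assumed names. It shows that a response containing `%n` sequences survives as literal text once both calls pass a constant format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ssmtp's code. The syslog() sink is replaced by an
 * in-memory buffer so the code runs stand-alone; BUF_SZ, last_log and the
 * function names below are assumptions, not ssmtp identifiers. */
#define BUF_SZ 1024

static char last_log[BUF_SZ + 1];  /* stands in for syslog(); assumption */

/* The format attribute makes GCC/Clang warn whenever a caller passes a
 * non-literal format string, which is the root cause of both ssmtp bugs. */
__attribute__((format(printf, 2, 3)))
static void log_event(int priority, const char *format, ...)
{
    char buf[BUF_SZ + 1];
    va_list ap;

    va_start(ap, format);
    (void)vsnprintf(buf, BUF_SZ, format, ap);
    va_end(ap);

    /* Fixed form of BUG #2: buf is data, so it is passed through "%s". */
    (void)snprintf(last_log, sizeof last_log, "<%d> %s", priority, buf);
}

/* die() from the report, with exit()/dead_letter() omitted so it returns. */
__attribute__((format(printf, 1, 2)))
static void die_msg(const char *format, ...)
{
    char buf[BUF_SZ + 1];
    va_list ap;

    va_start(ap, format);
    (void)vsnprintf(buf, BUF_SZ, format, ap);
    va_end(ap);

    /* Fixed form of BUG #1: the formatted message is an argument, not a format. */
    log_event(3 /* LOG_ERR */, "%s", buf);
}

/* Formats a mailhub response the way ssmtp() does and returns what was
 * logged; any '%' in the response must come out as literal text. */
const char *log_mailhub_response(const char *response, const char *hostname)
{
    die_msg("%s (%s)", response, hostname);
    return last_log;
}
```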

