Vpopmail and QmailAdmin are prone to several integer overflows because the numeric types used to store a user's quota and mailbox usage are narrower than the values they have to hold. A plain int is not enough: it overflows as soon as a user has more than 2 GB in their mailbox. A long is no better, because on 32-bit machines long has the same 32-bit range as int.
Credit:
The information has been provided by Jacobo Avariento Gimeno.
The original article can be found at: http://www.sofistic.net/advisories/0901
Vulnerable Systems:
* Vpopmail version 5.5.0
* QmailAdmin version 1.2.12
There are several functions/files to fix in vpopmail and qmailadmin:
* vpopmail-5.5.0: quota.c, function quota_percent
* vpopmail-5.5.0: vuserinfo.c, function display_user
* qmailadmin-1.2.12: function quota_to_megabytes
* qmailadmin-1.2.12: maildirquota.c, functions wrapreaduserquota, readdomainquota, readuserquota
Proof of Concept:
Set a quota larger than 2 GB on a user ("./vsetuserquota user@domain $((3*1024*1024*1024))") and check it with "./vuserinfo user@domain": the user's quota usage is reported as 100% regardless of the real usage, and in qmailadmin the quota never grows past 2048 MB. Then put more than 2 GB of data in the mailbox: the usage counter overflows and is displayed as a negative value, e.g. -1114.49 / unlimited.
Patch Availability:
There are no official patches yet. All sysadmins running vpopmail/qmailadmin should be aware of this, because the vendor has given no date for a new version or patch.
To fix the problem, none of int, long or off_t should be used for byte counts (off_t is itself only 32 bits wide on a 32-bit build unless large-file support, _FILE_OFFSET_BITS=64, is enabled); a long long int fixes it for the foreseeable future. Casting the variable to a wider type is not a fix when it has already overflowed, which is what the newest version does (vpopmail 5.5.0: maildirquota.c line 294).
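The following is an added example, not vpopmail or qmailadmin code, that models the arithmetic behind the proof of concept and the proposed fix. The file sizes, the 3 GiB quota and the helper names (to_int32, sum_sizes_int32, quota_percent_cast_late, quota_percent_ll, usage_mib_int32) are all constructed for illustration; the 32-bit counters are written as explicit int32_t so the wrap is reproducible on a 64-bit host as well.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not the project's code): a 2.5 GiB mailbox counted
 * with a 32-bit integer versus a 64-bit one, and a quota of 3 GiB. */

#define GIB (1024LL * 1024 * 1024)

/* Constructed sample: three files totalling 2.5 GiB. */
static const long long SAMPLE_SIZES[] = { 1 * GIB, 1 * GIB, GIB / 2 };
static const size_t SAMPLE_COUNT = sizeof SAMPLE_SIZES / sizeof SAMPLE_SIZES[0];

/* Model of storing a byte count in a 32-bit int. Signed overflow is
 * undefined in C, so the wrap is performed on uint32_t and converted
 * back, which yields the two's-complement value a 32-bit build shows. */
static int32_t to_int32(long long v) { return (int32_t)(uint32_t)v; }

/* Buggy: accumulating file sizes into a 32-bit counter. Past 2 GiB the
 * counter goes negative, past 4 GiB it wraps around to small values. */
static int32_t sum_sizes_int32(const long long *sizes, size_t n) {
    uint32_t acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += (uint32_t)sizes[i];
    return (int32_t)acc;
}

/* Fixed: accumulate in 64 bits from the first byte onwards. */
static long long sum_sizes_ll(const long long *sizes, size_t n) {
    long long acc = 0;
    for (size_t i = 0; i < n; i++)
        acc += sizes[i];
    return acc;
}

/* Casting to long long after the overflow recovers nothing: the
 * sign-extended operands are still the wrapped values. */
static int quota_percent_cast_late(int32_t usage, int32_t quota) {
    if (quota == 0)                 /* 0 means unlimited */
        return 0;
    return (int)(((long long)usage * 100) / (long long)quota);
}

/* Fixed: both operands kept and computed in 64 bits. */
static int quota_percent_ll(long long usage, long long quota) {
    if (quota == 0)
        return 0;
    return (int)((usage * 100) / quota);
}

/* Usage in MiB as a 32-bit counter would display it. */
static long long usage_mib_int32(int32_t usage) { return usage / (1024 * 1024); }

int main(void) {
    long long quota = 3 * GIB;
    int32_t q32 = to_int32(quota);                                  /* -1073741824 */
    int32_t u32 = sum_sizes_int32(SAMPLE_SIZES, SAMPLE_COUNT);     /* -1610612736 */
    long long u64 = sum_sizes_ll(SAMPLE_SIZES, SAMPLE_COUNT);      /* 2684354560 */

    printf("32-bit counters: %lld MiB used, %d%% of quota\n",
           usage_mib_int32(u32), quota_percent_cast_late(u32, q32));
    printf("64-bit counters: %lld MiB used, %d%% of quota\n",
           u64 / (1024 * 1024), quota_percent_ll(u64, quota));
    return 0;
}
```

With the 32-bit counters the mailbox shows as -1536 MiB used and 150% of quota, the same kind of nonsense as the negative usage in the proof of concept; with 64-bit counters it is 2560 MiB and 83%. The point of quota_percent_cast_late is the one made above about maildirquota.c: widening the type at the division is too late, the width has to be right where the bytes are summed and where the quota is stored.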
Disclosure Timeline:
* 20/Apr/2009: Vendor is first notified.
* 20/Apr/2009: Vendor responds that the issue was fixed in the 5.5 branch.
* 23/Apr/2009: Vendor is notified again that the problem was not fixed.
* 23/Apr/2009: Vendor responds that there is no qmailadmin version compatible with the 5.5 branch yet.
* 29/Apr/2009: Vendor is asked when they plan to release a patch or new version; no response is received.
* 8/May/2009: Public disclosure of the vulnerability.