Perdition IMAP Proxy str_vwrite Format String Vulnerability
1 Nov. 2007
Summary
Perdition is "a fully featured POP3 and IMAP4 proxy server. It is able to handle both SSL and non-SSL connections and redirect users to a real-server based on a database lookup". Perdition IMAPD is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.
Vulnerable Systems:
* Perdition Mail Retrieval Proxy version 1.17 and prior
Immune Systems:
* Perdition Mail Retrieval Proxy version 1.17.1
Vulnerability details:
1.) In certain situations, the IMAP-Tag (first part of IMAP-command) is copied into a character buffer without validation. This buffer is then ultimately passed to vsnprintf() as a format string.
2.) Before the call to vsnprintf, a validation of the format string is performed as a protection against format string injection.
In line 187-191, the actual number of format identifiers is compared to supposed number given in the parameter nargs. This check can however be bypassed by injecting a null-byte in the end of the IMAP-tag. The null-byte cuts of the rest of the string (with the original format identifiers intended by the programmer). Therefore it is possible to inject 'nargs' arbitrary format identifiers within the IMAP tag. In practice, only a single format identifier can be controlled by the attacker. This is not very nice to exploit, however arbitrary code execution is still possible. For example, multiple successive single-byte-writes on a global function pointer can be used to gain control of the instruction pointer. Due to the nature of the vulnerability, a good exploit can bypass most OS security features (non-exec-stack, ASLR, etc.) as well as compiler features (stack canaries,...).
Proof-of-Concept
The following can be used to test for the vulnerability: perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143
