"XMail is an Internet and Intranet mail server featuring an SMTP server, POP3 server, finger server and multiple domains."
Local exploitation of a buffer overflow vulnerability in XMail, as distributed with multiple vendors' operating systems, allows local attackers to execute arbitrary code with elevated privileges.
The vulnerability exists because of insufficient bounds checking on user-supplied data. Specifically, the AddressFromAtPtr function does not check the length of arguments passed to it by its callers, and as a result an exploitable stack overflow occurs when XMail's sendmail binary is invoked with the "-t" command line option. With "-t", the recipient is not taken from the command line but from the text of the message itself, on a line beginning with "To:". XMail passes that user-supplied address to AddressFromAtPtr without bounds checking, and AddressFromAtPtr attempts to store the hostname portion of the e-mail address (the part after the "@") in a 256-byte buffer. A crafted address with a hostname portion longer than the buffer overflows it and overwrites process control data on the stack, resulting in local code execution with the privileges of the sendmail binary.
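To make the bounds problem concrete, the following is an added example in C written for this page, not code from XMail's source: a minimal reconstruction of the unsafe pattern (an unbounded copy of the host part of an address into a 256-byte stack buffer) beside a bounded replacement, plus a stand-in for the "-t" recipient lookup from a "To:" header. The function names, the 256-byte buffer as a local array, the header scanner and the sample messages are all constructed assumptions; XMail's actual AddressFromAtPtr and its header parsing are not reproduced.

```c
#include <stdio.h>
#include <string.h>

#define HOST_BUF_SIZE 256   /* the 256-byte buffer the advisory describes */

/* Vulnerable pattern (constructed illustration, not XMail's own code):
 * everything after the last '@' is copied into a fixed 256-byte stack
 * buffer with no length check.  A host part of 256 bytes or more runs
 * past `host` and overwrites the saved control data above it. */
int host_from_address_unsafe(const char *addr)
{
    char host[HOST_BUF_SIZE];
    const char *at = strrchr(addr, '@');
    if (at == NULL)
        return -1;
    strcpy(host, at + 1);               /* unbounded copy: stack overflow */
    return (int)strlen(host);
}

/* Hardened version: measure the host part first and refuse anything that
 * would not fit in `out` together with its terminating NUL. */
int host_from_address_safe(const char *addr, char *out, size_t outlen)
{
    const char *at = strrchr(addr, '@');
    size_t hlen;
    if (at == NULL || at == addr)       /* no '@', or empty local part */
        return -1;
    hlen = strlen(at + 1);
    if (hlen == 0 || hlen >= outlen)    /* empty host, or would overflow */
        return -1;
    memcpy(out, at + 1, hlen + 1);
    return (int)hlen;
}

/* Stand-in for "-t" recipient extraction (hypothetical, not XMail's header
 * parser): find the first line of `msg` starting with "To:", take the first
 * whitespace-delimited token after it as the address and hand it to the
 * bounded parser.  Returns the host length, or -1. */
int recipient_host_from_headers(const char *msg, char *out, size_t outlen)
{
    const char *line = msg;
    while (line != NULL && *line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t linelen = eol ? (size_t)(eol - line) : strlen(line);
        if (linelen >= 3 && strncmp(line, "To:", 3) == 0) {
            char addr[1024];
            const char *p = line + 3;
            size_t alen = 0;
            while (*p == ' ' || *p == '\t')
                p++;
            while (p[alen] != '\0' && p[alen] != '\n' &&
                   p[alen] != ' ' && p[alen] != '\t')
                alen++;
            if (alen >= sizeof addr)    /* address token itself too long */
                return -1;
            memcpy(addr, p, alen);
            addr[alen] = '\0';
            return host_from_address_safe(addr, out, outlen);
        }
        line = eol ? eol + 1 : NULL;
    }
    return -1;                          /* no To: header present */
}

/* Build a constructed two-header message whose To: address carries a host
 * part of `hostlen` filler bytes and run it through the bounded extractor,
 * so the exact point where the size check starts rejecting is visible. */
int crafted_recipient_result(size_t hostlen)
{
    static const char prefix[] = "From: sender@example.net\nTo: user@";
    char msg[2048];
    char host[HOST_BUF_SIZE];
    size_t plen = sizeof prefix - 1;
    if (plen + hostlen + 2 > sizeof msg)
        return -2;
    memcpy(msg, prefix, plen);
    memset(msg + plen, 'A', hostlen);
    msg[plen + hostlen] = '\n';
    msg[plen + hostlen + 1] = '\0';
    return recipient_host_from_headers(msg, host, sizeof host);
}

/* Convenience check: does the bounded parser yield `expected` for `addr`? */
int safe_host_is(const char *addr, const char *expected)
{
    char host[HOST_BUF_SIZE];
    if (host_from_address_safe(addr, host, sizeof host) < 0)
        return 0;
    return strcmp(host, expected) == 0;
}

int main(void)
{
    printf("benign address: unsafe copy returns %d, bounded parser agrees: %d\n",
           host_from_address_unsafe("user@example.org"),
           safe_host_is("user@example.org", "example.org"));
    printf("255-byte host part: %d (fits)\n", crafted_recipient_result(255));
    printf("256-byte host part: %d (rejected before any copy)\n",
           crafted_recipient_result(256));
    return 0;
}
```

The unsafe function is only ever called here with a short address. Feeding it a host part of 256 bytes or more is exactly the condition the advisory describes and is undefined behaviour, so the overflow itself is left to the size arithmetic in crafted_recipient_result, which shows the bounded parser rejecting precisely at the 256-byte boundary where the unbounded strcpy would start writing past the buffer.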
Successful exploitation results in code execution with whatever elevated privileges the sendmail binary carries, and that depends on how XMail was installed. XMail is distributed in RPM, DEB and source format. The RPM package installs the sendmail binary setuid root, so exploitation of an RPM install yields root.
The other distribution formats install the sendmail binary setgid mail. Administrators can tell which case applies to a given host by checking the permission bits on the installed sendmail binary.
Exploitation yielding group mail privileges allows an attacker to read all unencrypted mail stored locally in the system mail folders.
Vendor Status:
The vendor has released XMail 1.22 to address this issue; it is available for download at: http://www.xmailserver.org/