('binary' encoding is not supported, stored as-is)
Bug: format string and buffer overflow (sybase)
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [werro_at_list.ru]
Realease Date : 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference:
http://web-hack.ru/unl0ck/advisories/
Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.
Details:
Bugs were founded in SyBase. In vsybase.c file.
-------------------\
char dirbuf[156]; \__Vulnerability___________________________________________________
... |
if ( strlen(dir) > 0 ) |
{ |
sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user); |
^^^^^^^ - buffer overflow |
}else{ |
sprintf(dirbuf, "%s/%s", dom_dir, user); |
^^^^^^^ - buffer overflow |
} |
... |
|
if ( site_size == LARGE_SITE ) { |
sprintf( SqlBuf, LARGE_INSERT, domstr, |
user, pass, pop, gecos, dirbuf, quota); |
^^^^^^^ - format string |
} else { |
sprintf( SqlBuf, SMALL_INSERT, |
SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf, quota); |
} ^^^^^^^ - format string ______________________________________________|
----------------------------------------/
Two vulnerability : format string and buffer overflow.
Latest Version is Vulnerable.
To avoid this bugs, you must use snprintf() with format like "%s".
12/08/04.
(c) by unl0ck team.
http://web-hack.ru/unl0ck
Received on Aug 17 2004
Intro
