Perdition IMAP proxy str_vwrite format string vulnerability

SEC-CONSULT Security Advisory < 20071031-0 >

====================================================================================

title: Perdition IMAP proxy str_vwrite format string vulnerability

program: Perdition Mail Retrieval Proxy

vulnerable version: <=1.17

homepage: www.vergenet.net

found: August 2007

by: Bernhard Mueller / SEC Consult

 

====================================================================================

 

Vendor description:

---------------

 

Perdition is a fully featured POP3 and IMAP4 proxy server. It is able to handle both SSL and non-SSL connections and redirect users to a real-server based on a database lookup.

 

 

Vulnerability overview:

---------------

 

Perdition IMAPD is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.

 

 

Vulnerability details:

---------------

 

1.) In certain situations, the IMAP-Tag (first part of IMAP-command) is copied into a character buffer without validation. This buffer is then ultimately passed to vsnprintf() as a format string.

 

2.) Before the call to vsnprintf, a validation of the format string is performed as a protection against format string injection.

 

From str.c:


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
168: static const char *__str_vwrite(io_t * io, const flag_t flag, 
169: 		const size_t nargs, const char *fmt, va_list ap,
170: 		int *bytes)
171: {
(...)
186: 	fmt_args = 0;
187: 	for (place = 0; fmt[place] != '\0'; place++) {
188: 		if (fmt[place] == '%')
189: 			fmt[place + 1] == '%' ? place++ : fmt_args++;
190: 	}
191: 	if (fmt_args != nargs) {
(...)
195: 		VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
196: 				"%d args requested, %d args in format",
197: 		     		nargs, fmt_args);
198: 		return (NULL);
199: 	}
200: 
201: 	*bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt, ap);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

 

 

In line 187-191, the actual number of format identifiers is compared to supposed number given in the parameter nargs. This check can however be bypassed by injecting a null-byte in the end of the IMAP-tag. The null-byte cuts of the rest of the string (with the original format identifiers intended by the programmer). Therefore it is possible to inject 'nargs' arbitrary format identifiers within the IMAP tag.

In practice, only a single format identifier can be controlled by the attacker. This is not very nice to exploit, however arbitrary code execution is still possible. For example, multiple successive single-byte-writes on a global function pointer can be used to gain control of the instruction pointer.

Due to the nature of the vulnerability, a good exploit can bypass most OS security features (non-exec-stack, ASLR, etc.) as well as compiler features (stack canaries,...).

 

 

Proof-of-Concept

----------------

 

SEC Consult has created a working proof-of-concept (code-execution-)exploit, which will not be released to the public at this time.

The following can be used to test for the vulnerability:

 

perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143

 

 

Vulnerable versions:

---------------

 

Perdition IMAPD <= 1.17

 

The vulnerability has been fixed in Perdition v1.17.1. The new tarball and Debian packages can be found at:

 

www.vergenet.net/linux/perdition/download/1.17.1/

www.vergenet.net/linux/perdition/download/latest/

 

 

vendor status:

---------------

vendor notified: 2007-10-12

vendor response: 2007-10-12

patch available: 2007-10-31

 

 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Bernhard Müller / www.sec-consult.com /