[hypermail] Hypermail buffer overflows

From: Ulf Harnhammar <ulfh_at_update.uu.se_at_hypermail-project.org>
Date: Mon, 27 Jan 2003 03:02:39 +0100
Message-ID: <20030127020239.GA5137_at_Update.UU.SE>


Hypermail buffer overflows

PROGRAM: Hypermail
HOMEPAGE: http://www.hypermail.org/
SOURCEFORGE PAGE: http://sourceforge.net/projects/hypermail/ VULNERABLE VERSIONS: 2.1.3, 2.1.4, 2.1.5, possibly others IMMUNE VERSIONS: 2.1.6 DESCRIPTION: "Hypermail 2 is a much enhanced version of the popular tool that converts mails into nicely formatted HTML pages. Version 2 has a lot of new features including MIME support. Perfect for archiving mailing lists and similar."

(direct quote from the program's project page at Freshmeat)

SUMMARY: I have found one exploitable buffer overflow in Hypermail's main program, hypermail, and one in Hypermail's CGI program mail. The overflow in hypermail can be exploited by sending e-mails to the program, but it only works if hypermail is configured to use a certain option. The overflow in mail can be exploited by setting up a DNS server with evil data and then surfing to the CGI program in question.

TECHNICAL DETAILS:

  1. hypermail

The main program, hypermail, doesn't like the combination of long attachment filenames (252 characters) and the option progress set to 2. This option gives verbose information about what directories and files are created, which is useful for new Hypermail administrators or people experiencing problems. I've attached a copy of a mailbox that causes this buffer overflow.

How does it work? First the attachname variable in the parsemail function in parse.c is overrun. Then when the function print_progress is called, its bufstr variable is also overrun. As you can see on this session capture, the processor jumps to an address of the attacker's choice, so this is exploitable.

$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)
$ uname -a
Linux h130n1flsxxoxxx.telia.com 2.4.18-19.7.x #1 Thu Dec 12 09:00:42 EST 2002 i686 unknown
$ pwd
/home/vsu/secwork/hypermail-2.1.5/src
$ ./hypermail -o progress=2 -m /var/spool/mail/vsu  Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...  Creating directory "vsu//att-0000", mode 755.

   0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU

Segmentation fault
$ rm -rf vsu
$ gdb hypermail
GNU gdb Red Hat Linux (5.2-2)
Copyright 2002 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"... (gdb) r -o progress=2 -m /var/spool/mail/vsu Starting program: /home/vsu/secwork/hypermail-2.1.5/src/hypermail -o progress=2 -m /var/spool/mail/vsu
 Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...  Creating directory "vsu//att-0000", mode 755.
   0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU
UUUUUUUUUUUUUUUUUUUUUU

Program received signal SIGSEGV, Segmentation fault. 0x55555555 in ?? ()
(gdb) whe
#0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555 (gdb) i r

eax            0x0      0
ecx            0x0      0
edx            0x0      0
ebx            0x55555555       1431655765
esp            0xbfffe870       0xbfffe870
ebp            0x55555555       0x55555555
esi            0x55555555       1431655765
edi            0x55555555       1431655765
eip            0x55555555       0x55555555
eflags         0x10246  66118
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
fctrl          0x37f    895
fstat          0x0      0
ftag           0xffff   65535
fiseg          0x0      0
fioff          0x0      0
foseg          0x0      0
fooff          0x0      0
fop            0x0      0
xmm0           {f = {0x0, 0x0, 0x0, 0x0}}

{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm1 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm2 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm3 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm4 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm5 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm6 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm7 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
mxcsr 0x1f80 8064 orig_eax 0xffffffff -1

(gdb) q
The program is running. Exit anyway? (y or n) y $

There are also other buffer overruns in the parsemail function, including in the boundbuffer and the filename variables, but they don't seem to be exploitable.

b) mail

The CGI program mail does a reverse look-up of the user's IP number and uses strcpy to copy the resulting host name to a fixed-size buffer of 80 chars. If you set up a DNS server, where your IP number reverses to a host name of 122 chars, this is also exploitable.

As this CGI program allows for any mail to be sent from anyone to anyone, it can also be abused by spammers.

WORKAROUND: Set the option progress to something else than 2. Configure Hypermail not to use the CGI program mail, and then remove the mail program from your cgi-bin directory.

SOLUTION: Upgrade to version 2.1.6, which fixes all the problems mentioned above.

COMMUNICATION WITH VENDOR: The vendor was contacted on the 23rd of January. Version 2.1.6 was released on the 24th of January.

// Ulf Harnhammar, VSU Security, ulfh_at_update.uu.se

   lynx -source http://slashdot.org/ | head -n1 | tr YDC oHl | \    sed -e 'y%PETO% wle%' -e 's% .*$%%' -e 's%L%d.%' -e 's%M%%' \    -e 's% H%or%' -e 's%^..%%'

Received on Mon 27 Jan 2003 04:44:53 PM GMT

This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:54 PM GMT GMT