Hypermail buffer overflows
PROGRAM: Hypermail
HOMEPAGE: http://www.hypermail.org/
SOURCEFORGE PAGE: http://sourceforge.net/projects/hypermail/
VULNERABLE VERSIONS: 2.1.3, 2.1.4, 2.1.5, possibly others
IMMUNE VERSIONS: 2.1.6
DESCRIPTION:
"Hypermail 2 is a much enhanced version of the popular tool that
converts mails into nicely formatted HTML pages. Version 2 has a
lot of new features including MIME support. Perfect for archiving
mailing lists and similar."
(direct quote from the program's project page at Freshmeat)
SUMMARY: I have found one exploitable buffer overflow in Hypermail's main program, hypermail, and one in Hypermail's CGI program mail. The overflow in hypermail can be exploited by sending e-mails to the program, but it only works if hypermail is configured to use a certain option. The overflow in mail can be exploited by setting up a DNS server with evil data and then surfing to the CGI program in question.
TECHNICAL DETAILS:
The main program, hypermail, doesn't like the combination of long attachment filenames (252 characters) and the option progress set to 2. This option gives verbose information about what directories and files are created, which is useful for new Hypermail administrators or people experiencing problems. I've attached a copy of a mailbox that causes this buffer overflow.
How does it work? First the attachname variable in the parsemail function in parse.c is overrun. Then when the function print_progress is called, its bufstr variable is also overrun. As you can see on this session capture, the processor jumps to an address of the attacker's choice, so this is exploitable.
$ cat /etc/redhat-release
Red Hat Linux release 7.3 (Valhalla)
$ uname -a
Linux h130n1flsxxoxxx.telia.com 2.4.18-19.7.x #1 Thu Dec 12 09:00:42
EST 2002 i686 unknown
$ pwd
/home/vsu/secwork/hypermail-2.1.5/src
$ ./hypermail -o progress=2 -m /var/spool/mail/vsu
Creating directory "vsu", mode 755.
Loading mailbox "/var/spool/mail/vsu"...
Creating directory "vsu//att-0000", mode 755.
0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUU
0 Created attachment file vsu//att-0000/01-UUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUUU UUUUUUUUUUUUUUUUUUUUUU
Program received signal SIGSEGV, Segmentation fault.
0x55555555 in ?? ()
(gdb) whe
#0 0x55555555 in ?? ()
Cannot access memory at address 0x55555555
(gdb) i r
eax 0x0 0
ecx 0x0 0
edx 0x0 0
ebx 0x55555555 1431655765
esp 0xbfffe870 0xbfffe870
ebp 0x55555555 0x55555555
esi 0x55555555 1431655765
edi 0x55555555 1431655765
eip 0x55555555 0x55555555
eflags 0x10246 66118
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
fctrl 0x37f 895
fstat 0x0 0
ftag 0xffff 65535
fiseg 0x0 0
fioff 0x0 0
foseg 0x0 0
fooff 0x0 0
fop 0x0 0
xmm0 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm1 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm2 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm3 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm4 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm5 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm6 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
xmm7 {f = {0x0, 0x0, 0x0, 0x0}}
{f = {-nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff), -nan(0x7fffff)}}
mxcsr 0x1f80 8064
orig_eax 0xffffffff -1
There are also other buffer overruns in the parsemail function, including in the boundbuffer and the filename variables, but they don't seem to be exploitable.
b) mail
The CGI program mail does a reverse look-up of the user's IP number and uses strcpy to copy the resulting host name to a fixed-size buffer of 80 chars. If you set up a DNS server, where your IP number reverses to a host name of 122 chars, this is also exploitable.
As this CGI program allows for any mail to be sent from anyone to anyone, it can also be abused by spammers.
WORKAROUND: Set the option progress to something else than 2. Configure Hypermail not to use the CGI program mail, and then remove the mail program from your cgi-bin directory.
SOLUTION: Upgrade to version 2.1.6, which fixes all the problems mentioned above.
COMMUNICATION WITH VENDOR: The vendor was contacted on the 23rd of January. Version 2.1.6 was released on the 24th of January.
// Ulf Harnhammar, VSU Security, ulfh_at_update.uu.se
lynx -source http://slashdot.org/ | head -n1 | tr YDC oHl | \ sed -e 'y%PETO% wle%' -e 's% .*$%%' -e 's%L%d.%' -e 's%M%%' \ -e 's% H%or%' -e 's%^..%%'
This archive was generated by hypermail 2.2.0 : Thu 22 Feb 2007 07:33:54 PM GMT GMT