C doubts on a post at bugtraq


RSoIsCaIrLiIoA

While reading bugtraq I saw this post:
Mailing-List: contact (e-mail address removed); run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:[email protected]>
List-Help: <mailto:[email protected]>
List-Unsubscribe: <mailto:[email protected]>
List-Subscribe: <mailto:[email protected]>
Date: 27 Apr 2006 08:24:25 -0000
Message-ID: <[email protected]>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: (e-mail address removed)
Subject: BL4's SMTP server BufferOverflow Vulnerable
Organization: Newsgate at muc.de e.V.
Newsgroups: muc.lists.bugtraq
Path: reader4.news.tin.it!spool.news.tin.it!feeder.news.tin.it!82.182.32.53.MISMATCH!usenet.ath.cx!news.ispa.de!newsfeed.freenet.de!ecngs!feeder2.ecngs.de!news.osn.de!diablo2.news.osn.de!news.belwue.de!news-peer.in.tum.de!news.muc.de!newsgate.muc.de!not-for-mail
Approved: (e-mail address removed)
X-Newsgate-CVS-Id: $Id: newsgate.pl,v 1.9 2003/07/21 20:04:07 ag Exp ag $
Distribution: world
Lines: 138
Xref: reader4.news.tin.it muc.lists.bugtraq:12117

---------------------------------------------------------------------------
[ECHO_ADV_30$2006] BL4's SMTP server BufferOverflow Vulnerable
---------------------------------------------------------------------------

Author : Dedi Dwianto
Date : April, 27th 2006
Location : Indonesia, Jakarta
Web : http://advisories.echo.or.id/adv/adv30-theday-2006.txt
Critical Lvl : High
---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Application : BL4's SMTP server
version : < 0.1.5
URL : http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0
Description :

BL4's SMTP server is an inbound only SMTP server.
It currently uses hardcoded values for handling email.
The SMTP server puts the incoming email into various text files.

---------------------------------------------------------------------------

Vulnerability:
~~~~~~~~~~~~~~~~
BL4's SMTP server is prone to a flaw that can allow a remote attacker to
cause a denial of service or execute arbitrary code.
The vulnerability is due to a buffer overflow in the SMTP service.
A remote attacker can repeatedly send more than 2100 bytes as the
argument to the HELO, MAIL FROM, and RCPT TO commands
to crash the server.

------------------think.c-----------------------------------
...........
{
slaveEmail[x]->isData = 0;
slaveEmail[x]->emailFrom = 0;
slaveEmail[x]->emailTo = 0;
free(buffer);
buffer = malloc(sizeof(char) * 12);
sprintf(buffer, "250 OK\r\n");
return buffer;
}
free(buffer);
.............
slaveEmail[x]->EHLO = buffer;
slaveEmail[x]->EHLOtrue = 1;

buffer = malloc(sizeof(char) * 12);
sprintf(buffer, "250 OK\r\n");
return buffer;
-----------------------------------------------------------
--
sprintf(buffer, "250 OK\r\n");
--
Vulnerable for format strings.

If buffer != 0, where or what is the "vulnerable for format
strings" here?
If buffer == 0 this should segfault or write nothing.
--
free(buffer);
buffer = malloc(sizeof(char) * 12);
--
Vulnerable for buffer overflow.

Same here.
An attacker can create Arbitrary Code here.

I don't understand how one can execute "Arbitrary Code".
 

jacob navia

RSoIsCaIrLiIoA wrote:
--
sprintf(buffer, "250 OK\r\n");
--
Vulnerable for format strings.

If buffer != 0, where or what is the "vulnerable for format
strings" here?
If buffer == 0 this should segfault or write nothing.

--
free(buffer);
buffer = malloc(sizeof(char) * 12);
--
Vulnerable for buffer overflow.

Same here.

An attacker can create Arbitrary Code here.

I don't understand how one can execute "Arbitrary Code".

Are you sure that that is the code that is in question?

I do not see any buffer overflow either
 

void * clvrmnky()

RSoIsCaIrLiIoA said:
--
sprintf(buffer, "250 OK\r\n");
--
Vulnerable for format strings.

If buffer != 0, where or what is the "vulnerable for format
strings" here?
If buffer == 0 this should segfault or write nothing.
Not necessarily. If the attacker can form just the right size string
containing the right chars, it is possible to write bytes beyond the
buffer into some other memory. It depends on the platform and runtime
environment how exactly such a program will behave.
same here


I don't understand how one can execute "Arbitrary Code".

Without looking too close, it appears this is a reference to typical stack
smashing attacks. Overwrite a buffer with the right variety and number
of bytes and you can execute that data as "arbitrary code".

Now, I'm no expert on black-hat hacking, but my understanding is that it
is typical when reviewing code for security holes that one looks long
and hard at naive uses of sprintf(), strcpy() and friends.
 

jacob navia

void * clvrmnky() wrote:
RSoIsCaIrLiIoA said:
If buffer != 0, where or what is the "vulnerable for format
strings" here?
If buffer == 0 this should segfault or write nothing.

Not necessarily. If the attacker can form just the right size string
containing the right chars, it is possible to write bytes beyond the
buffer into some other memory. It depends on the platform and runtime
environment how exactly such a program will behave.
same here



I don't understand how one can execute "Arbitrary Code".


Without looking too close, it appears this is a reference to typical stack
smashing attacks. Overwrite a buffer with the right variety and number
of bytes and you can execute that data as "arbitrary code".

Now, I'm no expert on black-hat hacking, but my understanding is that it
is typical when reviewing code for security holes that one looks long
and hard at naive uses of sprintf(), strcpy() and friends.
BUT

That can never overflow!

There are no % directives in that sprintf call, so it is the same as a
strcpy(buffer, "250 OK\r\n"); The character string has 8 positions, 9
with the terminating zero. That fits easily into 12 bytes.

Now, if the malloc fails, that should provoke UB, maybe a trap. But
writing to address zero is well-known stuff, unlikely to be of any
use to a hacker.
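The two points argued in this post and in the earlier reply about naive uses of sprintf() and strcpy(), made checkable in C. This is an added example, not code from BL4's SMTP server or from any poster in the thread: the quoted sprintf has a constant format with no % directives and stores 9 bytes into a 12-byte buffer, so it is neither a format-string bug nor an overflow; the place where client input does matter is the HELO/MAIL FROM/RCPT TO argument, so that copy is the one that has to be bounded. The names build_ok_reply, copy_helo_arg, helo_arg_of_length_accepted and HELO_ARG_MAX are assumptions, as is the 512-octet limit, which is taken from the SMTP command-line limit in RFC 5321 rather than from the advisory.

```c
/* Added example, not code from BL4's SMTP server or from any poster in this
 * thread. Names such as build_ok_reply, copy_helo_arg and HELO_ARG_MAX are
 * assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REPLY_BUF_SIZE 12                    /* what the quoted snippet mallocs */
static const char OK_REPLY[] = "250 OK\r\n"; /* 8 chars, 9 with the NUL */

/* Number of conversion directives in a printf-style format: a '%' that is
 * not the "%%" escape. A constant format with zero directives behaves exactly
 * like strcpy() of that literal, whatever the client sent. */
int format_directive_count(const char *fmt) {
    int count = 0;
    for (; *fmt; fmt++) {
        if (*fmt == '%') {
            if (fmt[1] == '%') fmt++;        /* "%%" prints a literal percent */
            else count++;
        }
    }
    return count;
}

/* Bytes sprintf(buffer, "250 OK\r\n") stores, terminator included. */
size_t ok_reply_bytes_written(void) {
    return strlen(OK_REPLY) + 1;             /* 9 */
}

/* True when the fixed reply fits the buffer the snippet allocates. */
int ok_reply_fits(size_t buf_size) {
    return ok_reply_bytes_written() <= buf_size;
}

/* Hardened form of the snippet's reply construction: the malloc result is
 * checked (the snippet writes through it unconditionally, the "buffer == 0"
 * case raised in the first post) and the write is bounded. Returns a heap
 * buffer the caller frees, or NULL on allocation failure. */
char *build_ok_reply(void) {
    char *buffer = malloc(REPLY_BUF_SIZE);
    if (buffer == NULL)
        return NULL;
    int n = snprintf(buffer, REPLY_BUF_SIZE, "%s", OK_REPLY);
    if (n < 0 || (size_t)n >= REPLY_BUF_SIZE) { /* truncated: treat as error */
        free(buffer);
        return NULL;
    }
    return buffer;
}

/* Assumed limit for a command argument: RFC 5321 caps a whole SMTP command
 * line at 512 octets, so no valid HELO argument approaches the 2100 bytes the
 * advisory reports as crashing the server. Over-long input is rejected (the
 * caller answers with a 5xx reply), never copied into a fixed buffer. */
#define HELO_ARG_MAX 512

/* Heap copy of a HELO argument (caller frees), or NULL when it is empty,
 * too long, or memory is exhausted. */
char *copy_helo_arg(const char *arg) {
    size_t len = strlen(arg);
    if (len == 0 || len > HELO_ARG_MAX)
        return NULL;
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, arg, len + 1);
    return copy;
}

/* Constructs a HELO argument of `len` 'A' bytes and reports whether it is
 * accepted, so the over-long case can be exercised without a network. */
int helo_arg_of_length_accepted(size_t len) {
    char *arg = malloc(len + 1);
    if (arg == NULL)
        return 0;
    memset(arg, 'A', len);
    arg[len] = '\0';
    char *copy = copy_helo_arg(arg);
    int accepted = copy != NULL;
    free(copy);
    free(arg);
    return accepted;
}

int main(void) {
    printf("directives in \"250 OK\\r\\n\": %d\n", format_directive_count(OK_REPLY));
    printf("sprintf writes %zu bytes into %d: %s\n", ok_reply_bytes_written(),
           REPLY_BUF_SIZE, ok_reply_fits(REPLY_BUF_SIZE) ? "fits" : "overflow");
    char *reply = build_ok_reply();
    if (reply != NULL) {
        fputs(reply, stdout);
        free(reply);
    }
    printf("16-byte HELO argument accepted: %d\n", helo_arg_of_length_accepted(16));
    printf("2101-byte HELO argument accepted: %d\n", helo_arg_of_length_accepted(2101));
    return 0;
}
```

The snippet's own problems are the unchecked malloc and the fact that the EHLO argument is stored as a raw pointer (slaveEmail[x]->EHLO = buffer) without the length check ever appearing in the quoted lines; the reply-building sprintf is not one of them.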
 

void * clvrmnky()

void * clvrmnky() said:
Without looking too close, it appears this is a reference to typical stack
smashing attacks. Overwrite a buffer with the right variety and number
of bytes and you can execute that data as "arbitrary code".

Now, I'm no expert on black-hat hacking, but my understanding is that it
is typical when reviewing code for security holes that one looks long
and hard at naive uses of sprintf(), strcpy() and friends.

.... and of course, upon closer inspection of this code snippet I see no
obvious ways of leveraging these particular naive uses of sprintf() to
do so.

Nothing to see here. Move along.
 
