From downbload@hotmail.com Wed Sep 25 18:25:06 2002
From: DownBload
To: bugtraq@securityfocus.com
Date: 25 Sep 2002 09:04:32 -0000
Subject: IIL Advisory: Format String bug in Null Webmail (0.6.3)

[ Illegal Instruction Labs Advisory ]
[-------------------------------------------------------------------------]

Advisory name:    Format String bug in Null Webmail (0.6.3)
Advisory number: 7
Application:      Null Webmail 0.6.3
Author:           Dan Cahill
E-mail:           cahill@nulllogic.com
Homepage:         http://www.nulllogic.com/webmail/
Date:             1.07.2002
Impact:           I don't know (yet)
Tested on:        nowhere
Discovered by:    DownBload
Mail me @:        downbload@hotmail.com

======[ Overview

Null Webmail is a CGI interface to SMTP & POP3 servers (you can read and
send mail with your browser). It is written in C. You can find Null Webmail
on sourceforge.

======[ Problem

Null Webmail has a format string bug in logdata() and wmprintf(), but
logdata() is inside /* */, so logdata() isn't interesting to us.
Here comes the buggy code:

---[ wmserver.c

...
/*
void logdata(const char *format, ...)     /* <--- NOT INTERESTING */
{
	char logbuffer[1024];
	char file[200];
	va_list ap;
	FILE *fp;

#ifdef WIN32
	snprintf(file, sizeof(file)-1, "C:\\webmail.log");
#else
	snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
#endif
	fp=fopen(file, "a");
	if (fp!=NULL) {
		va_start(ap, format);
		vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
		va_end(ap);
		fprintf(fp, "%s", logbuffer);
		fclose(fp);
	}
}
*/

int wmprintf(const char *format, ...)     /* <--- INTERESTING FUNCTION */
{
	char buffer[1024];
	va_list ap;

	va_start(ap, format);
	vsnprintf(buffer, sizeof(buffer)-1, format, ap);   // <- INTERESTING
	va_end(ap);
	send(wmsocket, buffer, strlen(buffer), 0);
//	logdata (">> %s", buffer);
	return 0;
}
...

---[ call wmprintf()

...
wmprintf("USER %s\r\n", wmusername);
...
wmprintf("PASS %s\r\n", wmpassword);
...
wmprintf("MAIL From: %s\r\n", ptemp);
...
wmprintf("RCPT To: <%s>\r\n", msgaddr);
...
wmprintf("From: %s\r\n", wmaddress);
wmprintf("To: %s\r\n", msgto);
...
wmprintf("Subject: %s\r\n", msgsubject);
...
etc.

Here we have a few wmprintf() calls, and I think that we can put our
'NASTY %sTRING' in all those variables :).

======[ Example

Can't test this bug!!!
If I'm wrong about this format string bug in Null Webmail, I'm very sorry.

======[ Greetz

Greetz goes to #hr.hackers & #linux .
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero &
Paradox).


From achurch@achurch.org Wed Sep 25 18:26:15 2002
From: Andrew Church
To: downbload@hotmail.com
Date: Thu, 26 Sep 2002 01:28:16 JST
Subject: Not a bug: IIL Advisory: Format String bug in Null Webmail (0.6.3)

As I was severely bitten by this issue lately, this caught my interest, but
the "bug" reported in this so-called advisory is in fact not a bug at all.
Observe:

>int wmprintf(const char *format, ...)     /* <--- INTERESTING FUNCTION */
>{
>	char buffer[1024];
>	va_list ap;
>
>	va_start(ap, format);
>	vsnprintf(buffer, sizeof(buffer)-1, format, ap);   // <- INTERESTING

This does pass a (potentially) non-constant string as the format string to
vsnprintf(), but (at least from the examples provided) wmprintf() is always
called with a constant format string, so this isn't a problem.

>	va_end(ap);
>	send(wmsocket, buffer, strlen(buffer), 0);

If this were a *printf() call, then we'd have problems, but all it's doing
is writing the buffer to the socket--no formatting interpretation involved.

As an example, let's expand one of the calls, assuming the %s parameter is
"NASTY %sTRING":

>wmprintf("USER %s\r\n", wmusername);
    --> wmprintf("USER %s\r\n", "NASTY %sTRING");

>int wmprintf(const char *format, ...)
>{
    --> format == "USER %s\r\n"
>	char buffer[1024];
    --> buffer == undefined
>	va_list ap;
    --> ap == undefined
>
>	va_start(ap, format);
    --> ap == &"NASTY %sTRING"
>	vsnprintf(buffer, sizeof(buffer)-1, format, ap);   // <- INTERESTING
    --> buffer == "USER NASTY %sTRING\r\n"
>	va_end(ap);
    --> ap == undefined
>	send(wmsocket, buffer, strlen(buffer), 0);
    --> send(wmsocket, "USER NASTY %sTRING\r\n", 20, 0);
>//	logdata (">> %s", buffer);
    --> logdata(">> %s", "USER NASTY %sTRING");
>	return 0;
>}

The author is even careful enough to use logdata("%s",buffer) instead of
logdata(buffer), which is the careless mistake I made and had pointed out
to me. Nothing to see here, move along.

>======[ Example
>
>Can't test this bug!!!
>If I'm wrong about this format string bug in Null Webmail, I'm very sorry.

  --Andrew Church
    achurch@achurch.org
    http://achurch.org/
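The trace in the reply above, carried out as runnable C. This is an added example, not code from either mail or from Null Webmail: wm_format() mirrors wmprintf() but writes to a buffer instead of wmsocket, and careless_log() is the logdata(buffer) pattern the reply contrasts it with; the input strings are constructed.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for wmprintf(): the caller supplies a constant format and user
   data only ever arrives through a %s argument. Writes to a buffer instead
   of wmsocket so the bytes that would reach send() can be inspected. */
const char *wm_format(const char *format, ...)
{
    static char wire[1024];
    va_list ap;
    va_start(ap, format);
    vsnprintf(wire, sizeof(wire) - 1, format, ap);
    va_end(ap);
    return wire;
}

/* The careless logdata(buffer) pattern: the data itself is the format, so
   every %-sequence in it is interpreted. The demo feeds it only "%%", which
   consumes no argument, so nothing reads past the empty argument list. */
const char *careless_log(const char *data, ...)
{
    static char line[1024];
    va_list ap;
    va_start(ap, data);
    vsnprintf(line, sizeof(line) - 1, data, ap);
    va_end(ap);
    return line;
}

/* Count conversion specifiers ('%' not followed by '%') still present in a
   string; on wm_format() output a non-zero count shows %s was copied as data. */
int count_specifiers(const char *s)
{
    int n = 0;
    for (; *s; s++)
        if (*s == '%') { if (s[1] == '%') s++; else n++; }
    return n;
}

int main(void)
{
    const char *user = "NASTY %sTRING";          /* constructed input */
    const char *sent = wm_format("USER %s\r\n", user);
    printf("send() gets %zu bytes with %d specifier intact: %s",
           strlen(sent), count_specifiers(sent), sent);
    printf("careless path: %s\n", careless_log("100%% done"));
    return 0;
}
```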