From labs-no-reply@idefense.com Thu Oct 13 13:19:52 2005
From: iDEFENSE Labs
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk
Date: Thu, 13 Oct 2005 13:16:12 -0400
Subject: [Full-disclosure] iDEFENSE Security Advisory 10.13.05: Multiple Vendor XMail 'sendmail' Recipient Buffer Overflow Vulnerability

Multiple Vendor XMail 'sendmail' Recipient Buffer Overflow Vulnerability

iDEFENSE Security Advisory 10.13.05
www.idefense.com/application/poi/display?id=321&type=vulnerabilities
October 13, 2005

I. BACKGROUND

XMail is an Internet and intranet mail server. XMail sources compile under
GNU/Linux, FreeBSD, OpenBSD, NetBSD, OSX, Solaris and NT/2K/XP. More
information can be found at the vendor website:

http://www.xmailserver.org/

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in XMail, as
distributed with multiple vendors' operating systems, allows local
attackers to execute arbitrary code with elevated privileges.

The vulnerability exists because of insufficient bounds checking on
user-supplied data. Specifically, the AddressFromAtPtr function fails to
check bounds on arguments passed from other functions, and as a result an
exploitable stack overflow condition occurs when specifying the "-t"
command line option.

The "-t" command line option allows users to specify the recipient value
in the text of the message on a line beginning with "To:". XMail passes
the user-supplied value without bounds checking to AddressFromAtPtr and
attempts to store the hostname portion of the e-mail address in a
256-byte buffer. Crafted e-mail addresses can overflow the buffer and
overwrite stack process control data, resulting in local code execution
with elevated privileges.

III. ANALYSIS

Successful exploitation will result in code execution with elevated
privileges. XMail is distributed in RPM, DEB and source format. The RPM
distribution installs the sendmail binary with setuid root privileges.
Exploitation of XMail installed from RPM will yield root. Other
distribution formats install the sendmail binary as setgid mail.
Exploitation resulting in group mail privileges will allow an attacker to
read all unencrypted mail stored locally in the system mail folders.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in XMail
1.21.

V. WORKAROUND

As a workaround solution, local mail delivery can be restricted and a
standard mail user-agent may be used to talk to the XMail SMTP server.

VI. VENDOR RESPONSE

The vendor has released XMail 1.22 to address this issue, which is
available for download at:

http://www.xmailserver.org/

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2943 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

10/12/2005  Initial vendor notification
10/12/2005  Initial vendor response
10/13/2005  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any part
of this alert in any other medium other than electronically, please email
customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at
the time of publishing based on currently available information. Use of
the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on, this
information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
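The defect class the advisory describes, an unbounded copy of the host part of an e-mail address into a fixed 256-byte stack buffer, is easy to see in miniature. The following C is an added illustration written for this page; it is not XMail's AddressFromAtPtr and does not reproduce its code. The function names host_from_at_unsafe and host_from_at_safe, the HOST_BUF_LEN constant and the constructed test address are all assumptions made here. The unsafe variant shows the pattern that allows an over-long recipient to overrun the buffer; the bounded variant measures the host part against the destination size before copying and rejects input that would not fit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fixed-size host buffer, matching the 256-byte buffer the advisory describes. */
#define HOST_BUF_LEN 256

/*
 * Hypothetical reconstruction of the unsafe pattern (not XMail's code):
 * everything after '@' is copied into a fixed stack buffer with no length
 * check, so a recipient whose host part is longer than 255 bytes overruns
 * the buffer. Kept only for comparison; nothing in this file calls it.
 */
int host_from_at_unsafe(const char *addr, char *out)
{
    const char *at = strchr(addr, '@');
    if (at == NULL)
        return -1;
    strcpy(out, at + 1);            /* unbounded copy: the defect */
    return 0;
}

/*
 * Hardened version: the caller passes the destination size, the host part is
 * measured before anything is copied, and an address that would not fit
 * (or has an empty host part) is rejected rather than silently truncated.
 */
int host_from_at_safe(const char *addr, char *out, size_t out_len)
{
    const char *at;
    size_t host_len;

    if (addr == NULL || out == NULL || out_len == 0)
        return -1;
    at = strchr(addr, '@');
    if (at == NULL)
        return -1;
    host_len = strlen(at + 1);
    if (host_len == 0 || host_len >= out_len)   /* >= keeps room for the NUL */
        return -1;
    memcpy(out, at + 1, host_len + 1);          /* copies the terminator too */
    return 0;
}

/* Check helper: 1 if bounded extraction succeeds and yields `expected`, else 0. */
int host_matches(const char *addr, const char *expected)
{
    char host[HOST_BUF_LEN];
    if (host_from_at_safe(addr, host, sizeof host) != 0)
        return 0;
    return strcmp(host, expected) == 0;
}

/* Constructed oversized recipient: "user@" followed by 300 'a' characters.
 * Returns 1 when the bounded version refuses it, which is the desired outcome. */
int oversized_is_rejected(void)
{
    char addr[5 + 300 + 1];
    char host[HOST_BUF_LEN];

    memcpy(addr, "user@", 5);
    memset(addr + 5, 'a', 300);
    addr[5 + 300] = '\0';
    return host_from_at_safe(addr, host, sizeof host) != 0;
}

int main(void)
{
    printf("normal address extracted: %d\n",
           host_matches("alice@example.org", "example.org"));
    printf("oversized host rejected:  %d\n", oversized_is_rejected());
    return 0;
}
```

The point of the bounded version is that the length check happens against the size the caller actually supplies, so the function cannot be made unsafe by a different buffer size at another call site, and that rejection is an explicit error rather than a truncated hostname that a later stage might deliver to the wrong domain.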