Not a bug: IIL Advisory: Format String bug in Null Webmail (0.6.3)

2002-09-25 Thread Andrew Church
 As I was severely bitten by this issue lately, this caught my
interest, but the "bug" reported in this so-called advisory is in fact not
a bug at all.  Observe:

>int wmprintf(const char *format, ...)/* <--- INTERESTING FUNCTION */
>{
>   char buffer[1024];
>   va_list ap;
>
>   va_start(ap, format);
>   vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING 

 This does pass a (potentially) non-constant string as the format
string to vsnprintf(), but (at least from the examples provided) wmprintf()
is always called with a constant format string, so this isn't a problem.

>   va_end(ap); 
>   send(wmsocket, buffer, strlen(buffer), 0);

 If this were a *printf() call, then we'd have problems, but all it's
doing is writing the buffer to the socket--no formatting interpretation
involved.

 As an example, let's expand one of the calls, assuming the %s
parameter is "NASTY %sTRING":

>wmprintf("USER %s\r\n", wmusername);
--> wmprintf("USER %s\r\n", "NASTY %sTRING");

>int wmprintf(const char *format, ...)
>{
--> format == "USER %s\r\n"
>   char buffer[1024];
--> buffer == undefined
>   va_list ap;
--> ap == undefined
>
>   va_start(ap, format);
--> ap == &"NASTY %sTRING"
>   vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING 
--> buffer == "USER NASTY %sTRING\r\n"
>   va_end(ap); 
--> ap == undefined
>   send(wmsocket, buffer, strlen(buffer), 0);
--> send(wmsocket, "USER NASTY %sTRING\r\n", 20, 0);
>// logdata (">> %s", buffer);
--> logdata(">> %s", "USER NASTY %sTRING");
>   return 0;
>}

 The author is even careful enough to use logdata("%s",buffer) instead
of logdata(buffer), which is the careless mistake I made and had pointed
out to me.

 Nothing to see here, move along.

>==[ Example
>
>Can't test this bug!!!
>If I'm wrong about this format string bug in Null Webmail, I'm very sorry.

  --Andrew Church
[EMAIL PROTECTED]
http://achurch.org/
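The expansion above, worked as a small compilable illustration (added here; not code from either post or from Null Webmail). wm_format() is a hypothetical stand-in for wmprintf() that copies the line to an output buffer instead of send()ing it, so the effect of passing "NASTY %sTRING" as an argument rather than as the format can be inspected:

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for wmprintf(): same shape (fixed 1024-byte
 * buffer, vsnprintf over the variadic arguments), but the formatted
 * line is copied to `out` instead of being send()ed.  The GCC/Clang
 * format attribute makes -Wformat-security warn on any call whose
 * `format` is not a string literal, i.e. the logdata(buffer) misuse
 * the thread mentions would be flagged at compile time. */
__attribute__((format(printf, 3, 4)))
static int wm_format(char *out, size_t outsz, const char *format, ...)
{
    char buffer[1024];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buffer, sizeof(buffer) - 1, format, ap);
    va_end(ap);

    /* Mirrors send(wmsocket, buffer, strlen(buffer), 0): the bytes are
     * copied verbatim, with no second round of format interpretation. */
    snprintf(out, outsz, "%s", buffer);
    return (int)strlen(out);
}

/* The pattern from the advisory: user-controlled data is an ARGUMENT,
 * the format is a literal.  Any '%' inside the data is just data. */
static int user_line(char *out, size_t outsz, const char *username)
{
    return wm_format(out, outsz, "USER %s\r\n", username);
}

/* Returns 1 if `s` still contains a literal "%s", i.e. the conversion
 * inside the supplied value was NOT consumed as a directive. */
static int keeps_literal_percent_s(const char *s)
{
    return strstr(s, "%s") != NULL;
}

int main(void)
{
    char line[64];
    int n = user_line(line, sizeof line, "NASTY %sTRING");
    printf("%d bytes: %s", n, line);   /* 20 bytes: USER NASTY %sTRING */
    /* By contrast, wm_format(line, sizeof line, username) would draw a
     * compiler warning under -Wformat-security because of the attribute. */
    return keeps_literal_percent_s(line) ? 0 : 1;
}
```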


IIL Advisory: Format String bug in Null Webmail (0.6.3)

2002-09-25 Thread DownBload




 [ Illegal Instruction Labs Advisory ]
[-]
Advisory name: Format String bug in Null Webmail (0.6.3)
Advisory number: 7
Application: Null Webmail 0.6.3
Author: Dan Cahill
E-mail: [EMAIL PROTECTED]
Homepage: http://www.nulllogic.com/webmail/
Date: 1.07.2002
Impact: I don't know (yet)
Tested on: nowhere
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]




==[ Overview

Null Webmail is a CGI interface to SMTP & POP3 servers (you can read and 
send mail with your browser). It is written in C. You can find Null 
Webmail on SourceForge.




==[ Problem 

Null Webmail has a format string bug in logdata() and wmprintf(), but
logdata() is inside /* */, so logdata() isn't interesting to us. 

Here comes the buggy code:

---[ wmserver.c
...
/*
void logdata(const char *format, ...)  // <--- NOT INTERESTING
{
   char logbuffer[1024];
   char file[200];
   va_list ap;
   FILE *fp;

#ifdef WIN32
   snprintf(file, sizeof(file)-1, "C:\\webmail.log");
#else
   snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
#endif
   fp=fopen(file, "a");
   if (fp!=NULL) {
      va_start(ap, format);
      vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
      va_end(ap);
      fprintf(fp, "%s", logbuffer);
      fclose(fp);
   }
}
*/


int wmprintf(const char *format, ...)  // <--- INTERESTING FUNCTION
{
   char buffer[1024];
   va_list ap;

   va_start(ap, format);
   vsnprintf(buffer, sizeof(buffer)-1, format, ap); // <- INTERESTING
   va_end(ap);
   send(wmsocket, buffer, strlen(buffer), 0);
//  logdata (">> %s", buffer);
   return 0;
}
...

---[ call wmprintf() 

...
wmprintf("USER %s\r\n", wmusername);
...
wmprintf("PASS %s\r\n", wmpassword);
...
wmprintf("MAIL From: %s\r\n", ptemp);  
...
wmprintf("RCPT To: <%s>\r\n", msgaddr);
...
wmprintf("From: %s\r\n", wmaddress);
wmprintf("To: %s\r\n", msgto);
...
wmprintf("Subject: %s\r\n", msgsubject);
...
etc.

Here we have a few wmprintf() calls, and I think that we can put our 
'NASTY %sTRING' in all those variables :).




==[ Example

Can't test this bug!!!
If I'm wrong about this format string bug in Null Webmail, I'm very sorry.




==[ Greetz 

Greetz goes to #hr.hackers & #linux . 
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero & 
Paradox).