[ Illegal Instruction Labs Advisory ]
[-]
Advisory name: Format String bug in Null Webmail (0.6.3)
Advisory number: 7
Application: Null Webmail 0.6.3
Author: Dan Cahill
E-mail: [EMAIL PROTECTED]
Homepage: http://www.nulllogic.com/webmail/
Date: 1.07.2002
Impact: I don't know (yet)
Tested on: nowhere
Discovered by: DownBload
Mail me @: [EMAIL PROTECTED]
==[ Overview
Null Webmail is a CGI interface to an SMTP and POP3 server (you can read
and send mail with your browser). It is written in C. You can find Null
Webmail on SourceForge.
==[ Problem
Null Webmail has a format string bug in logdata() and wmprintf(), but
logdata() is commented out inside /* */, so it isn't interesting to us.
Here comes the buggy code:
---[ wmserver.c
...
/*
void logdata(const char *format, ...)  // <--- NOT INTERESTING
{
    char logbuffer[1024];
    char file[200];
    va_list ap;
    FILE *fp;
#ifdef WIN32
    snprintf(file, sizeof(file)-1, "C:\\webmail.log");
#else
    snprintf(file, sizeof(file)-1, "/tmp/webmail.log");
#endif
    fp = fopen(file, "a");
    if (fp != NULL) {
        va_start(ap, format);
        vsnprintf(logbuffer, sizeof(logbuffer)-1, format, ap);
        va_end(ap);
        fprintf(fp, "%s", logbuffer);
        fclose(fp);
    }
}
*/
int wmprintf(const char *format, ...)  /* <--- INTERESTING FUNCTION */
{
    char buffer[1024];
    va_list ap;

    va_start(ap, format);
    vsnprintf(buffer, sizeof(buffer)-1, format, ap);  // <- INTERESTING
    va_end(ap);
    send(wmsocket, buffer, strlen(buffer), 0);
    // logdata (">> %s", buffer);
    return 0;
}
...
---[ wmprintf() calls
...
wmprintf("USER %s\r\n", wmusername);
...
wmprintf("PASS %s\r\n", wmpassword);
...
wmprintf("MAIL From: %s\r\n", ptemp);
...
wmprintf("RCPT To: <%s>\r\n", msgaddr);
...
wmprintf("From: %s\r\n", wmaddress);
wmprintf("To: %s\r\n", msgto);
...
wmprintf("Subject: %s\r\n", msgsubject);
...
etc.
Here we have a few wmprintf() calls, and I think that we can put our
'NASTY %sTRING' in all of those variables :).
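Added example (not code from the advisory or from Null Webmail): the check a reviewer applies to each wmprintf() call above. The stand-in wmprintf_demo() keeps the vsnprintf() wrapper shape but writes to a caller-supplied buffer instead of send()ing on wmsocket, so it runs offline. With a string-literal format and the user value as the %s argument (the shape of the quoted calls), % characters in the value are copied through unchanged; they are only interpreted by vsnprintf() when the value itself is handed to the wrapper as the format, which is the hypothetical second call shape shown. The probe uses "%%" because it is the one conversion that consumes no argument, so the difference is visible without undefined behaviour.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for Null Webmail's wmprintf(): same vsnprintf() wrapper shape,
 * but the result goes to a caller-supplied buffer instead of send() on
 * wmsocket. (Added example, not the project's code.) */
static int wmprintf_demo(char *out, size_t outlen, const char *format, ...)
{
    va_list ap;
    int n;

    va_start(ap, format);
    n = vsnprintf(out, outlen, format, ap);
    va_end(ap);
    return n;
}

/* Shape of the calls quoted in the advisory: the format is a string
 * literal and the user-controlled value is a %s argument. Any % characters
 * in the value are copied to the output unchanged. */
int user_cmd_constant_format(char *out, size_t outlen, const char *username)
{
    return wmprintf_demo(out, outlen, "USER %s\r\n", username);
}

/* Hypothetical variant (not among the quoted calls): the line is built
 * first and then handed to wmprintf_demo() AS THE FORMAT. Now every
 * conversion in the user-controlled value is interpreted by vsnprintf(),
 * which is what turns the wrapper into a format string sink. */
int user_cmd_data_as_format(char *out, size_t outlen, const char *username)
{
    char line[256];

    snprintf(line, sizeof line, "USER %s\r\n", username);
    return wmprintf_demo(out, outlen, line);
}

/* Review check: if the raw input no longer appears verbatim in the output,
 * the wrapper consumed its % sequences, i.e. the input reached the format. */
int input_was_interpreted(const char *out, const char *input)
{
    return strstr(out, input) == NULL;
}

/* Run a probe through one of the two call shapes and report (1/0) whether
 * its % sequences were interpreted. */
int probe_reaches_format(const char *probe, int data_as_format)
{
    char line[256];

    if (data_as_format)
        user_cmd_data_as_format(line, sizeof line, probe);
    else
        user_cmd_constant_format(line, sizeof line, probe);
    return input_was_interpreted(line, probe);
}

int main(void)
{
    /* Constructed probe: "%%" needs no argument, so interpretation shows up
     * as the pair collapsing to a single "%" with no undefined behaviour. */
    const char *probe = "bob%%";
    char line[256];

    user_cmd_constant_format(line, sizeof line, probe);
    printf("literal format : %s", line);   /* USER bob%% */

    user_cmd_data_as_format(line, sizeof line, probe);
    printf("data as format : %s", line);   /* USER bob% */
    return 0;
}
```

For the real code base the same distinction can be enforced at build time: declaring wmprintf() with GCC's `__attribute__((format(printf, 1, 2)))` and compiling with `-Wformat -Wformat-security` flags any call site that passes a non-literal format with no arguments, which is the only call shape in which a value like msgsubject could reach vsnprintf() as the format.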
==[ Example
Can't test this bug!!!
If I'm wrong about this format string bug in Null Webmail, I'm very sorry.
==[ Greetz
Greetz goes to #hr.hackers & #linux .
Special greetz goes to (rand()): St0rm, BoyScout, h4z4rd, fi, Sunnis, Fr1c,
phreax, harlequin, LekaMan, Astral and www.active-security.org (NetZero &
Paradox).