Re: qmail remote root patch

2004-01-19 Thread Anton Alin-Adrian
Anton Alin-Adrian wrote:

Regarding the latest qmail vulnerability, I coded this quick patch. 
Please double-check me if I am wrong here. Forward this to 
freebsd-security please.

Regards,
Alin.


320c320
   ++pos;
---
 

 if (pos9) ++pos;
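Review bot: the comparison operator in the replacement line has been lost in this rendering; as quoted the guard reads `if (pos9) ++pos;`, which does not compile, and the intended `if (pos < 9) ++pos;` has to be restored before anyone applies it. With that guard `pos` advances 0..9 on each header line and then holds at 9 until the `if (ch == '\n') pos = 0;` reset, so the `delivered[pos]` / `received[pos]` indexes inside the enclosing `if (pos < 9)` block can no longer be reached with a wrapped value; it is the same change as moving the `++pos;` statement into that block.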
   



___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]
   

I forgot to mention about vuln:

http://www.guninski.com/qmailcrash.html


Re: qmail remote root patch

2004-01-19 Thread Xin LI
Sorry I don't think so. This will cause pos to stay at 0 and therefore
infinitely loop. I am working on a new patch.

Cheers,
Xin LI

- Original Message - 
From: Anton Alin-Adrian [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Monday, January 19, 2004 8:42 PM
Subject: qmail remote root patch


 Regarding the latest qmail vulnerability, I coded this quick patch. Please
 double-check me if I am wrong here. Forward this to freebsd-security
 please.


 Regards,
 Alin.




Re: qmail remote root patch

2004-01-19 Thread Anton Alin-Adrian
Anton Alin-Adrian wrote:

Anton Alin-Adrian wrote:

Regarding the latest qmail vulnerability, I coded this quick patch. 
Please double-check me if I am wrong here. Forward this to 
freebsd-security please.

Regards,
Alin.


320c320
   ++pos;
---
 

 if (pos9) ++pos;
  
 

  

I forgot to mention about vuln:

http://www.guninski.com/qmailcrash.html

Actually that was utterly wrong. I think this works:
bash-2.05b$ diff -a qmail-smtpd.c qmail-smtpd-patched.c
318a319
   ++pos;
320d320
   ++pos;
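Review bot: as an ed-style diff this shows only the two `++pos;` lines and none of their surroundings, so a reader cannot tell from the hunk alone that line 319 sits inside the `if (pos < 9) { ... }` block and line 320 just after its closing brace; the 318a319 / 320d320 pair also reads as "add a line, then delete an identical line" with nothing to say which is which. Post it as a context or unified diff (`diff -u`) so the `if (pos < 9)` opener, the `}` and the following `if (ch == '\n')` reset are visible and reviewers can confirm the increment lands before the brace.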
The patched function will look like:
void blast(hops)
int *hops;
{
  char ch;
  int state;
  int flaginheader;
  int pos; /* number of bytes since most recent \n, if fih */
  int flagmaybex; /* 1 if this line might match RECEIVED, if fih */
  int flagmaybey; /* 1 if this line might match \r\n, if fih */
  int flagmaybez; /* 1 if this line might match DELIVERED, if fih */

  state = 1;
  *hops = 0;
  flaginheader = 1;
  pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
  for (;;) {
    substdio_get(&ssin,&ch,1);
    if (flaginheader) {
      if (pos < 9) {
        if (ch != delivered[pos]) if (ch != DELIVERED[pos]) flagmaybez = 0;
        if (flagmaybez) if (pos == 8) ++*hops;
        if (pos < 8)
          if (ch != received[pos]) if (ch != RECEIVED[pos]) flagmaybex = 0;
        if (flagmaybex) if (pos == 7) ++*hops;
        if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
        if (flagmaybey) if (pos == 1) flaginheader = 0;
        ++pos; /* moved into the block: pos stops at 9 until the next \n */
      }
      if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
    }
    switch(state) {
      case 0:
        if (ch == '\n') straynewline();
        if (ch == '\r') { state = 4; continue; }
        break;
      case 1: /* \r\n */
        if (ch == '\n') straynewline();
        if (ch == '.') { state = 2; continue; }
        if (ch == '\r') { state = 4; continue; }
        state = 0;
        break;
      case 2: /* \r\n + . */
        if (ch == '\n') straynewline();
        if (ch == '\r') { state = 3; continue; }
        state = 0;
        break;
      case 3: /* \r\n + .\r */
        if (ch == '\n') return;
        put(".");
        put("\r");
        if (ch == '\r') { state = 4; continue; }
        state = 0;
        break;
      case 4: /* + \r */
        if (ch == '\n') { state = 1; break; }
        if (ch != '\r') { put("\r"); state = 0; }
    }
    put(&ch);
  }
}

So what I did is move ++pos; into the if (pos < 9) block. Originally it 
is right after the } ending that block.

This works if pos gets incremented as 
pos = 1, 2, ..., 9, 10, ..., max, ..., upper overflow (negative).

This utterly fails if pos is not incremented like that.

Any ideas? I think it works, after a first look at the incrementation loop.

Sorry for all the other mails, I am stressed. (Need to calm down, I know.)

Alin.



Re: qmail remote root patch

2004-01-19 Thread Xin LI
On page 54 of RFC 2821, a text line should be shorter than 1000 characters, if
I did not misunderstand it. So I'd propose the following patch, which
mitigates the issue by rejecting anything that contains an RFC violation.

Cheers,
Xin LI


--- qmail-smtpd.c.orig Mon Jan 19 21:08:35 2004
+++ qmail-smtpd.c Mon Jan 19 21:38:31 2004
@@ -317,7 +317,17 @@
 if (pos  2) if (ch != \r\n[pos]) flagmaybey = 0;
 if (flagmaybey) if (pos == 1) flaginheader = 0;
   }
-  ++pos;
+  if((++pos)  1000) {
+ /*
+ * RFC 2821 has explicitly defined a text line can contain
+ * 1000 characters at maximium. This is a workaround to
+ * stop copying characters there, but I am not sure about
+ * the side effect. Consider this as an attack and set hops
+ * to MAXHOPS to prevent future processing.
+ */
+ *hops = MAXHOPS;
+ break;
+  }
   if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez =
1; }
 }
 switch(state) {
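Review bot: the `break` inside the new `if((++pos) > 1000)` block leaves the enclosing `for (;;)` loop, so blast() returns before the `.\r\n` end-of-data marker has been consumed, and whatever remains of the DATA payload is then read from the same connection as if it were SMTP commands; that is a worse failure than the long line itself. Setting `*hops = MAXHOPS` may get the caller to reject the message, as the comment intends, but whether the caller tests `>= MAXHOPS` or `> MAXHOPS` is not visible in this hunk and needs checking. Keep consuming input up to the terminator instead of breaking out, for example by no longer advancing `pos` once it passes 1000 while the `switch(state)` machine runs on. The comparison operator between `(++pos)` and `1000` is also missing in this rendering and must be restored when applying, and "maximium" in the comment is a typo.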




Re: qmail remote root patch

2004-01-19 Thread Anton Alin-Adrian
This is the patch I am currently using, for qmail-smtpd.c. I don't dare 
to touch the RFC because I did not carefully read the qmail sources and I am not 
aware of details/impact.

I think this patch is good enough to simply remove the vulnerability.

I now looked more thoroughly at the code and ask others' opinions. I 
think this is a really OK patch.

Regards,
Alin.


318a319
   ++pos;
320d320
   ++pos;


[REVISED] Re: qmail remote root patch

2004-01-19 Thread Xin LI
The last patch I sent to the list is incomplete because it did not handle
the case where there are too many short DELIVERED or RECEIVED lines, which
still has potential to cause memory overwrites.

I hope this time the exploit potential is completely eliminated.

Cheers,
Xin LI

--- qmail-smtpd.c.orig Mon Jan 19 23:20:38 2004
+++ qmail-smtpd.c Mon Jan 19 23:22:36 2004
@@ -305,7 +305,7 @@
   *hops = 0;
   flaginheader = 1;
   pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
-  for (;;) {
+  for (;;((*hops)  MAXHOPS)) {
 substdio_get(ssin,ch,1);
 if (flaginheader) {
   if (pos  9) {
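Review bot: `for (;;((*hops) < MAXHOPS))` puts the expression in the for statement's third slot, the one evaluated after each iteration, where its value is simply discarded; the loop is therefore still unconditional. A loop condition belongs in the second slot (`for (;(*hops) < MAXHOPS;)`). Even written that way the exit would happen before the end-of-data terminator is consumed, with the same desynchronisation as the `break` in the following hunk, so a bound on `*hops` is better enforced by the caller once blast() has returned normally. The `<` between `(*hops)` and `MAXHOPS` is also missing in this rendering.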
@@ -317,7 +317,17 @@
 if (pos  2) if (ch != \r\n[pos]) flagmaybey = 0;
 if (flagmaybey) if (pos == 1) flaginheader = 0;
   }
-  ++pos;
+  if((++pos)  1000) {
+ /*
+ * RFC 2821 has explicitly defined a text line can contain
+ * 1000 characters at maximium. This is a workaround to
+ * stop copying characters there, but I am not sure about
+ * the side effect. Consider this as an attack and set hops
+ * to MAXHOPS to prevent future processing.
+ */
+ *hops = MAXHOPS;
+ break;
+  }
   if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez =
1; }
 }
 switch(state) {
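Review bot: this hunk is identical to the one in the previous patch, early `break` and the "maximium" typo included; the cover note says the revision now handles many short DELIVERED or RECEIVED lines, but nothing here touches where `++*hops` happens or bounds it per line, and the only per-line change is still the 1000-byte cap. If the intent is to bound `*hops`, say where that check lives (the loop header in the other hunk, or the caller) and fix the comment spelling while here.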



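To make the three approaches in this thread comparable on real input, here is a scaled-down model of blast()'s header scan. It is an added example written for this thread, not qmail code and not any poster's patch. Assumptions: qmail's `int pos` is replaced by an `int16_t` so the wrap to a negative value happens after 32767 bytes instead of 2^31 - 1 (same arithmetic, smaller input); the `delivered`/`received` table contents and `MAXHOPS = 100` are assumed values not shown on this page; and where the real code would read `delivered[pos]` with a negative `pos` (an out-of-bounds read) the model records the index and skips the comparison. Variant ORIGINAL is the unpatched placement of `++pos`, MOVE_INCREMENT is Alin's move into the `if (pos < 9)` block, and CAP_AND_STOP is Xin LI's 1000-byte cap with its `break`.

```c
/* Scaled-down model of the header scan in qmail-smtpd's blast().
 * Added example for this thread; not qmail code. qmail keeps `pos` in an
 * int, so a header line longer than INT_MAX bytes wraps it negative and
 * the next `if (pos < 9)` passes with a negative index. Here `pos` is an
 * int16_t (assumption) so the wrap shows after 32767 bytes. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXHOPS 100            /* assumed: qmail's hop limit */
typedef int16_t pos_t;         /* stand-in for qmail's `int pos` */

static const char delivered[] = "delivered";   /* assumed table contents; */
static const char DELIVERED[] = "DELIVERED";   /* only bytes 0..8 are compared */
static const char received[]  = "received";
static const char RECEIVED[]  = "RECEIVED";

enum variant {
    ORIGINAL,        /* ++pos after the `if (pos < 9)` block: pos grows and wraps */
    MOVE_INCREMENT,  /* ++pos inside the block: pos stops at 9 */
    CAP_AND_STOP     /* ++pos > 1000: hops = MAXHOPS and stop scanning */
};

struct scan_result {
    int hops;        /* Received:/Delivered-To: lines counted */
    int min_index;   /* most negative index the scan would have used */
    int final_pos;   /* pos when the scan stopped */
    size_t consumed; /* header bytes read before the scan stopped */
};

/* Walk header bytes as blast() does until the blank line ends the header
 * (flaginheader = 0), the input runs out, or a variant stops early. */
static struct scan_result scan_header(const char *buf, size_t len, enum variant v)
{
    struct scan_result r = { 0, 0, 0, 0 };
    pos_t pos = 0;
    int flaginheader = 1, flagmaybex = 1, flagmaybey = 1, flagmaybez = 1;
    size_t i;

    for (i = 0; i < len && flaginheader; i++) {
        char ch = buf[i];
        if (pos < 9) {
            if (pos < r.min_index) r.min_index = pos;   /* record, do not read */
            if (pos >= 0) {
                if (ch != delivered[pos]) if (ch != DELIVERED[pos]) flagmaybez = 0;
                if (flagmaybez) if (pos == 8) ++r.hops;
                if (pos < 8)
                    if (ch != received[pos]) if (ch != RECEIVED[pos]) flagmaybex = 0;
                if (flagmaybex) if (pos == 7) ++r.hops;
                if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
                if (flagmaybey) if (pos == 1) flaginheader = 0;
            }
            if (v == MOVE_INCREMENT) pos = (pos_t)(pos + 1);
        }
        if (v != MOVE_INCREMENT) {
            /* int16_t: 32767 + 1 converts to -32768 on two's-complement compilers */
            pos = (pos_t)(pos + 1);
            if (v == CAP_AND_STOP && pos > 1000) {
                r.hops = MAXHOPS;
                i++;                      /* this byte was consumed too */
                break;                    /* leaves the rest of the line unread */
            }
        }
        if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
    }
    r.final_pos = pos;
    r.consumed = i;
    return r;
}

/* Constructed sample: two hop headers, then the blank line ending the header. */
static const char sample_headers[] =
    "Received: from relay.example (constructed)\r\n"
    "Delivered-To: user@example\r\n"
    "\r\n"
    "body text\r\n";

static struct scan_result scan_sample(enum variant v)
{
    return scan_header(sample_headers, sizeof sample_headers - 1, v);
}

/* A header line of n filler bytes, terminated, followed by the blank line. */
static struct scan_result scan_long_line(size_t n, enum variant v)
{
    size_t len = n + 4;
    char *buf = malloc(len);
    struct scan_result r;
    if (!buf) abort();
    memset(buf, 'x', n);
    memcpy(buf + n, "\r\n\r\n", 4);
    r = scan_header(buf, len, v);
    free(buf);
    return r;
}

int main(void)
{
    static const char *names[] = { "original", "move-increment", "cap-and-stop" };
    for (int v = ORIGINAL; v <= CAP_AND_STOP; v++) {
        struct scan_result r = scan_long_line(40000, (enum variant)v);
        printf("%-15s hops=%d min_index=%d final_pos=%d consumed=%zu\n",
               names[v], r.hops, r.min_index, r.final_pos, r.consumed);
    }
    printf("sample headers: %d hop lines\n", scan_sample(ORIGINAL).hops);
    return 0;
}
```

On a 40000-byte header line the ORIGINAL variant reports a minimum index of -32768, which is the read the real code performs against delivered[] once the int wraps; MOVE_INCREMENT never indexes below 0 and still scans the whole header; CAP_AND_STOP sets hops to MAXHOPS but stops after 1001 bytes, leaving the remainder of the line unread, which is the desynchronisation the early break causes in the real server. All three count the two hop lines in the well-formed sample identically.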

Re: qmail remote root patch

2004-01-19 Thread Dinesh Nair

On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:
  Regarding the latest qmail vulnerability, I coded this quick patch.
  Please double-check me if I am wrong here. Forward this to
  freebsd-security please.
 320c320
++pos;
 ---
 
 
   if (pos9) ++pos;
 http://www.guninski.com/qmailcrash.html

wouldn't it be better to switch pos from an int to a u_int? or do
specific bounds checking before incrementing pos? this patch seems to
_only_ increment pos if it's < 9, and reading the code will show you where
you're going to get into some problems. :)

Regards,   /\_/\   All dogs go to heaven.
[EMAIL PROTECTED](0 0)http://www.alphaque.com/
+==oOO--(_)--OOo==+
| for a in past present future; do|
|   for b in clients employers associates relatives neighbours pets; do   |
|   echo The opinions here in no way reflect the opinions of my $a $b.  |
| done; done  |
+=+



Re: qmail remote root patch

2004-01-19 Thread Anton Alin-Adrian
Dinesh Nair wrote:

On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:
 

Regarding the latest qmail vulnerability, I coded this quick patch.
Please double-check me if I am wrong here. Forward this to
freebsd-security please.
320c320
   ++pos;
---
 

if (pos9) ++pos;
   

http://www.guninski.com/qmailcrash.html
   

wouldn't it be better to switch pos from an int to a u_int? or do
specific bounds checking before incrementing pos? this patch seems to
_only_ increment pos if it's < 9, and reading the code will show you where
you're going to get into some problems. :)


 

Please look in the thread, I already posted:

--- qmail-smtpd.c   Mon Jun 15 13:53:16 1998
+++ qmail-smtpd-patched.c   Mon Jan 19 15:22:23 2004
@@ -316,8 +316,8 @@
if (flagmaybex) if (pos == 7) ++*hops;
if (pos  2) if (ch != \r\n[pos]) flagmaybey = 0;
if (flagmaybey) if (pos == 1) flaginheader = 0;
+   ++pos;
  }
-  ++pos;
  if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
}
switch(state) {
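Review bot: after this move `pos` is only incremented while `pos < 9`, so the declaration comment in blast(), `/* number of bytes since most recent \n, if fih */`, no longer describes it; it now counts at most the first nine bytes of a header line. Update that comment so the next reader does not move the increment back out to restore the "full" count. The change itself is sound for the index problem: every use of `pos` as an index sits inside the `if (pos < 9)` block that now also holds the increment, and the `if (ch == '\n') pos = 0;` reset stays outside it, as the context lines show.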

