Re: qmail remote root patch
Dinesh Nair wrote:

> On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:
>
>> Regarding latest qmail vulnerability, I coded this quick patch. Please
>> double-check me if I am wrong here. Forward this to freebsd-security please.
>>
>> 320c320
>> < ++pos;
>> ---
>> > if (pos>9) ++pos;
>>
>> http://www.guninski.com/qmailcrash.html
>
> wouldn't it be better to switch pos from an int to a u_int ? or do specific
> bounds checking before incrementing pos ? this patch seems to _only_
> increment pos if it's > 9, and reading the code will show you where you're
> going to get into some problems. :)
>
> Regards,
>    /\_/\  "All dogs go to heaven."  [EMAIL PROTECTED]
>   (0 0)                             http://www.alphaque.com/
> +==oOO--(_)--OOo==+
> | for a in past present future; do |
> | for b in clients employers associates relatives neighbours pets; do |
> | echo "The opinions here in no way reflect the opinions of my $a $b." |
> | done; done |
> +=+

Please look in the thread, I already posted:

--- qmail-smtpd.c	Mon Jun 15 13:53:16 1998
+++ qmail-smtpd-patched.c	Mon Jan 19 15:22:23 2004
@@ -316,8 +316,8 @@
         if (flagmaybex) if (pos == 7) ++*hops;
         if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
         if (flagmaybey) if (pos == 1) flaginheader = 0;
+        ++pos;
       }
-      ++pos;
       if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
     }
     switch(state) {

___
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
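Review bot: moving `++pos;` inside the `if (pos < 9)` block makes `pos` stop at 9 for the rest of a header line, while the `if (ch == '\n') { pos = 0; ... }` reset that stays outside the block still restarts it on the next line, so the counter can no longer grow past 9 and the signed wrap-around the thread is about cannot happen. Bytes past position 9 were already ignored by the matching code, so the `pos == 7` / `pos == 8` hop counting and the `pos == 1` end-of-header detection behave exactly as before. A one-line comment stating the invariant (`pos` stays in 0..9 while in the header) would help the next reader, because the hunk otherwise looks like an accidental relocation of the increment.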
Re: qmail remote root patch
On Mon, 19 Jan 2004, Anton Alin-Adrian wrote:

> Regarding latest qmail vulnerability, I coded this quick patch.
> Please double-check me if I am wrong here. Forward this to
> freebsd-security please.
>
> 320c320
> < ++pos;
> ---
> > if (pos>9) ++pos;
>
> http://www.guninski.com/qmailcrash.html

wouldn't it be better to switch pos from an int to a u_int ? or do specific
bounds checking before incrementing pos ? this patch seems to _only_
increment pos if it's > 9, and reading the code will show you where you're
going to get into some problems. :)

Regards,
   /\_/\  "All dogs go to heaven."  [EMAIL PROTECTED]
  (0 0)                             http://www.alphaque.com/
+==oOO--(_)--OOo==+
| for a in past present future; do |
| for b in clients employers associates relatives neighbours pets; do |
| echo "The opinions here in no way reflect the opinions of my $a $b." |
| done; done |
+=+
[REVISED] Re: qmail remote root patch
The last patch I sent to the list is incomplete because it did not handle
the case where there are too many short DELIVERED or RECEIVED lines, which
still has potential to cause memory overwrites. I hope this time the exploit
potential is completely eliminated.

Cheers,
Xin LI

--- qmail-smtpd.c.orig	Mon Jan 19 23:20:38 2004
+++ qmail-smtpd.c	Mon Jan 19 23:22:36 2004
@@ -305,7 +305,7 @@
   *hops = 0;
   flaginheader = 1;
   pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
-  for (;;) {
+  for (;;((*hops) < MAXHOPS)) {
     substdio_get(&ssin,&ch,1);
     if (flaginheader) {
       if (pos < 9) {
@@ -317,7 +317,17 @@
         if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
         if (flagmaybey) if (pos == 1) flaginheader = 0;
       }
-      ++pos;
+      if((++pos) > 1000) {
+        /*
+         * RFC 2821 has explicitly defined a text line can contain
+         * 1000 characters at maximium. This is a workaround to
+         * stop copying characters there, but I am not sure about
+         * the side effect. Consider this as an attack and set hops
+         * to MAXHOPS to prevent future processing.
+         */
+        *hops = MAXHOPS;
+        break;
+      }
       if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
     }
     switch(state) {
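Review bot: in `for (;;((*hops) < MAXHOPS))` the comparison sits in the third clause of the `for`, which is evaluated after each iteration and whose value is discarded, so it never terminates the loop; the first hunk compiles but changes nothing at run time, and the "too many short DELIVERED or RECEIVED lines" case it is meant to cover is still only bounded by whatever checks `*hops` after `blast()` returns. If the intent is to stop once `*hops` reaches MAXHOPS, the test belongs in the second clause (`for (; *hops < MAXHOPS;)`), but leaving the loop before `switch(state)` has seen the end-of-data sequence would leave the remainder of the message unread by this function, so it is safer to keep reading to the end of data and reject afterwards.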
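Review bot: the `break` after `*hops = MAXHOPS` in the second hunk exits the `for` loop, and therefore `blast()`, before the `switch(state)` machine has consumed the terminating `.\r\n`, so everything after the over-long header line, including the end-of-data marker, is left unread by this function; the comment already admits the side effect is unknown. A variant that keeps the SMTP stream in step is to stop incrementing `pos` (or clamp it at 1000) when the limit is hit, set `*hops = MAXHOPS` as here, and let the loop run on to the end of data so the rejection happens at the normal point. Also, `maximium` in the comment should read `maximum`.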
Re: qmail remote root patch
This is the patch I am currently using, for qmail-smtpd.c. I don't dare to
touch the RFC because I did not carefully read the qmail sources and I am
not aware of the details/impact. I think this patch is good enough to simply
remove the vulnerability.

I have now looked more thoroughly at the code and ask for others' opinions.
I think this is really an ok patch..

Regards,
Alin.

318a319
> ++pos;
320d320
< ++pos;
Re: qmail remote root patch
On page 54 of RFC2821, a text line should be shorter than 1000 characters
if I did not misunderstand it. So I'd propose the following patch, which
mitigates the issue by rejecting anything which contains an RFC violation.

Cheers,
Xin LI

--- qmail-smtpd.c.orig	Mon Jan 19 21:08:35 2004
+++ qmail-smtpd.c	Mon Jan 19 21:38:31 2004
@@ -317,7 +317,17 @@
         if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
         if (flagmaybey) if (pos == 1) flaginheader = 0;
       }
-      ++pos;
+      if((++pos) > 1000) {
+        /*
+         * RFC 2821 has explicitly defined a text line can contain
+         * 1000 characters at maximium. This is a workaround to
+         * stop copying characters there, but I am not sure about
+         * the side effect. Consider this as an attack and set hops
+         * to MAXHOPS to prevent future processing.
+         */
+        *hops = MAXHOPS;
+        break;
+      }
       if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
     }
     switch(state) {
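Review bot: `(++pos) > 1000` counts every byte since the last `\n`, so it fires on the 1001st byte of a line with the `\r\n` included, which matches RFC 2821's limit of 1000 characters including CRLF; that part is right. Two things to note in the hunk: the check lives under `if (flaginheader)`, so it only bounds header lines, which is sufficient for this bug because `pos` is only used there, and the `break` leaves `blast()` without reading the rest of the message, so the remaining input (up to and including the end-of-data marker) is left in the stream for whoever reads next. Clamping `pos` instead of breaking, and letting the existing hop check reject the message after the loop, avoids that.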
Re: qmail remote root patch
Anton Alin-Adrian wrote:

> Anton Alin-Adrian wrote:
>
>> Regarding latest qmail vulnerability, I coded this quick patch. Please
>> double-check me if I am wrong here. Forward this to freebsd-security please.
>>
>> Regards,
>> Alin.
>>
>> 320c320
>> < ++pos;
>> ---
>> > if (pos>9) ++pos;
>
> I forgot to mention about vuln:
> http://www.guninski.com/qmailcrash.html

Actually that was utterly wrong. I think this works:

bash-2.05b$ diff -a qmail-smtpd.c qmail-smtpd-patched.c
318a319
> ++pos;
320d320
< ++pos;

The patched function will look like:

void blast(hops)
int *hops;
{
  char ch;
  int state;
  int flaginheader;
  int pos; /* number of bytes since most recent \n, if fih */
  int flagmaybex; /* 1 if this line might match RECEIVED, if fih */
  int flagmaybey; /* 1 if this line might match \r\n, if fih */
  int flagmaybez; /* 1 if this line might match DELIVERED, if fih */

  state = 1;
  *hops = 0;
  flaginheader = 1;
  pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
  for (;;) {
    substdio_get(&ssin,&ch,1);
    if (flaginheader) {
      if (pos < 9) {
        if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos]) flagmaybez = 0;
        if (flagmaybez) if (pos == 8) ++*hops;
        if (pos < 8)
          if (ch != "received"[pos]) if (ch != "RECEIVED"[pos]) flagmaybex = 0;
        if (flagmaybex) if (pos == 7) ++*hops;
        if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
        if (flagmaybey) if (pos == 1) flaginheader = 0;
        ++pos;
      }
      if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
    }
    switch(state) {
      case 0:
        if (ch == '\n') straynewline();
        if (ch == '\r') { state = 4; continue; }
        break;
      case 1: /* \r\n */
        if (ch == '\n') straynewline();
        if (ch == '.') { state = 2; continue; }
        if (ch == '\r') { state = 4; continue; }
        state = 0;
        break;
      case 2: /* \r\n + . */
        if (ch == '\n') straynewline();
        if (ch == '\r') { state = 3; continue; }
        state = 0;
        break;
      case 3: /* \r\n + .\r */
        if (ch == '\n') return;
        put(".");
        put("\r");
        if (ch == '\r') { state = 4; continue; }
        state = 0;
        break;
      case 4: /* + \r */
        if (ch == '\n') { state = 1; break; }
        if (ch != '\r') { put("\r"); state = 0; }
    }
    put(&ch);
  }
}

So what I did is move ++pos; into the if (pos < 9) block. Originally it is
right after the } ending that block.

This works if pos gets incremented as pos=1,2,...,9,10,...,max,...,
upper-overflow (negative). This utterly fails if pos is not incremented like
that. Any ideas? I think it works, after a first look at the incrementation
loop.

Sorry for all other mails, I am stressed. (need to calm down i know)

Alin.
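To make the two fixes in this thread concrete (Alin's saturating counter, which stops `pos` at 9 for the rest of a header line, and Xin LI's RFC 2821 line-length limit), here is an added worked example that is neither qmail's code nor any of the patches above. It rewrites only the header-scanning part of `blast()` as a pure function over a buffer: the counter is unsigned and never exceeds 1000, a line past the limit is flagged for rejection instead of aborting the scan, and the hop counting and end-of-header detection are kept byte for byte. The names `scan_header`, `hdr_scan`, `MAXLINE`, the wrapper functions, and the sample messages are this example's own constructions.

```c
/* Added example: header-scan loop in the style of qmail-smtpd's blast(),
 * with a bounded line counter. Not qmail's code; names are this example's. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAXLINE 1000      /* RFC 2821 4.5.3.1: text line incl. CRLF (assumed limit) */

struct hdr_scan {
    int hops;             /* Received/Delivered lines counted, as qmail does */
    int too_long;         /* 1 if some header line exceeded MAXLINE bytes */
    size_t max_pos;       /* largest value the per-line counter ever reached */
};

/* Scan the header block of msg (len bytes). Same prefix tests as qmail,
 * but pos is unsigned and stays within 0..MAXLINE however long a line is. */
static void scan_header(const unsigned char *msg, size_t len, struct hdr_scan *r)
{
    size_t pos = 0;                            /* bytes since the last '\n' */
    int inheader = 1;
    int maybex = 1, maybey = 1, maybez = 1;    /* RECEIVED, \r\n, DELIVERED */
    size_t i;

    r->hops = 0; r->too_long = 0; r->max_pos = 0;
    for (i = 0; i < len && inheader; i++) {
        unsigned char ch = msg[i];
        if (pos < 9) {
            /* only the first 9 bytes of a line take part in matching */
            if (ch != "delivered"[pos] && ch != "DELIVERED"[pos]) maybez = 0;
            if (maybez && pos == 8) r->hops++;
            if (pos < 8 && ch != "received"[pos] && ch != "RECEIVED"[pos]) maybex = 0;
            if (maybex && pos == 7) r->hops++;
            if (pos < 2 && ch != "\r\n"[pos]) maybey = 0;
            if (maybey && pos == 1) inheader = 0;   /* blank line ends the header */
            pos++;
        } else if (pos < MAXLINE) {
            pos++;                 /* past the prefix: just count, up to the limit */
        } else {
            r->too_long = 1;       /* counter is frozen here; nothing can overflow */
        }
        if (pos > r->max_pos) r->max_pos = pos;
        if (ch == '\n') { pos = 0; maybex = maybey = maybez = 1; }
    }
}

/* Wrappers over NUL-terminated samples so results can be checked directly. */
int hops_in(const char *msg)
{
    struct hdr_scan r;
    scan_header((const unsigned char *)msg, strlen(msg), &r);
    return r.hops;
}
int too_long_in(const char *msg)
{
    struct hdr_scan r;
    scan_header((const unsigned char *)msg, strlen(msg), &r);
    return r.too_long;
}
size_t max_pos_in(const char *msg)
{
    struct hdr_scan r;
    scan_header((const unsigned char *)msg, strlen(msg), &r);
    return r.max_pos;
}

/* Constructed sample: one 5010-byte header line, then a normal Received line. */
static char long_sample[5100];
const char *constructed_long_sample(void)
{
    const char *head = "X-Long: ";
    const char *tail = "\r\nReceived: from relay\r\n\r\nbody\r\n.\r\n";
    size_t n = strlen(head);
    memcpy(long_sample, head, n);
    memset(long_sample + n, 'a', 5000);
    n += 5000;
    memcpy(long_sample + n, tail, strlen(tail) + 1);
    return long_sample;
}

int main(void)
{
    /* constructed sample with one Received and one Delivered-To line */
    const char *ok = "Received: from a\r\nDelivered-To: b@c\r\n\r\nbody\r\n.\r\n";
    const char *lng = constructed_long_sample();
    printf("normal:    hops=%d too_long=%d max_pos=%zu\n",
           hops_in(ok), too_long_in(ok), max_pos_in(ok));
    printf("long line: hops=%d too_long=%d max_pos=%zu\n",
           hops_in(lng), too_long_in(lng), max_pos_in(lng));
    return 0;
}
```

The point of the three-way branch is that every byte is still consumed: a caller that keeps reading to the end of data and then refuses the message when `too_long` is set stays in step with the SMTP client, which is what a `break` out of the loop would not do. On the 5010-byte line the counter reaches 1000 and stays there; the following Received line is still counted.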
Re: qmail remote root patch
Sorry I don't think so. This will cause pos to stay at 0 and therefore
infinitely loop. I am working on a new patch.

Cheers,
Xin LI

----- Original Message -----
From: "Anton Alin-Adrian" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, January 19, 2004 8:42 PM
Subject: qmail remote root patch

> Regarding latest qmail vulnerability, I coded this quick patch. Please
> double-check me if I am wrong here. Forward this to freebsd-security please.
>
>
> Regards,
> Alin.
Re: qmail remote root patch
Anton Alin-Adrian wrote:

> Regarding latest qmail vulnerability, I coded this quick patch. Please
> double-check me if I am wrong here. Forward this to freebsd-security please.
>
> Regards,
> Alin.
>
> 320c320
> < ++pos;
> ---
> > if (pos>9) ++pos;

I forgot to mention about vuln:
http://www.guninski.com/qmailcrash.html
qmail remote root patch
Regarding latest qmail vulnerability, I coded this quick patch. Please
double-check me if I am wrong here. Forward this to freebsd-security please.

Regards,
Alin.

320c320
< ++pos;
---
> if (pos>9) ++pos;
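Review bot: with `if (pos>9) ++pos;` the counter starts at 0 and the guard is false from the very first byte, so `pos` is never incremented and stays 0 for the whole message. That does stop the counter from wrapping, but only by freezing it: the `pos == 7` / `pos == 8` hop counting and the `pos == 1` end-of-header detection in the surrounding code can then never fire, so Received/Delivered lines are no longer counted and the header is never seen to end. The guard needs to allow the increment while `pos` is small and stop it once the matching no longer needs it, e.g. `if (pos < 9) ++pos;`, so the counter saturates instead of stalling.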