w00w00 Security Advisory - qmail-pop3d may pass an overly long command argument to it's password authentication service. When vpopmail is used to authenticate user information a remote attacker may compromise the privilege level that vpopmail is running, naturally root.
3bd0074f38eb47b414a84c38444aed7fa25ca801a4f14f89d10b39ad7380dd2d
w00w00 Security Advisory - http://www.w00w00.org/
Title: qmail-pop3d with vpopmail/vchkpw
Platforms: Any
Discovered: 7th January, 2000
Local: Yes.
Remote: Yes.
Author: K2 <ktwo@ktwo.ca>
Vendor Status: Notified.
Last Updated: N/A
1. Overview
qmail-pop3d may pass an overly long command argument to it's password
authentication service. When vpopmail is used to authenticate user
information a remote attacker may compromise the privilege level that
vpopmail is running, naturally root.
2. Background
It is Qmail's nonconformance to the pop3 specification that allows
this bug to manifest itself. qmail-pop3d trust's that it's checkpassword
mechanism will support the same undocumented "features" as it dose, it
is this extra functionality that breaks vpopmail and RFC1939.
>>From RFC1939 [Post Office Protocol - Version 3]
--------------------------------------------------------
Commands in the POP3 consist of a caseinsensitive keyword, possibly
followed by one or more arguments. All commands are terminated by a
CRLF pair. Keywords and arguments consist of printable ASCII
characters. Keywords and arguments are each separated by a single
SPACE character. Keywords are three or four characters long. Each
argument may be up to 40 characters long.
--------------------------------------------------------
>>From BLURB3 (qmail-1.03)
--------------------------------------------------------
POP3 service (qmail-popup, qmail-pop3d):
* RFC 1939
* UIDL support
* TOP support
* APOP hook
* modular password checking (checkpassword, available separately)
--------------------------------------------------------
3. Issue
qmail-pop3d claims compliance to RFC1939, however this is not the case
qmail breaks that compliance by allowing overly long argument lengths
to be processed. qmail then passes control to a process without
documenting this added bug/feature.
4. Impact
A remote attacker may attain the privilege level of the authentication
module.
Sample exploit code can be found at http://www.ktwo.ca/security.html
5. Recommendation
Impose the 40 character limitation specified by RFC1939 into qmail.
Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch
6. References
RFC1939
qmail-1.03/BLURB3
--------------------------------------------------------
K2
www.ktwo.ca / ktwo@ktwo.ca