SEC Consult Security Advisory < 20071031-0 >
====================================================================================
                  title: Perdition IMAP proxy str_vwrite format string
vulnerability
                program: Perdition Mail Retrieval Proxy
     vulnerable version: <=1.17
               homepage: http://www.vergenet.net/
                  found: August 2007
                     by: Bernhard Mueller / SEC Consult
         permanent link: http://www.sec-consult.com/300.html
====================================================================================

Vendor description:
---------------

Perdition is a fully featured POP3 and IMAP4 proxy server. It is able to
handle both SSL and non-SSL connections and redirect users to a
real-server based on a database lookup.


Vulnerability overview:
---------------

Perdition IMAPD is affected by a format string bug in one of its IMAP
output-string formatting functions. The bug allows the execution of
arbitrary code on the affected server. A successful exploit does not
require prior authentication.


Vulnerability details:
--------------- 

1.) In certain situations, the IMAP-Tag (first part of IMAP-command) is
copied into a character buffer without validation. This buffer is then
ultimately passed to vsnprintf() as a format string.

2.) Before the call to vsnprintf, a validation of the format string is
performed as a protection against format string injection.

>From str.c:

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
168: static const char *__str_vwrite(io_t * io, const flag_t flag, 
169:     const size_t nargs, const char *fmt, va_list ap,
170:     int *bytes)
171: {
(...)
186:   fmt_args = 0;
187:   for (place = 0; fmt[place] != '\0'; place++) {
188:     if (fmt[place] == '%')
189:       fmt[place + 1] == '%' ? place++ : fmt_args++;
190:   }
191:   if (fmt_args != nargs) {
(...)
195:     VANESSA_LOGGER_DEBUG_UNSAFE("nargs and fmt mismatch: "
196:         "%d args requested, %d args in format",
197:              nargs, fmt_args);
198:     return (NULL);
199:   }
200: 
201:   *bytes = vsnprintf(__str_write_buf, STR_WRITE_BUF_LEN - 2, fmt,
ap);
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++


In line 187-191, the actual number of format identifiers is compared to
supposed number given in the parameter nargs. This check can however be
bypassed by injecting a null-byte in the end of the IMAP-tag. The
null-byte cuts of the rest of the string (with the original format
identifiers intended by the programmer). Therefore it is possible to
inject 'nargs' arbitrary format identifiers within the IMAP tag. 
In practice, only a single format identifier can be controlled by the
attacker. This is not very nice to exploit, however arbitrary code
execution is still possible. For example, multiple successive
single-byte-writes on a global function pointer can be used to gain
control of the instruction pointer.
Due to the nature of the vulnerability, a good exploit can bypass most
OS security features (non-exec-stack, ASLR, etc.) as well as compiler
features (stack canaries,...).


Proof-of-Concept
----------------

SEC Consult has created a working proof-of-concept
(code-execution-)exploit, which will not be released to the public at
this time.
The following can be used to test for the vulnerability:

perl -e 'print "abc%n\x00\n"' | nc perdition.example.com 143


Vulnerable versions:
---------------

Perdition IMAPD <= 1.17

The vulnerability has been fixed in Perdition v1.17.1. The new tarball
and Debian packages can be found at:

http://www.vergenet.net/linux/perdition/download/1.17.1/
http://www.vergenet.net/linux/perdition/download/latest/


vendor status:
---------------
vendor notified: 2007-10-12
vendor response: 2007-10-12
patch available: 2007-10-31


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
EOF Bernhard Mueller / research [AT] sec-consult [DOT] com