Re: [vchkpw] Qmail SMTP AUTH + vchkpw on 64 bit...
Am Mittwoch, 18. August 2004 23:22 schrieb Matthew Walker: > I saw this was discussed a month or two ago, but no conclusion seemed > to be reached. I have been the one who had this problem. We reached some kind of conclusion (see below). > > I have qmail 1.03, and vpopmail 5.4 installed, and everything works > except for SMTP AUTH. I get segfaults or bad user errors, depending on > whether or not vchkpw is owned by root or by the vpopmail user. I tried also all these combinations with no success. > > Here's a transcript from a session where vchkpw was owned by vpopmail. > When it's owned by root, the last line changes to simply say the > authentication failed. > [...] > 454 oops, problem with child and I can't auth (#4.3.0) Exactly! I wrote a bug-report, but nobody seemed to be interested. (I will have a quick look into the tracker when I've finished this mail, but I don't think anything happened). Erwin Hoffmann (www.fehcom.de) spent some time looking through the code. His personal summary was that the easiest way would be to rewrite the whole vchkpw because there seems to be quite much unused and/or useless (and buggy(?)) code which makes it really hard to do a debug of this problem. But: We found a workaround! 1. Take vpopmail in any version of your choice, configure, compile and install it. 2. Take vpopmail-5.2.2, configure and compile it. Do NOT install it! 3. Rename your current '/var/vpopmail/bin/vchkpw' in whatever you want. 4. Copy the vchkpw-binary from your vpopmail-5.2.2-directory into '/var/vpopmail/bin/' 5. Test it. See that it works. Have fun. There is only one disadvantage: CRAM-MD5 doesn't work with 5.2.2. Everything else will work fine (I am running it against MySQL without any problems). HTH Greetings Tobias
[vchkpw] vpopmail <= 5.4.2 (sybase vulnerability) (fwd)
I don't know if this is even relevant anymore (i.e. has been fixed) but
this showed up on bugtraq yesterday. Figured I should pass it along, just
in case.
Sincerely,
Chris Ess
System Administrator / CDTT (Certified Duct Tape Technician)
-- Forwarded message --
Date: 17 Aug 2004 10:44:52 -
From: Jérôme ATHIAS <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: vpopmail <= 5.4.2 (sybase vulnerability)
Bug: format string and buffer overflow (sybase)
Product: vpopmail <= 5.4.2 (sybase vulnerability)
Author: Werro [EMAIL PROTECTED]
Realease Date : 12/08/04
Risk: Low
Vendor status: Vendor is in a big shit :)
Reference: http://web-hack.ru/unl0ck/advisories/
Overview:
vpopmail is a set of programs for creating and managing
multiple virtual domains on a qmail server.
Details:
Bugs were founded in SyBase. In vsybase.c file.
---\
char dirbuf[156]; \__Vulnerability___
...
|
if ( strlen(dir) > 0 )
|
{
|
sprintf(dirbuf,"%s/%s/%s", dom_dir,dir,user);
|
^^^ - buffer overflow
|
}else{
|
sprintf(dirbuf, "%s/%s", dom_dir, user);
|
^^^ - buffer overflow
|
}
|
...
|
|
if ( site_size == LARGE_SITE ) {
|
sprintf( SqlBuf, LARGE_INSERT, domstr,
|
user, pass, pop, gecos, dirbuf, quota);
|
^^^ - format string
|
} else {
|
sprintf( SqlBuf, SMALL_INSERT,
|
SYBASE_DEFAULT_TABLE, user, domain, pass, pop, gecos, dirbuf, quota);
|
} ^^^ - format string
__|
/
Two vulnerability : format string and buffer overflow.
Latest Version is Vulnerable.
To avoid this bugs, you must use snprintf() with format like "%s".
12/08/04.
(c) by unl0ck team.
http://web-hack.ru/unl0ck
Re: [vchkpw] Qmail SMTP AUTH + vchkpw on 64 bit...
Thank you /so/ much for this information! I'll be attempting this fix over the next hour or two. On Thu, 19 Aug 2004 10:10:04 +0200, Linux-Guru <[EMAIL PROTECTED]> wrote: > Am Mittwoch, 18. August 2004 23:22 schrieb Matthew Walker: > > I saw this was discussed a month or two ago, but no conclusion seemed > > to be reached. > I have been the one who had this problem. > We reached some kind of conclusion (see below). > > > > > I have qmail 1.03, and vpopmail 5.4 installed, and everything works > > except for SMTP AUTH. I get segfaults or bad user errors, depending on > > whether or not vchkpw is owned by root or by the vpopmail user. > > I tried also all these combinations with no success. > > > > > Here's a transcript from a session where vchkpw was owned by vpopmail. > > When it's owned by root, the last line changes to simply say the > > authentication failed. > > > [...] > > > 454 oops, problem with child and I can't auth (#4.3.0) > > Exactly! > I wrote a bug-report, but nobody seemed to be interested. (I will have a quick > look into the tracker when I've finished this mail, but I don't think > anything happened). > > Erwin Hoffmann (www.fehcom.de) spent some time looking through the code. His > personal summary was that the easiest way would be to rewrite the whole > vchkpw because there seems to be quite much unused and/or useless (and > buggy(?)) code which makes it really hard to do a debug of this problem. > > But: We found a workaround! > 1. Take vpopmail in any version of your choice, configure, compile and install > it. > 2. Take vpopmail-5.2.2, configure and compile it. Do NOT install it! > 3. Rename your current '/var/vpopmail/bin/vchkpw' in whatever you want. > 4. Copy the vchkpw-binary from your vpopmail-5.2.2-directory into > '/var/vpopmail/bin/' > 5. Test it. See that it works. Have fun. > There is only one disadvantage: CRAM-MD5 doesn't work with 5.2.2. > Everything else will work fine (I am running it against MySQL without any > problems). > > HTH > > Greetings > > Tobias >
Re: [vchkpw] Qmail SMTP AUTH + vchkpw on 64 bit...
Success! On Thu, 19 Aug 2004 09:45:38 -0600, Matthew Walker <[EMAIL PROTECTED]> wrote: > Thank you /so/ much for this information! I'll be attempting this fix > over the next hour or two. > > > > On Thu, 19 Aug 2004 10:10:04 +0200, Linux-Guru <[EMAIL PROTECTED]> wrote: > > Am Mittwoch, 18. August 2004 23:22 schrieb Matthew Walker: > > > I saw this was discussed a month or two ago, but no conclusion seemed > > > to be reached. > > I have been the one who had this problem. > > We reached some kind of conclusion (see below). > > > > > > > > I have qmail 1.03, and vpopmail 5.4 installed, and everything works > > > except for SMTP AUTH. I get segfaults or bad user errors, depending on > > > whether or not vchkpw is owned by root or by the vpopmail user. > > > > I tried also all these combinations with no success. > > > > > > > > Here's a transcript from a session where vchkpw was owned by vpopmail. > > > When it's owned by root, the last line changes to simply say the > > > authentication failed. > > > > > [...] > > > > > 454 oops, problem with child and I can't auth (#4.3.0) > > > > Exactly! > > I wrote a bug-report, but nobody seemed to be interested. (I will have a quick > > look into the tracker when I've finished this mail, but I don't think > > anything happened). > > > > Erwin Hoffmann (www.fehcom.de) spent some time looking through the code. His > > personal summary was that the easiest way would be to rewrite the whole > > vchkpw because there seems to be quite much unused and/or useless (and > > buggy(?)) code which makes it really hard to do a debug of this problem. > > > > But: We found a workaround! > > 1. Take vpopmail in any version of your choice, configure, compile and install > > it. > > 2. Take vpopmail-5.2.2, configure and compile it. Do NOT install it! > > 3. Rename your current '/var/vpopmail/bin/vchkpw' in whatever you want. > > 4. Copy the vchkpw-binary from your vpopmail-5.2.2-directory into > > '/var/vpopmail/bin/' > > 5. Test it. See that it works. Have fun. > > There is only one disadvantage: CRAM-MD5 doesn't work with 5.2.2. > > Everything else will work fine (I am running it against MySQL without any > > problems). > > > > HTH > > > > Greetings > > > > Tobias > > >
Re: [vchkpw] vpopmail <= 5.4.2 (sybase vulnerability) (fwd)
On Aug 19, 2004, at 7:37 AM, Chris Ess wrote: I don't know if this is even relevant anymore (i.e. has been fixed) but this showed up on bugtraq yesterday. Figured I should pass it along, just in case. Sincerely, Chris Ess System Administrator / CDTT (Certified Duct Tape Technician) -- Forwarded message -- Date: 17 Aug 2004 10:44:52 - From: Jérôme ATHIAS <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] Subject: vpopmail <= 5.4.2 (sybase vulnerability) Bug: format string and buffer overflow (sybase) Product: vpopmail <= 5.4.2 (sybase vulnerability) Author: Werro [EMAIL PROTECTED] Realease Date : 12/08/04 Risk: Low Vendor status: Vendor is in a big shit :) Reference: http://web-hack.ru/unl0ck/advisories/ Overview: vpopmail is a set of programs for creating and managing multiple virtual domains on a qmail server. Details: Bugs were founded in SyBase. In vsybase.c file. Thanks for sending this. I started addressing the SQL injection vulnerabilities last March with code that made it into the 5.5.0 development release. That code flowed into the 5.4.6 release on June 30th. I had marked that release as "development" instead of "stable", but it's in use by many sites in production, so I'll switch it over to "stable" today. Vpopmail sites using any SQL backend (i.e., non-cdb sites) should upgrade to the 5.4.6 release to close off the SQL injection vulnerabilities in previous releases. The vulnerabilities made it possible for a remote attacker to insert additional SQL commands into data passed into POP/IMAP login, SMTP AUTH, or a QmailAdmin login. The possible buffer overflow is in the code for adding a user, so it would only be exploitable by an admin. Even so, I've fixed the problem in CVS and the change will be in the next stable release. I've also contacted the publisher of the original report (but have not posted a followup to bugtraq since I'm not a subscriber). -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] vpopmail <= 5.4.2 (sybase vulnerability) (fwd)
On Thu, 19 Aug 2004, Tom Collins wrote: [...] > I've also contacted the publisher of the original report (but have not > posted a followup to bugtraq since I'm not a subscriber). I can post one if you and Mr. Athias would like. (I think that between the three of us, the proper people to follow up are either yourself or Mr. Athias. Personally, I'd just end up linking to the email on the list archives since that seems the proper thing to do. Also, I don't think you have to be a subscriber to post to bugtraq. I could be wrong though.) Sincerely, Chris Ess System Administrator / CDTT (Certified Duct Tape Technician)
Re: [vchkpw] Qmail SMTP AUTH + vchkpw on 64 bit...
Could someone with this problem use strace (or ptrace?) to get a trace of what happens when vchkpw is called? It should be as easy as adding: "/usr/bin/strace -ff -o /tmp/vchkpw.dump" right before "/home/vpopmail/bin/vchkpw" in the qmail-smtpd/run file. Attempt a SMTP AUTH connection, and then send me a copy of the /tmp/vchkpw.dump file and I'll try to isolate the source of the problem. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] Qmail SMTP AUTH + vchkpw on 64 bit...
I can do this over the weekend, but I can't right now since the system I'm having troubles on is a production server. I'll get back to you though. On Thu, 19 Aug 2004 10:36:47 -0700, Tom Collins <[EMAIL PROTECTED]> wrote: > Could someone with this problem use strace (or ptrace?) to get a trace > of what happens when vchkpw is called? > > It should be as easy as adding: "/usr/bin/strace -ff -o > /tmp/vchkpw.dump" right before "/home/vpopmail/bin/vchkpw" in the > qmail-smtpd/run file. > > Attempt a SMTP AUTH connection, and then send me a copy of the > /tmp/vchkpw.dump file and I'll try to isolate the source of the > problem. > > -- > Tom Collins - [EMAIL PROTECTED] > QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ > Info on the Sniffter hand-held Network Tester: http://sniffter.com/ > >
[vchkpw] Is developement still happening?
I saw a message earlier today from Tom Collins about 5.4.6, and it got me thinking that things seem to have slowed a lot with development. I see that the last SF update is 5 months ago for 5.5.0. I'd sent some patches in that you mentioned you were interested in, and I'd really, really like to see the features make it out since its a huge hassle saver (the libvpopmail.so stuff), and I'd be more than happy to rework the patches if there was something about them you didn't like. There're also several other interesting looking patches hanging out there unassigned with no updates. Just curious to see where things stand. Cheers, Nick Harring
Re: [vchkpw] POP Error: 'vpopmail.users' doesn't exist
On Aug 19, 2004, at 2:09 PM, Fred Colclough wrote: Indeed there is NO vpopmail.users table, since I've set '--disable-many-domains' in vpopmail. So it should be looking in the vpopmail MySql database, which looks like this: Is that a recent change? Did you recompile/install courier-imap after compiling vpopmail with that option? If not, then you should. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] Is developement still happening?
On Aug 19, 2004, at 12:32 PM, Nicholas Harring wrote: I saw a message earlier today from Tom Collins about 5.4.6, and it got me thinking that things seem to have slowed a lot with development. I see that the last SF update is 5 months ago for 5.5.0. I'd sent some patches in that you mentioned you were interested in, and I'd really, really like to see the features make it out since its a huge hassle saver (the libvpopmail.so stuff), and I'd be more than happy to rework the patches if there was something about them you didn't like. There're also several other interesting looking patches hanging out there unassigned with no updates. Development is still happening, but very slowly. I'm focused on the 5.4 series, and Rick Widmer and Ken Jones have been doing work in 5.5. Check CVS for the current 5.5 version -- it's focused on a vpopmail daemon that PHP scripts can call. I am interested in the dynamically-linked libvpopmail, and spent some time working on changes to the build files to make it happen. Unfortunately, I never got it into the current build. Please let me know what other patches you'd like to see make it into 5.4 and I'll either get them in or comment on why I haven't added them. -- Tom Collins - [EMAIL PROTECTED] QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: http://sniffter.com/
Re: [vchkpw] POP Error: 'vpopmail.users' doesn't exist
Tom, No recent change. This is a brand new install. Thanks. -Fred. On 19 Aug 2004 at 14:27, Tom Collins wrote: > On Aug 19, 2004, at 2:09 PM, Fred Colclough wrote: > > Indeed there is NO vpopmail.users table, since I've set > > '--disable-many-domains' in vpopmail. So it should be looking in > > the vpopmail MySql database, which looks like this: > > Is that a recent change? Did you recompile/install courier-imap after > compiling vpopmail with that option? If not, then you should. > > -- > Tom Collins - [EMAIL PROTECTED] > QmailAdmin: http://qmailadmin.sf.net/ Vpopmail: > http://vpopmail.sf.net/ Info on the Sniffter hand-held Network Tester: > http://sniffter.com/ >
[vchkpw] questions on implementing/converting
I actually have two questions. The first one is if anybody has experience with converting a qmail system from vmailmgr to vpopmail. We have devised ways of doing it, but if anybody has already done it and has to do's/don'ts/pointers they came across I would appreciate it if you would share them. Second question. We have a lot of domains that resided on our server and due to directory limitations, can not have all the domains reside in ~path/vpopmail/domains. Is there any good solutions that people know of? The only one that we have come up with is to modify the code to add the domain directories into sublevels (ie ~path/vpopmail/domains/a-e/, ~path/vpopmail/domains/f-n, etc). After considering this, I realized that this probably would require a lot of changes in the code which is possible but we're hoping for a shorter time frame to get it up and going.
