[Mimedefang] Details of 2.59, 2.60 vulnerability

David F. Skoll dfs at roaringpenguin.com
Mon Feb 19 15:21:21 EST 2007


Hi,

I promised to give details of the vulnerability in 2.59 and 2.60.  So
for you C coders... here you go.

MIMEDefang 2.59 and 2.60 had a function like this:

static void
append_percent_encoded(dynamic_buffer *dbuf,
                       char const *buf)
{
    char pbuf[5];   /* sized for "%XX" plus NUL */
    int c;          /* *buf is a plain char: bytes >= 0x80 are negative where char is signed */
    while ((c = *buf++) != 0) {
        if (c <= 32 || c > 126 || c == '%') {
            /* a negative c becomes 0xFFFFFFxx here, i.e. 8 hex digits, not 2 */
            sprintf(pbuf, "%%%02X", (unsigned int) c);  /*** NOTE ***/
            dbuf_puts(dbuf, pbuf);
        } else {
            dbuf_putc(dbuf, c);
        }
    }
}

It got passed (among other things) the message subject.  However,
on architectures that use a signed representation for "char", the
sprintf statement on the line marked NOTE could try to fill "pbuf"
with something like this:

	"%FFFFFFAE\0"

That would overflow pbuf.  An attacker could carefully choose a
subject line that overwrites the stack, albeit with a limited number
of values: The first two bytes overwritten would be 0x46 (ASCII for
'F'), the next byte could range from 0x38 to 0x39 or 0x41 to 0x46, the
next one could range from 0x30 to 0x39 or 0x41 to 0x46, and the last
one would have to be zero.

On machines with 64-bit "ints", you'd get 8 more "F's", although I
don't know of any machines with 64-bit ints.  (64-bit longs, yes, but
not ints.)

It's easy to crash the milter this way.  It's not clear to me that you
can execute arbitrary code (on many machines, the first four bytes of
overflow would more-or-less harmlessly modify "c", while only the last
zero byte would affect the rest of the stack), but it's also not clear
to me that you can't.  So be safe... upgrade to 2.61 if you're running
2.59 or 2.60.

Regards,

David.
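As an added example (not from David's post and not MIMEDefang's code), the C below measures how long the buggy "%%%02X" format really gets on a signed-char platform, and shows a bounded replacement that reads bytes as unsigned so a byte can never encode to more than three characters; the function names and the flat output buffer are assumptions standing in for MIMEDefang's dynamic_buffer API.

```c
#include <stdio.h>
#include <string.h>

/* Length the buggy "%%%02X" format yields for one byte when "char" is
 * signed: 0xAE is sign-extended to int -82 and printed as FFFFFFAE.
 * Measured with snprintf into a spare buffer, so nothing overflows here. */
size_t buggy_encoded_len(signed char c)
{
    char tmp[16];
    int v = c;                      /* same promotion as "int c = *buf++" */
    return (size_t) snprintf(tmp, sizeof tmp, "%%%02X", (unsigned int) v);
}

/* Hardened encoder (assumed replacement; not MIMEDefang's dbuf API).
 * Bytes are read as unsigned char so c is always 0..255, and every write
 * is bounds-checked. Returns the encoded length, or (size_t)-1 if the
 * result plus its NUL would not fit in out[outsz]. */
size_t append_percent_encoded_safe(char *out, size_t outsz, const char *buf)
{
    const unsigned char *p = (const unsigned char *) buf;
    size_t n = 0;
    unsigned int c;
    while ((c = *p++) != 0) {
        if (c <= 32 || c > 126 || c == '%') {
            char pbuf[4];           /* "%XX" + NUL is now the worst case */
            if (snprintf(pbuf, sizeof pbuf, "%%%02X", c) != 3 || n + 3 >= outsz)
                return (size_t) -1;
            memcpy(out + n, pbuf, 3);
            n += 3;
        } else {
            if (n + 1 >= outsz)
                return (size_t) -1;
            out[n++] = (char) c;
        }
    }
    out[n] = '\0';
    return n;
}

/* Check helper: 1 if `in` encodes exactly to `expect` within outsz bytes
 * (constructed inputs such as "Re: caf\xC3\xA9 100%" exercise both paths). */
int encodes_to(const char *in, size_t outsz, const char *expect)
{
    char out[64];
    if (outsz > sizeof out) return 0;
    return append_percent_encoded_safe(out, outsz, in) != (size_t) -1
        && strcmp(out, expect) == 0;
}
```

With a signed char, buggy_encoded_len((signed char) 0xAE) returns 9, four bytes more than the original pbuf[5] can hold; the hardened encoder emits at most 3 bytes per input byte and refuses, rather than overruns, when the output buffer is too small.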

