w00w00 Security Advisory - http://www.w00w00.org/ Title: qmail-pop3d with vpopmail/vchkpw Platforms: Any Discovered: 7th January, 2000 Local: Yes. Remote: Yes. Author: K2 Vendor Status: Notified. Last Updated: N/A 1. Overview qmail-pop3d may pass an overly long command argument to it's password authentication service. When vpopmail is used to authenticate user information a remote attacker may compromise the privilege level that vpopmail is running, naturally root. 2. Background It is Qmail's nonconformance to the pop3 specification that allows this bug to manifest itself. qmail-pop3d trust's that it's checkpassword mechanism will support the same undocumented "features" as it dose, it is this extra functionality that breaks vpopmail and RFC1939. >>From RFC1939 [Post Office Protocol - Version 3] -------------------------------------------------------- Commands in the POP3 consist of a caseinsensitive keyword, possibly followed by one or more arguments. All commands are terminated by a CRLF pair. Keywords and arguments consist of printable ASCII characters. Keywords and arguments are each separated by a single SPACE character. Keywords are three or four characters long. Each argument may be up to 40 characters long. -------------------------------------------------------- >>From BLURB3 (qmail-1.03) -------------------------------------------------------- POP3 service (qmail-popup, qmail-pop3d): * RFC 1939 * UIDL support * TOP support * APOP hook * modular password checking (checkpassword, available separately) -------------------------------------------------------- 3. Issue qmail-pop3d claims compliance to RFC1939, however this is not the case qmail breaks that compliance by allowing overly long argument lengths to be processed. qmail then passes control to a process without documenting this added bug/feature. 4. Impact A remote attacker may attain the privilege level of the authentication module. Sample exploit code can be found at http://www.ktwo.ca/security.html 5. Recommendation Impose the 40 character limitation specified by RFC1939 into qmail. Apply qmail-popup patch http://www.ktwo.ca/c/qmail-popup-patch 6. References RFC1939 qmail-1.03/BLURB3 -------------------------------------------------------- K2 www.ktwo.ca / ktwo@ktwo.ca