w00w00 Security Advisory - http://www.w00w00.org/

Title: qmail-pop3d with vpopmail/vchkpw
Platforms: Any
Discovered: 7th January, 2000
Local: Yes.
Remote: Yes.
Author: K2 ktwo@ktwo.ca
Vendor: Notified.
Last Updated: N/A

1. Overview

qmail-pop3d may pass an overly long command argument to its password
authentication service. When vpopmail is used to authenticate user
information a remote attacker may compromise the privilege level that
vpopmail is running, naturally root.

2. Background

It is Qmail's nonconformance to the pop3 specification that allows
this bug to manifest itself. qmail-pop3d trust's that its checkpassword mechanism
will support the same undocumented "features" as it dose, it
is this extra functionality that breaks vpopmail and RFC1939.

>From RFC1939 [Post Office Protocol - Version 3]

Commands in the POP3 consist of a caseinsensitive keyword, possibly
followed by one or more arguments. All commands are terminated by a
CRLF pair. Keywords and arguments consist of printable ASCII
characters. Keywords and arguments are each separated by a single
SPACE character. Keywords are three or four characters long. Each
argument may be up to 40 characters long.

>From BLURB3 (qmail-1.03)
POP3 service (qmail-popup, qmail-pop3d):
* RFC 1939
* UIDL support
* TOP support
* APOP hook
* modular password checking (checkpassword, available separately)

3. Issue

qmail-pop3d claims compliance to RFC1939, however this is not the case
qmail breaks that compliance by allowing overly long argument lengths
to be processed. qmail then passes control to a process without
documenting this added bug/feature.

4. Impact

A remote attacker may attain the privilege level of the authentication module.
Sample code can be found at http://www.ktwo.ca/security.html

5. Recommendation

Impose the 40 character limitation specified by RFC1939 into qmail, and vpopmail.

6. References


email me