Date: Tue, 22 May 2001 01:28:57 +0100
From: Marc Rogers <marcr@shady.org>
To: freebsd-security@freebsd.org
Subject: Re: Qmail + FreeBSD 4.3
Message-ID: <20010522012857.R366@shady.org>
In-Reply-To: <INECLODDPGBFIAKPNFKHGENCCBAA.subscribed@de-net.org>; from subscribed@de-net.org on Mon, May 21, 2001 at 12:27:34PM -0700
References: <44ae4669z0.fsf@lowellg.ne.mediaone.net> <INECLODDPGBFIAKPNFKHGENCCBAA.subscribed@de-net.org>
On Mon, May 21, 2001 at 12:27:34PM -0700, Dan Graaff wrote:
> Hello all..

Hello

> After the recent hacking of my affiliate, I'm starting to get worried about
> my own qmail boxes. One of them has had no errors for a month, now I'm
> starting to get these in my root mailers:
>
> xxxxxxx.xxxxxxxxxxx.xxx kernel log messages:
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > pid 28411 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 28548 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 36631 (vdelivermail), uid 89: exited on signal 11 (core dumped)
<SNIP>
>
> Any thoughts? Help?

Well, it won't be the first time that a virtual domains package has had an
overflow of some kind in it. In fact, if memory serves me correctly, this was
the same virtual domains package that had a hole in it that was released to
bugtraq last year.

Looking at the most recent version of vpopmail.....

bash-2.04$ grep sprintf vdelivermail.c|wc -l
20

and a quick grep for two of the buffers found reveals....

vdelivermail.c: char tmp_buf[256];
configure:char tmpbuf[100];

I would suggest that this code has all the right conditions for a nasty buffer
overflow. I haven't got the time to read through it tonight, as it's 1am and
I'm too tired to be interested though.

To be honest though, what you are seeing in your logs is more likely to be
this code puking on something in mail, as it's happening a little too
frequently to be an attacker. [What sort of time lapse is there between those
segfaults?]

I definitely wouldn't rule out the possibility though. I would seriously think
about a different virtual domains package. That code looks dangerous.

>
> -Dan Graaff / Digital
>

Marc Rogers
Technical Director
European Data Corporation

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
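The pattern Marc is pointing at (unbounded sprintf() into a fixed 256-byte stack buffer fed from mail data) next to the bounded form a maintainer would replace it with, as an added C example that is not vpopmail's code and not from the original thread. The path layout, the function names and the domain directory are hypothetical; only the buffer size comes from the post.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper in the style the post worries about. sprintf() has no
 * idea how big tmp_buf is, so a recipient local part longer than the space
 * left after the directory prefix is written past the end of the stack
 * buffer. Depending on what gets clobbered, that shows up exactly as the
 * log lines above: the process dies on signal 11 (SIGSEGV) with a core dump.
 * Kept only for comparison; nothing here calls it. */
void build_path_unsafe(char *tmp_buf, const char *dir, const char *user)
{
    sprintf(tmp_buf, "%s/Maildir/%s", dir, user);   /* no bound on the write */
}

/* Hardened form: snprintf() never writes more than bufsz bytes and returns
 * the length the full string would have needed, so an over-long input is
 * detected and refused instead of silently truncated or overflowed.
 * Returns 0 on success, -1 if the path does not fit. */
int build_path_safe(char *buf, size_t bufsz, const char *dir, const char *user)
{
    int n = snprintf(buf, bufsz, "%s/Maildir/%s", dir, user);
    if (n < 0 || (size_t)n >= bufsz) {
        buf[0] = '\0';          /* refuse delivery to a mangled path */
        return -1;
    }
    return 0;
}

/* Simulates one delivery attempt for a constructed recipient local part.
 * Returns 1 if the path fit in the same 256-byte buffer the post found,
 * 0 if it was rejected as too long. The domain directory is made up. */
int try_deliver(const char *user)
{
    char tmp_buf[256];
    const char *dir = "/home/vpopmail/domains/example.org";
    return build_path_safe(tmp_buf, sizeof tmp_buf, dir, user) == 0 ? 1 : 0;
}

/* Constructed over-long local part (399 'A's), far beyond the buffer. */
int demo_overlong(void)
{
    char user[400];
    memset(user, 'A', sizeof user - 1);
    user[sizeof user - 1] = '\0';
    return try_deliver(user);
}

int main(void)
{
    printf("short local part accepted:   %d\n", try_deliver("dan"));
    printf("over-long local part accepted: %d\n", demo_overlong());
    return 0;
}
```

Auditing a tree for this pattern is the same one-liner the post used (grep for sprintf, strcpy and strcat) followed by checking each hit against the declared size of its destination.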