Date:      Tue, 22 May 2001 01:28:57 +0100
From:      Marc Rogers <marcr@shady.org>
To:        freebsd-security@freebsd.org
Subject:   Re: Qmail + FreeBSD 4.3
Message-ID:  <20010522012857.R366@shady.org>
In-Reply-To: <INECLODDPGBFIAKPNFKHGENCCBAA.subscribed@de-net.org>; from subscribed@de-net.org on Mon, May 21, 2001 at 12:27:34PM -0700
References:  <44ae4669z0.fsf@lowellg.ne.mediaone.net> <INECLODDPGBFIAKPNFKHGENCCBAA.subscribed@de-net.org>



On Mon, May 21, 2001 at 12:27:34PM -0700, Dan Graaff wrote:
> Hello all..
>

Hello
 
> After the recent hacking of my affiliate, I'm starting to get worried about
> my own qmail boxes. One of them has had no errors for a month, now I'm
> starting to get these in my root mailers:
> 
> xxxxxxx.xxxxxxxxxxx.xxx kernel log messages:
> > ^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^PM-^P
> > pid 28411 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 28548 (vdelivermail), uid 89: exited on signal 11 (core dumped)
> > pid 36631 (vdelivermail), uid 89: exited on signal 11 (core dumped)
<SNIP>

> 
> Any thoughts? Help?

Well it won't be the first time that a virtual domains package has had
an overflow of some kind in it. In fact, if memory serves me correctly,
this was the same virtual domains package that had a hole in it that was
released to bugtraq last year.

Looking at the most recent version of vpopmail...

bash-2.04$ grep sprintf vdelivermail.c|wc -l
      20

and a quick grep for two of the buffers found reveals...

vdelivermail.c: char tmp_buf[256];
configure:char tmpbuf[100];

I would suggest that this code has all the right conditions for a nasty
buffer overflow. I haven't got the time to read through it tonight, as it's 1am
and I'm too tired to be interested though.

To be honest though, what you are seeing in your logs is more likely to be
this code puking on something in mail, as it's happening a little too
frequently to be an attacker. [What sort of time lapse is there between those
segfaults?] I definitely wouldn't rule out the possibility though.

I would seriously think about a different virtual domains package.


That code looks dangerous.



> 
> -Dan Graaff / Digital
> 
>


Marc Rogers
Technical Director
European Data Corporation 

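The pattern Marc is pointing at (twenty `sprintf` calls in a file that also declares fixed 256- and 100-byte buffers) is worth seeing concretely from the defensive side. The following is an added example, not code from the thread or from vpopmail; it assumes, as a hypothetical, that one such buffer receives a formatted `user@domain` string, which the thread does not actually state. It measures how many bytes an unchecked `sprintf("%s@%s")` would write into a 256-byte buffer and contrasts that with a bounded `snprintf` whose return value is checked so that truncation becomes a detectable failure instead of a stack corruption or a signal 11.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Same size as the tmp_buf the grep in the mail turned up. */
#define TMP_BUF_LEN 256

/* How many bytes (including the NUL) an unchecked sprintf("%s@%s", user,
 * domain) would write. Measured with a NULL/0 snprintf so nothing is
 * actually written; if this exceeds TMP_BUF_LEN the unchecked call would
 * overrun the buffer. */
size_t unchecked_sprintf_would_write(const char *user, const char *domain)
{
    int n = snprintf(NULL, 0, "%s@%s", user, domain);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Hardened formatter: bounded by out_len and checks the return value.
 * snprintf returns the length the full string WOULD have had, so
 * n >= out_len means it was truncated. Returns false in that case and
 * leaves out empty so callers cannot mistake a partial address for a
 * valid one. */
bool build_address(char *out, size_t out_len,
                   const char *user, const char *domain)
{
    int n = snprintf(out, out_len, "%s@%s", user, domain);
    if (n < 0 || (size_t)n >= out_len) {
        if (out_len > 0)
            out[0] = '\0';
        return false;
    }
    return true;
}

/* Demo helper: constructs a local part of user_len 'A' characters
 * (constructed input, not real mail data) and reports whether the
 * hardened formatter accepts it into a TMP_BUF_LEN buffer. */
bool address_fits(size_t user_len)
{
    char user[1024];
    char tmp_buf[TMP_BUF_LEN];

    if (user_len >= sizeof user)
        return false;
    memset(user, 'A', user_len);
    user[user_len] = '\0';
    return build_address(tmp_buf, sizeof tmp_buf, user, "example.org");
}

int main(void)
{
    const char *domain = "example.org";
    char long_user[400];

    memset(long_user, 'A', sizeof long_user - 1);
    long_user[sizeof long_user - 1] = '\0';

    printf("buffer size: %d bytes\n", TMP_BUF_LEN);
    printf("alice@%s needs %zu bytes\n", domain,
           unchecked_sprintf_would_write("alice", domain));
    printf("399-char local part needs %zu bytes -> unchecked sprintf overruns\n",
           unchecked_sprintf_would_write(long_user, domain));
    printf("hardened build_address accepts 5-char user: %s\n",
           address_fits(5) ? "yes" : "no");
    printf("hardened build_address accepts 244-char user: %s (rejected, not overflowed)\n",
           address_fits(244) ? "yes" : "no");
    return 0;
}
```

The check `(size_t)n >= out_len` is the whole point: `snprintf` alone stops the write at the buffer boundary, but without inspecting its return value the program carries on with a silently truncated address. Rejecting the record (and logging it) turns the crash Dan is seeing into an auditable event.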