From owner-freebsd-hackers@FreeBSD.ORG Mon Jan 19 05:27:40 2004
Message-ID: <400BDB6E.3040100@reversedhell.net>
Date: Mon, 19 Jan 2004 15:28:14 +0200
From: Anton Alin-Adrian
To: freebsd-hackers@freebsd.org, clau@reversedhell.net, support@psoft.net, support@rdsnet.ro, support@calpop.com, root@lasting.ro, gratian.nutiu@rdsnet.ro
References: <400BD0CE.6050609@reversedhell.net> <400BD1D3.10201@reversedhell.net>
In-Reply-To: <400BD1D3.10201@reversedhell.net>
Subject: Re: qmail remote root patch
List-Id: Technical Discussions relating to FreeBSD

Anton Alin-Adrian wrote:
> Anton Alin-Adrian wrote:
>
>> Regarding the latest qmail vulnerability, I coded this quick patch.
>> Please double-check me if I am wrong here. Forward this to
>> freebsd-security please.
>>
>> Regards,
>> Alin.
>>
>> ------------------------------------------------------------------------
>>
>> 320c320
>> < ++pos;
>> ---
>> > if (pos>9) ++pos;
>>
>> ------------------------------------------------------------------------
>>
> I forgot to mention the vuln:
>
> http://www.guninski.com/qmailcrash.html
>

Actually that was utterly wrong. I think this works:

bash-2.05b$ diff -a qmail-smtpd.c qmail-smtpd-patched.c
318a319
> ++pos;
320d320
< ++pos;

The patched function will look like:

void blast(hops)
int *hops;
{
  char ch;
  int state;
  int flaginheader;
  int pos; /* number of bytes since most recent \n, if fih */
  int flagmaybex; /* 1 if this line might match RECEIVED, if fih */
  int flagmaybey; /* 1 if this line might match \r\n, if fih */
  int flagmaybez; /* 1 if this line might match DELIVERED, if fih */

  state = 1;
  *hops = 0;
  flaginheader = 1;
  pos = 0; flagmaybex = flagmaybey = flagmaybez = 1;
  for (;;) {
    substdio_get(&ssin,&ch,1);
    if (flaginheader) {
      if (pos < 9) {
        if (ch != "delivered"[pos]) if (ch != "DELIVERED"[pos]) flagmaybez = 0;
        if (flagmaybez) if (pos == 8) ++*hops;
        if (pos < 8)
          if (ch != "received"[pos]) if (ch != "RECEIVED"[pos]) flagmaybex = 0;
        if (flagmaybex) if (pos == 7) ++*hops;
        if (pos < 2) if (ch != "\r\n"[pos]) flagmaybey = 0;
        if (flagmaybey) if (pos == 1) flaginheader = 0;
        ++pos; /* moved into this block by the patch above */
      }
      if (ch == '\n') { pos = 0; flagmaybex = flagmaybey = flagmaybez = 1; }
    }
    switch(state) {
      case 0:
        if (ch == '\n') straynewline();
        if (ch == '\r') { state = 4; continue; }
        break;
      case 1: /* \r\n */
        if (ch == '\n') straynewline();
        if (ch == '.') { state = 2; continue; }
        if (ch == '\r') { state = 4; continue; }
        state = 0;
        break;
      case 2: /* \r\n + . */
        if (ch == '\n') straynewline();
        if (ch == '\r') { state = 3; continue; }
        state = 0;
        break;
      case 3: /* \r\n + .\r */
        if (ch == '\n') return;
        put(".");
        put("\r");
        if (ch == '\r') { state = 4; continue; }
        state = 0;
        break;
      case 4: /* + \r */
        if (ch == '\n') { state = 1; break; }
        if (ch != '\r') { put("\r"); state = 0; }
    }
    put(&ch);
  }
}

So what I did is move ++pos; into the if (pos < 9) block. Originally it is
right after the } ending that block. This works if pos gets incremented as
pos=1,2,.....9,10,...,max,...,upper-overflow(negative). This utterly fails if
pos is not incremented like that. Any ideas? I think it works, after a first
look at the incrementation loop.

Sorry for all other mails, I am stressed. (need to calm down, I know)

Alin.
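Review bot: the 318a319/320d320 pair moves `++pos;` inside the `if (pos < 9)` block without a comment saying why, and the effect (pos saturates at 9 instead of counting every byte of a long header line, so it can never reach the negative wrap the message describes) is not obvious from the line itself; a short comment at the new line 319, e.g. `++pos; /* stays <= 9 so a long line cannot wrap pos */`, would stop a later reader from moving it back. The `if (ch == '\n')` reset remains outside the block, so pos still returns to 0 at each header line, and the `pos < 2` test for the `\r\n` end of header is unaffected by the move.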
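The effect of the moved `++pos`, as an added example that is not from this thread or from qmail: a C model of the header-matching part of blast(), run once with the counter incremented after the `if (pos < 9)` block (original) and once inside it (patched). The wrap that needs a header line of INT_MAX bytes in the real int counter is modelled by bump() wrapping after COUNTER_MAX = 127 bytes so it is observable on constructed input; scan_line, scan_repeated, scan_str and struct scan_result are names chosen here, not qmail's.

```c
#include <string.h>

/* Model of the header-matching part of qmail-smtpd's blast(), reduced to a
 * single header line (no '\n' reset, no end-of-header detection). The real
 * counter is an int that wraps only after INT_MAX bytes; bump() models the
 * same two's-complement wrap after COUNTER_MAX bytes so it can be observed. */
#define COUNTER_MAX 127
static int bump(int pos) { return pos == COUNTER_MAX ? -COUNTER_MAX - 1 : pos + 1; }

struct scan_result {
    int hops;           /* Received:/Delivered: headers counted, as in blast() */
    int negative_index; /* 1 if the literals would be indexed with pos < 0 */
    int final_pos;      /* value of pos when the line ends */
};

/* patched == 0: ++pos after the block (original); patched == 1: inside it. */
static struct scan_result scan_line(const char *line, size_t len, int patched)
{
    struct scan_result r = {0, 0, 0};
    int pos = 0, flagmaybex = 1, flagmaybez = 1;
    for (size_t i = 0; i < len; i++) {
        char ch = line[i];
        if (pos < 9) {
            if (pos < 0) {          /* original: "delivered"[pos] would read before the literal */
                r.negative_index = 1;
                break;
            }
            if (ch != "delivered"[pos] && ch != "DELIVERED"[pos]) flagmaybez = 0;
            if (flagmaybez && pos == 8) r.hops++;
            if (pos < 8 && ch != "received"[pos] && ch != "RECEIVED"[pos]) flagmaybex = 0;
            if (flagmaybex && pos == 7) r.hops++;
            if (patched) pos = bump(pos);   /* patched: never goes past 9 */
        }
        if (!patched) pos = bump(pos);      /* original: counts every byte of the line */
    }
    r.final_pos = pos;
    return r;
}

/* Constructed input: a line of `len` repeated bytes, e.g. an oversized header. */
static struct scan_result scan_repeated(char ch, size_t len, int patched)
{
    char buf[512];
    if (len > sizeof buf) len = sizeof buf;
    memset(buf, ch, len);
    return scan_line(buf, len, patched);
}

static struct scan_result scan_str(const char *s, int patched) { return scan_line(s, strlen(s), patched); }
```

With the original placement a constructed 200-byte line drives pos to -128 and the next byte would index the literals with a negative offset; with the patched placement pos stops at 9, and the hop counts for ordinary Received:/Delivered: lines are the same in both variants.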