####################################################################### Luigi Auriemma Application: SurgeMail Mail Server http://netwinsite.com/surgemail/ Netwin's WebMail http://netwinsite.com/webmail/ Versions: SurgeMail <= 38k4 and beta 39a Netwin's WebMail <= 3.1s (only bug A) Platforms: Windows, Linux, FreeBSD, MacOSX and Solaris Bugs: A] format string in webmail.exe's page command B] buffer-overflow in the building of environment strings Exploitation: remote Date: 25 Feb 2008 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ####################################################################### 1) Introduction 2) Bugs 3) The Code 4) Fix ####################################################################### =============== 1) Introduction =============== SurgeMail is a well known commercial multiplatform mail server which supports many protocols. ####################################################################### ======= 2) Bugs ======= ---------------------------------------------- A] format string in webmail.exe's page command ---------------------------------------------- The CGI used for the handling of the webmail interface (webmail.exe) is affected by a format string vulnerability in the function which builds the error message when a wrong page is requested and passes it directly to lvprintf without the needed format argument: "TPL: Failed to Locate Template {c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}" Sample URL for exploiting the vulnerability: http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s --------------------------------------------------------- B] buffer-overflow in the building of environment strings --------------------------------------------------------- A buffer overflow vulnerability is located in the function which handles the real CGI executables (which must be not confused with the .cgi virtual files like user.cgi, admin.cgi and so on). When the server receives a HTTP request for a real CGI (like for example webmail.exe) it uses a buffer of about 20000 bytes for storing all the environment strings which will be passed to the called program. The HTTP fields passed by the client in his request are truncated at 200 bytes for the parameter and 800 for its value and are added as environment variables (HTTP_parameter=value). The lack of checks on the size of this environment buffer leads to a buffer-overflow, anyway although is possible to control some registers code execution is not certain. Naturally both the surgemail and the swatch (port 7027) processes are affected by this vulnerability. ####################################################################### =========== 3) The Code =========== http://aluigi.org/poc/surgemailz.zip ####################################################################### ====== 4) Fix ====== No fix #######################################################################