Vpopmail/QmailAdmin User’s Quota Multiple Integer Overflows
30/Aug/2009 · Vulnerabilities
Author: Jacobo Avariento Gimeno (Sofistic S.L.) [jacobo [at] sofistic.net]
Release Date: May 8, 2009
CVE/bugtraq id: Not assigned yet
Severity: Low/Medium
Vendor’s Description of Software:
________________________________________
«Vpopmail is a free GPL package developed by Inter7 to provide an easy way to manage virtual email domains and non /etc/passwd email accounts for qmail or postfix mail servers.» [1]
«qmailAdmin is a free software package that provides a web interface for managing a qmail system with virtual domains.» [2]
Description of Vulnerability:
________________________________________
Vpopmail and QmailAdmin are prone to several integer overflows because the numeric types used to store a user’s quota are too narrow for today’s mailbox sizes. An integer is not enough: it overflows once the user has more than 2 gigabytes in his/her mailbox. A long integer is not the solution either, because on 32-bit machines a long integer has the same range as an integer.
Vulnerable versions:
________________________________________
*ALL*
Analysis of the vulnerable code:
________________________________________
There are several functions/files to fix in vpopmail and qmailadmin:
• vpopmail-5.5.0: quota.c, function quota_percent
• vpopmail-5.5.0: vuserinfo.c, function display_user
• qmailadmin-1.2.12: function quota_to_megabytes
• qmailadmin-1.2.12: maildirquota.c, functions wrapreaduserquota, readdomainquota, readuserquota
• …
In general, any variable that holds a user’s quota.
Proof of Concept:
________________________________________
Just try to set a quota of more than 2 GB for a user («./vsetuserquota user@domain $((3*1024*1024*1024))») and check with «./vuserinfo user@domain» that the user’s quota usage is always 100%; with qmailadmin the quota never grows and stalls at 2048 MB. Put more than 2 GB of data in a mailbox and see that the quota overflows, i.e. -1114.49 / unlimited.
Solution:
________________________________________
There are no official patches yet; all sysadmins who use vpopmail/qmailadmin should be aware of this, because the vendor gave me no date for the release of a new version or patch. To fix this, neither «int» nor «long» nor «off_t» should be used; using a «long long int» only fixes the problem until the near future 🙂 Casting is not a solution either when the variable has already overflowed, as in the newest version (vpopmail 5.5.0: maildirquota.c line 294).
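The following C sketch is an added example, not code from vpopmail, qmailadmin or the advisory's author. It shows what a 32-bit signed variable holds for the 3 GB quota used in the Proof of Concept, next to a parser and a percentage calculation that stay in 64 bits from the start. The names wrap32, parse_quota and percent_used_u64 are hypothetical, and "limit 0 means unlimited" is an assumption of the example.

```c
#include <ctype.h>
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of a quota held in a 32-bit signed variable (int, or long on a
 * 32-bit build): only the low 32 bits survive, read as two's complement. */
static int32_t wrap32(uint64_t bytes)
{
    uint32_t low = (uint32_t)bytes;
    int32_t out;
    memcpy(&out, &low, sizeof out);
    return out;
}

/* Strict parser: decimal digits only, no sign, no trailing text, and
 * ERANGE is an error instead of a silently clamped value. */
static int parse_quota(const char *s, uint64_t *out)
{
    char *end;
    if (!isdigit((unsigned char)s[0]))
        return -1;
    errno = 0;
    unsigned long long v = strtoull(s, &end, 10);
    if (errno == ERANGE || *end != '\0')
        return -1;
    *out = (uint64_t)v;
    return 0;
}

/* Usage as 0..100 in unsigned 64-bit math; limit 0 is taken as unlimited
 * (assumption of this example). */
static unsigned percent_used_u64(uint64_t used, uint64_t limit)
{
    if (limit == 0 || used >= limit)
        return limit ? 100 : 0;
    if (used > UINT64_MAX / 100)          /* used * 100 would overflow */
        return (unsigned)(used / (limit / 100));
    return (unsigned)(used * 100 / limit);
}

int main(void)
{
    uint64_t q;
    if (parse_quota("3221225472", &q) != 0)   /* 3*1024*1024*1024 */
        return 1;
    printf("%" PRIu64 " bytes in 64 bits, %" PRId32 " in 32 bits, %u%% used\n",
           q, wrap32(q), percent_used_u64(q / 2, q));
    return 0;
}
```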
Disclosure Timeline:
________________________________________
20/Apr/2009: Vendor is notified for the first time.
20/Apr/2009: Vendor responds that it was already fixed in the 5.5 branch.
23/Apr/2009: Vendor is notified again that the problem was not fixed.
23/Apr/2009: Vendor responds that there is no qmailadmin version compatible with the 5.5 branch yet.
29/Apr/2009: Vendor is asked when they are planning to release a patch or new version; no response was received.
8/May/2009: Public disclosure of the vulnerability.
References:
________________________________________
[1] http://www.inter7.com/index.php?page=vpopmail
[2] http://www.inter7.com/index.php?page=qmailadmin
This advisory was also published at http://www.sofistic.net/advisories/0901
– Jacobo Avariento Gimeno IT Security Department @ Sofistic Your security, our concern! http://sofistic.net