Security researchers from Qualys
The problem is caused by an integer overflow in the stralloc_readyplus() function that can occur when processing a very large message. Triggering it requires a 64-bit system with more than 4GB of virtual memory. In his initial analysis of the vulnerability in 2005, Daniel J. Bernstein argued that the code's assumption that the size of an allocated array always fits in a 32-bit value was justified because nobody gives gigabytes of memory to each process. Over the past 15 years, 64-bit systems have supplanted 32-bit systems on servers, and both the amount of memory available and network bandwidth have grown dramatically.
The maintainers of the qmail packages took Bernstein's remark into account and limited the memory available to the qmail-smtpd process at startup (Debian 10, for example, sets a limit of 7MB). But Qualys engineers found that this is not enough: besides qmail-smtpd, a remote attack can be carried out against the qmail-local process, which remained unrestricted in all tested packages. As proof, an exploit prototype was prepared that works against the Debian qmail package in its default configuration.
Achieving remote code execution with this attack requires 4GB of free disk space and 8GB of RAM on the server.
The exploit allows arbitrary shell commands to be run with the privileges of any user in the system except root and system users that have no subdirectory of their own under "/home" (the qmail-local process runs with the privileges of the local user to whom the message is being delivered).
The attack is carried out by sending a very large mail message whose header includes several lines of about 4GB and 576MB in size. Processing such a line in qmail-local while attempting to deliver the message to a local user causes an integer overflow. The integer overflow in turn causes a buffer overflow while copying data, making it possible to overwrite memory pages containing libc code. By manipulating the layout of the transmitted data it is possible, among other things, to rewrite the address of the "open()" function, replacing it with the address of "system()".
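The overflow pattern described above, as an added C model that is neither qmail's code nor Qualys's exploit (the function names and the grow-by-an-eighth-plus-30 capacity policy are assumptions): an unchecked 32-bit capacity computation wraps when a 576MB line arrives into a buffer already near 4GB, so the space requested is smaller than the data already held, while the hardened variant computes the requirement in 64 bits and refuses.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a stralloc-style growable buffer: both the bytes in
 * use and the bytes allocated are 32-bit, as the article describes. */
typedef struct {
    char *s;
    unsigned int len;   /* bytes in use */
    unsigned int a;     /* bytes allocated */
} buf32;

/* Capacity an unchecked "make room for n more bytes" step would request.
 * The growth policy (need + need/8 + 30) is an assumption for this model.
 * Because the addition is done in 32 bits, len + n wraps once it reaches
 * 4GB, and the returned capacity can be smaller than the bytes already held. */
unsigned int readyplus_capacity_unchecked(unsigned int len, unsigned int n)
{
    unsigned int need = len + n;        /* wraps modulo 2^32 */
    return 30 + need + (need >> 3);
}

/* Hardened variant: compute the requirement in 64 bits and return 0 (never a
 * valid capacity, since 30 is always added) when it does not fit in 32 bits. */
unsigned int readyplus_capacity_checked(unsigned int len, unsigned int n)
{
    uint64_t need = (uint64_t)len + n;
    uint64_t cap = 30 + need + (need >> 3);
    if (cap > UINT_MAX)
        return 0;                        /* caller must treat this as an allocation failure */
    return (unsigned int)cap;
}

int main(void)
{
    /* Constructed sample sizes: a buffer already near 4GB receiving a 576MB line. */
    unsigned int len = 0xF0000000u, n = 0x24000000u;
    unsigned int bad = readyplus_capacity_unchecked(len, n);
    unsigned int ok = readyplus_capacity_checked(len, n);
    printf("unchecked capacity %u is %s than len %u\n",
           bad, bad < len ? "smaller" : "larger", len);
    printf("checked capacity: %u (0 = refused)\n", ok);
    return 0;
}
```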
Next, while qmail-local calls qmesearch(), the file ".qmail-extension" is opened through open(), which now actually results in the call system(".qmail-extension"). Since the "extension" part of the file name is derived from the recipient address (for example, "localuser-extension@localdomain"), attackers can have a command executed by specifying "localuser-;command;@localdomain" as the recipient of the message.
The code analysis also revealed two vulnerabilities in the additional qmail-verify patch, which is part of the Debian package. First vulnerability (
As a workaround, Bernstein recommended running qmail processes with an overall limit on available memory ("softlimit -m12345678"), which blocks the problem. He also mentions limiting the maximum size of a processed message through the "control/databytes" file as an alternative protective measure (the file is not created by default, so qmail remains vulnerable with default settings). Moreover, "control/databytes" does not protect against local attacks by users of the system, since the limit is only enforced by qmail-smtpd.
The problem affects the package
Source: opennet.ru