Remotely exploited vulnerability in qmail mail server

Security researchers from Qualys have demonstrated that vulnerabilities in the qmail mail server, known since 2005 (CVE-2005-1513), are exploitable. They had been left unpatched because the qmail author argued that it was unrealistic to build a working exploit that could attack systems in the default configuration. Qualys has prepared an exploit that refutes this assumption and achieves remote code execution on the server by sending a specially crafted message.

The problem is an integer overflow in the stralloc_readyplus() function that can occur while processing a very large message. Exploitation requires a 64-bit system with more than 4GB of virtual memory. In his initial analysis of the vulnerability in 2005, Daniel J. Bernstein argued that the code's assumption that the size of an allocated array always fits in a 32-bit value was justified, because nobody gives gigabytes of memory to each process. Over the past 15 years, 64-bit systems have displaced 32-bit systems on servers, and the amount of memory installed and the available network bandwidth have grown dramatically.

The maintainers of the qmail packages took Bernstein's remark into account and limited the memory available to the qmail-smtpd process at startup (Debian 10, for example, sets a limit of 7MB). Qualys engineers found that this is not enough: besides qmail-smtpd, a remote attack can be carried out against the qmail-local process, which remained unrestricted in all the packages tested. As proof, a prototype exploit was prepared that works against the Debian qmail package in its default configuration.
Remote code execution requires 4GB of free disk space and 8GB of RAM on the server.
The exploit allows running arbitrary shell commands with the rights of any user on the system except root and system users that have no subdirectory of their own under "/home" (the qmail-local process runs with the rights of the local user to whom the message is delivered).

The attack is carried out by sending a very large mail message containing several header lines about 4GB and 576MB in size. Processing such a line in qmail-local causes an integer overflow when the message is delivered to a local user. The integer overflow in turn causes a buffer overflow while copying data, making it possible to overwrite memory pages containing libc code. By manipulating the layout of the transmitted data it is possible, among other things, to overwrite the address of the "open()" function with the address of the "system()" function.

Next, when qmail-local calls qmesearch(), the file ".qmail-extension" is opened via open(), which now results in a call to system(".qmail-extension"). Since the "extension" part of the file name is derived from the recipient address (for example, "localuser-extension@localdomain"), an attacker can have a command executed by specifying "localuser-;command;@localdomain" as the message recipient.

Code analysis also revealed two vulnerabilities in the qmail-verify add-on patch, which is part of the Debian package. The first (CVE-2020-3811) allows bypassing email address verification, and the second (CVE-2020-3812) leaks local information. In particular, the first vulnerability allows bypassing validation of the address used in the exploit to pass the command (the check does not apply to addresses without a domain, such as "localuser-;command;"). The second vulnerability can be used to check for the existence of files and directories on the system, including those accessible only to root (qmail-verify runs as root), through a direct call to the local handler.

As a workaround, Bernstein recommended running qmail processes with a total limit on available memory ("softlimit -m12345678"), which blocks the problem. He also mentions limiting the maximum size of a processed message via the "control/databytes" file as an alternative safeguard (the file is not created by default, so qmail remains vulnerable with default settings). Note that "control/databytes" does not protect against local attacks by users of the system, since the limit is only enforced by qmail-smtpd.
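The "softlimit -m" workaround above relies on an operating-system resource limit rather than a code change, so it is worth verifying that the limit actually bites. The following C program is an added illustration, not code from qmail, daemontools or Qualys; it assumes Linux with glibc, where malloc() of a large block creates a fresh mapping and returns NULL once the process's address-space limit (RLIMIT_AS, the resource that "softlimit -m" caps) is reached. It applies the cap in a forked child and reports whether a large allocation is refused, which is the check a defender wants after editing a qmail run script. The function names and the 8MB/32MB figures are ours.

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Cap the calling process's address space (RLIMIT_AS) at `bytes`, the
 * effect daemontools' "softlimit -m BYTES" has on the program it execs.
 * Returns 0 on success, -1 on failure (errno set). Linux is assumed. */
int apply_memory_softlimit(rlim_t bytes)
{
    struct rlimit rl;
    rl.rlim_cur = bytes;
    rl.rlim_max = bytes;
    return setrlimit(RLIMIT_AS, &rl);
}

/* Fork a child, cap it at limit_bytes (0 = keep the inherited limits), and
 * ask for `request` bytes with malloc. Returns 1 if the child got the
 * memory, 0 if malloc returned NULL or the child died, -1 if fork/waitpid
 * failed. The child neither prints nor touches the allocation: the question
 * is only whether the kernel allows the mapping to be created at all. */
int try_alloc_with_limit(rlim_t limit_bytes, size_t request)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (limit_bytes != 0 && apply_memory_softlimit(limit_bytes) != 0)
            _exit(2);
        void *p = malloc(request);
        _exit(p != NULL ? 0 : 1);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 1 : 0;
}

int main(void)
{
    /* A 32MB request under an 8MB cap must be refused; the same request
     * with no cap normally succeeds. */
    printf("32MB under 8MB cap: %s\n",
           try_alloc_with_limit(8u << 20, 32u << 20) == 1 ? "allocated" : "refused");
    printf("32MB uncapped:      %s\n",
           try_alloc_with_limit(0, 32u << 20) == 1 ? "allocated" : "refused");
    return 0;
}
```

In a real deployment the limit is set by the supervise run script before the qmail program is exec'd, and, as the article notes, the process that was left unrestricted in the tested packages was qmail-local, not qmail-smtpd; the cap has to cover every qmail program that parses attacker-controlled data.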

The problem affects the netqmail package included in the Debian repositories. A set of patches has been prepared for this package that fixes both the old vulnerabilities from 2005 (by adding hard memory limits to the alloc() function) and the new problems in qmail-verify. An updated version of the qmail-verify patch has been prepared separately. The developers of the notqmail fork have prepared their own patches to block the old problems and have also begun work on eliminating all possible integer overflows in the code.
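Both the root cause described earlier (a 32-bit length in stralloc_readyplus() that wraps on a 64-bit host with enough memory) and the fix just mentioned (a hard cap in the allocator) come down to one missing arithmetic check. The C code below is an added, simplified illustration of that check and is not qmail's or netqmail's code; it uses its own type and function names, keeps qmail's choice of 32-bit unsigned sizes so the wrap is visible, and picks an illustrative cap of 0x7fffffff bytes. Its point is that a growable-buffer helper must refuse a request whose size computation would wrap, before any allocation or copy happens.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-in for a qmail-style growable string. As in qmail's
 * stralloc, the in-use and allocated sizes are 32-bit unsigned ints, which
 * is exactly what lets "len + n" wrap on a 64-bit host with enough memory.
 * Type and function names here are ours, not qmail's. */
typedef struct {
    char *s;
    unsigned int len;   /* bytes in use */
    unsigned int a;     /* bytes allocated */
} gstr;

/* Hard cap on any single buffer, playing the role of the limit the netqmail
 * fix adds to alloc(). The value is an illustrative choice. */
#define GSTR_MAX_ALLOC 0x7fffffffu

/* Work out the allocation size needed to hold len + n bytes plus headroom.
 * Returns 1 and stores the size in *out, or 0 if the 32-bit addition would
 * wrap or the result would exceed GSTR_MAX_ALLOC. The wrap check is the
 * step the unpatched code lacked. */
int gstr_grow_size(unsigned int len, unsigned int n, unsigned int *out)
{
    if (n > UINT_MAX - len)         /* len + n would wrap to a small value */
        return 0;
    unsigned int need = len + n;
    if (need > GSTR_MAX_ALLOC)      /* above the hard cap */
        return 0;
    /* Add growth headroom (need/8 + 30) only when it also fits under the cap. */
    unsigned int extra = need / 8 + 30;
    *out = (extra <= GSTR_MAX_ALLOC - need) ? need + extra : need;
    return 1;
}

/* Make room for n more bytes. Returns 1 on success, 0 on overflow or OOM;
 * on 0 the buffer is untouched, so a caller that checks the result never
 * copies past the end. */
int gstr_readyplus(gstr *x, unsigned int n)
{
    if (x->s && x->a - x->len >= n)
        return 1;                   /* already enough room */
    unsigned int want;
    if (!gstr_grow_size(x->len, n, &want)) {
        errno = EOVERFLOW;
        return 0;
    }
    char *p = realloc(x->s, want);
    if (!p)
        return 0;
    x->s = p;
    x->a = want;
    return 1;
}

/* Append n bytes; fails cleanly instead of writing past the buffer. */
int gstr_append(gstr *x, const char *src, unsigned int n)
{
    if (!gstr_readyplus(x, n))
        return 0;
    memcpy(x->s + x->len, src, n);
    x->len += n;
    return 1;
}

void gstr_free(gstr *x)
{
    free(x->s);
    x->s = NULL;
    x->len = x->a = 0;
}

/* Append two constructed fragments and return the resulting length
 * (11 for "hello" + " world"), or 0 if any step failed. */
unsigned int gstr_demo_append(void)
{
    gstr x = { NULL, 0, 0 };
    unsigned int len = 0;
    if (gstr_append(&x, "hello", 5) && gstr_append(&x, " world", 6))
        len = (memcmp(x.s, "hello world", 11) == 0) ? x.len : 0;
    gstr_free(&x);
    return len;
}

int main(void)
{
    unsigned int want;
    /* A length just below 4GB plus a small append: the wrapped 32-bit sum
     * would have been 0x100, a tiny allocation followed by a huge copy. */
    printf("grow 0xFFFFFF00 + 0x200: %s\n",
           gstr_grow_size(0xFFFFFF00u, 0x200u, &want) ? "ok" : "refused");
    printf("append demo length: %u\n", gstr_demo_append());
    return 0;
}
```

The refusal path is the important one: a size computation that wraps would otherwise hand realloc() a small number and then let the caller copy gigabytes into it, which is the integer-overflow-to-buffer-overflow chain the article describes.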

Source: opennet.ru
