QMail Commands() Function Remote Integer Overflow Vulnerability
BID:13535
Info
QMail Commands() Function Remote Integer Overflow Vulnerability
| Bugtraq ID: | 13535 |
| Class: | Design Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 06 2005 12:00AM |
| Updated: | May 06 2005 12:00AM |
| Credit: | Georgi Guninski <[email protected]> disclosed this vulnerability. |
| Vulnerable: |
Dan Bernstein QMail 1.0 3 Dan Bernstein QMail 1.0 2 |
| Not Vulnerable: | |
Discussion
QMail Commands() Function Remote Integer Overflow Vulnerability
QMail is susceptible to a remote integer overflow vulnerability in the commands() function.
Specifically, the commands() function can be coerced into overflowing an integer value, resulting in overwriting an unintended location with a NULL byte. This may only be possible in environments where more than 4 gigabytes of virtual memory is available, such as 64 bit systems.
This vulnerability may be exploited to execute arbitrary machine code in the context of the affected application.
QMail is susceptible to a remote integer overflow vulnerability in the commands() function.
Specifically, the commands() function can be coerced into overflowing an integer value, resulting in overwriting an unintended location with a NULL byte. This may only be possible in environments where more than 4 gigabytes of virtual memory is available, such as 64 bit systems.
This vulnerability may be exploited to execute arbitrary machine code in the context of the affected application.
Exploit / POC
QMail Commands() Function Remote Integer Overflow Vulnerability
A proof of concept denial of service exploit for this issue is provided at:
http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
The integrity of this external Web site is not guaranteed by Symantec.
The 'qpopup2.pl' proof of concept exploit has been added to this web site. This exploit demonstrates remote code execution.
A proof of concept denial of service exploit for this issue is provided at:
http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
The integrity of this external Web site is not guaranteed by Symantec.
The 'qpopup2.pl' proof of concept exploit has been added to this web site. This exploit demonstrates remote code execution.
Solution / Fix
QMail Commands() Function Remote Integer Overflow Vulnerability
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] <mailto:[email protected]>.
References
QMail Commands() Function Remote Integer Overflow Vulnerability
References:
References:
- 64 bit qmail fun (Georgi Guninski
) - Qmail Homepage (Dan Bernstein)