Vulnerabilities > CVE-2007-5740 - USE of Externally-Controlled Format String vulnerability in Vergenet Perdition Mail Retrieval Proxy

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
vergenet
CWE-134
nessus
exploit available

Summary

The format string protection mechanism in IMAPD for Perdition Mail Retrieval Proxy 1.17 and earlier allows remote attackers to execute arbitrary code via an IMAP tag containing a null byte followed by a format string specifier. The specifier after the null byte is not counted by the mechanism (which presumably treats the null byte as the end of the tag), so the tag still reaches the formatting function and is interpreted as a format string.

Vulnerable Configurations

Part Description Count
Application
Vergenet
1

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Format String Injection
    An attacker includes formatting characters in a string input field on the target application. Most applications assume that users will provide static text and may respond unpredictably to the presence of formatting characters. For example, in certain functions of the C programming language such as printf, the directive %s prints the contents of a memory location, expecting that location to hold a string, and the directive %n writes the number of characters output so far into the integer that the corresponding argument points to. An attacker can use this to read or write memory locations or files, or simply to manipulate the value of the resulting text in unexpected ways. Reading or writing memory may result in program crashes, and writing memory can lead to the execution of arbitrary code if the attacker can overwrite a control-flow value such as a saved return address.
  • String Format Overflow in syslog()
    This attack targets the format string vulnerabilities in the syslog() function. An attacker would typically inject malicious input in the format string parameter of the syslog function. This is a common problem, and many public vulnerabilities and associated exploits have been posted.

Exploit-Db

descriptionPerdition 1.17 IMAPD __STR_VWRITE Remote Format String Vulnerability. CVE-2007-5740. DoS exploit for the Linux platform (classified by Exploit-DB as a denial-of-service exploit, i.e. a crash proof-of-concept rather than a demonstrated code-execution exploit).
idEDB-ID:30724
last seen2016-02-03
modified2007-10-31
published2007-10-31
reporterBernhard Mueller
sourcehttps://www.exploit-db.com/download/30724/
titlePerdition 1.17 IMAPD __STR_VWRITE Remote Format String Vulnerability

Nessus

  • NASL familyGain a shell remotely
    NASL idPERDITION_TAG_FORMAT_STRING.NASL
    descriptionThe remote IMAP service is actually a Perdition IMAP proxy. The version of Perdition installed on the remote host appears to be affected by a format string vulnerability in which it copies the IMAP tag into a character buffer without first validating it and then passes it to 'vsnprintf()' as a format string. An unauthenticated remote attacker may be able to leverage this to execute arbitrary code with the privileges under which the proxy runs (by default 'nobody'), although OS and compiler protections may make reliable exploitation difficult.
    last seen2020-06-01
    modified2020-06-02
    plugin id27598
    published2007-11-01
    reporterThis script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/27598
    titlePerdition IMAPD IMAP Tag Remote Format String Arbitrary Code Execution
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    
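    include("compat.inc");
    
    if (description)
    {
      script_id(27598);
      script_version("1.12");
    
      script_cve_id("CVE-2007-5740");
      script_bugtraq_id(26270);
    
      script_name(english:"Perdition IMAPD IMAP Tag Remote Format String Arbitrary Code Execution");
      script_summary(english:"Sends a bogus IMAP tag");
    
      script_set_attribute(attribute:"synopsis", value:"The remote IMAP server is affected by a format string vulnerability.");
      script_set_attribute(attribute:"description", value:
    "The remote IMAP service is actually a Perdition IMAP proxy. 
    
    The version of Perdition installed on the remote host appears to be
    affected by a format string vulnerability in which it copies the IMAP
    tag into a character buffer without first validating it and then
    passes it to 'vsnprintf()' as a format string.  An unauthenticated
    remote attacker may be able to leverage this issue to execute
    arbitrary code on the remote host subject to the permissions under
    which the proxy runs, by default 'nobody'. 
    
    Note that exploiting this to actually execute code may be difficult
    due to OS and compiler security features.");
      script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/archive/1/483034");
      script_set_attribute(attribute:"solution", value:"Upgrade to Perdition version 1.17.1 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(134);
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/01");
      script_cvs_date("Date: 2018/11/15 20:50:22");
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_end_attributes();
    
      # ACT_ATTACK: the probe sent below is expected to crash the target's
      # connection handler on a vulnerable host. Do not run this against
      # production mail infrastructure without an agreed maintenance window.
      script_category(ACT_ATTACK);
      script_family(english:"Gain a shell remotely");
    
      script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
    
      script_dependencies("find_service2.nasl");
      script_require_ports("Services/imap", 143);
    
      exit(0);
    }
    
    
    #
    # Remote check.
    #
    # 1. Fingerprint Perdition by the distinctive "BAD Missing command, mate"
    #    reply it gives to an unknown command.
    # 2. Send a tag carrying a "%n" directive followed by a NUL byte. An
    #    unpatched proxy passes the tag to vsnprintf() as a format string;
    #    the resulting %n write is expected to kill the connection handler,
    #    and the missing reply is what this plugin reports on.
    #
    
    port = get_kb_item("Services/imap");
    if (!port) port = 143;
    if (!get_port_state(port)) exit(0);
    
    
    # Connect and read the greeting; a listener that says nothing is not probed.
    soc = open_sock_tcp(port);
    if (!soc) exit(0);
    
    greeting = recv_line(socket:soc, length:1024);
    if (!strlen(greeting))
    {
      close(soc);
      exit(0);
    }
    
    
    # Fingerprint first: send an unknown command (tagged with this script's
    # name) so nothing destructive is sent to a server that is not Perdition.
    tag = SCRIPT_NAME;
    send(socket:soc, data:string(tag, "\r\n"));
    reply = recv_line(socket:soc, length:1024);
    if (!strlen(reply))
    {
      close(soc);
      exit(0);
    }
    
    expected = string(tag, " BAD Missing command, mate");
    if (chomp(reply) == expected)
    {
      # The probe: "abc%n" followed by a trailing NUL. On a vulnerable proxy the
      # %n write is expected to crash the handler, so no reply comes back.
      probe = raw_string("abc%n", 0x00);
      send(socket:soc, data:string(probe, "\r\n"));
      reply = recv_line(socket:soc, length:1024);
      if (!strlen(reply))
      {
        # NOTE(review): a read timeout on a very slow proxy yields the same
        # empty string as a crashed handler, so this path can misreport;
        # nothing in the reply itself distinguishes the two cases.
        security_hole(port);
        # Every other exit path closes the socket; the original left it open here.
        close(soc);
        exit(0);
      }
    }
    
    
    # Either not Perdition, or the proxy survived the probe (patched): log out.
    send(socket:soc, data:'a1 LOGOUT\r\n');
    recv_line(socket:soc, length:1024);
    close(soc);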
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-1398.NASL
    descriptionBernhard Mueller of SEC Consult has discovered a format string vulnerability in perdition, an IMAP proxy. This vulnerability could allow an unauthenticated remote user to run arbitrary code on the perdition server by providing a specially formatted IMAP tag.
    last seen2020-06-01
    modified2020-06-02
    plugin id27628
    published2007-11-06
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27628
    titleDebian DSA-1398-1 : perdition - format string error
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1398. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27628);
      script_version("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2007-5740");
      script_xref(name:"DSA", value:"1398");
    
      script_name(english:"Debian DSA-1398-1 : perdition - format string error");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "Bernhard Mueller of SEC Consult has discovered a format string
    vulnerability in perdition, an IMAP proxy. This vulnerability could
    allow an unauthenticated remote user to run arbitrary code on the
    perdition server by providing a specially formatted IMAP tag.");
      script_set_attribute(attribute:"see_also", value:"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=448853");
      script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2007/dsa-1398");
      script_set_attribute(attribute:"solution", value:
    "Upgrade the perdition package.
    
    For the old stable distribution (sarge), this problem has been fixed
    in version 1.15-5sarge1.
    
    For the stable distribution (etch), this problem has been fixed in
    version 1.17-7etch1.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(134);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:perdition");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    # Local (dpkg-based) check: requires credentialed access and a package list.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Every binary package built from the perdition source is compared against
    # the fixed version DSA-1398 names for its release (sarge = 3.1, etch = 4.0).
    perdition_pkgs = make_list(
      "perdition",
      "perdition-dev",
      "perdition-ldap",
      "perdition-mysql",
      "perdition-odbc",
      "perdition-postgresql"
    );
    fixed_versions = make_array(
      "3.1", "1.15-5sarge1",
      "4.0", "1.17-7etch1"
    );
    
    vulnerable = 0;
    foreach release (make_list("3.1", "4.0"))
    {
      foreach pkg (perdition_pkgs)
      {
        if (deb_check(release:release, prefix:pkg, reference:fixed_versions[release])) vulnerable++;
      }
    }
    
    if (vulnerable)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_617A40218BF011DCBFFA0016179B2DD5.NASL
    descriptionSEC-Consult reports : Perdition IMAP is affected by a format string bug in one of its IMAP output-string formatting functions. The bug allows the execution of arbitrary code on the affected server. A successful exploit does not require prior authentication.
    last seen2020-06-01
    modified2020-06-02
    plugin id27640
    published2007-11-06
    reporterThis script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/27640
    titleFreeBSD : perdition -- str_vwrite format string vulnerability (617a4021-8bf0-11dc-bffa-0016179b2dd5)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from the FreeBSD VuXML database :
    #
    # Copyright 2003-2018 Jacques Vidrine and contributors
    #
    # Redistribution and use in source (VuXML) and 'compiled' forms (SGML,
    # HTML, PDF, PostScript, RTF and so forth) with or without modification,
    # are permitted provided that the following conditions are met:
    # 1. Redistributions of source code (VuXML) must retain the above
    #    copyright notice, this list of conditions and the following
    #    disclaimer as the first lines of this file unmodified.
    # 2. Redistributions in compiled form (transformed to other DTDs,
    #    published online in any format, converted to PDF, PostScript,
    #    RTF and other formats) must reproduce the above copyright
    #    notice, this list of conditions and the following disclaimer
    #    in the documentation and/or other materials provided with the
    #    distribution.
    # 
    # THIS DOCUMENTATION IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS "AS IS"
    # AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
    # THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
    # PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS
    # BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
    # OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
    # OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
    # BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
    # WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
    # OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS DOCUMENTATION,
    # EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(27640);
      script_version("1.15");
      script_cvs_date("Date: 2019/08/02 13:32:38");
    
      script_cve_id("CVE-2007-5740");
      script_bugtraq_id(26270);
      script_xref(name:"Secunia", value:"27458");
    
      script_name(english:"FreeBSD : perdition -- str_vwrite format string vulnerability (617a4021-8bf0-11dc-bffa-0016179b2dd5)");
      script_summary(english:"Checks for updated package in pkg_info output");
    
      script_set_attribute(attribute:"synopsis", value:"The remote FreeBSD host is missing a security-related update.");
      script_set_attribute(attribute:"description", value:
    "SEC-Consult reports :
    
    Perdition IMAP is affected by a format string bug in one of its IMAP
    output-string formatting functions. The bug allows the execution of
    arbitrary code on the affected server. A successful exploit does not
    require prior authentication.");
      # Vendor advisory: http://www.sec-consult.com/300.html
      script_set_attribute(attribute:"see_also", value:"https://www.sec-consult.com/300.html");
      # VuXML entry: https://vuxml.freebsd.org/freebsd/617a4021-8bf0-11dc-bffa-0016179b2dd5.html
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?01426f94");
      script_set_attribute(attribute:"solution", value:"Update the affected package.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_core", value:"true");
      script_cwe_id(134);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:freebsd:freebsd:perdition");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:freebsd:freebsd");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/10/31");
      script_set_attribute(attribute:"patch_publication_date", value:"2007/11/05");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/06");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"FreeBSD Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/FreeBSD/release", "Host/FreeBSD/pkg_info");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("freebsd_package.inc");
    
    
    # Local (pkg_info-based) check: requires credentialed access and a package list.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/FreeBSD/release")) audit(AUDIT_OS_NOT, "FreeBSD");
    if (!get_kb_item("Host/FreeBSD/pkg_info")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # 1.17.1 is the first port release carrying the str_vwrite fix; anything
    # older is reported, with the matching package recorded for the report.
    if (pkg_test(save_report:TRUE, pkg:"perdition<1.17.1"))
    {
      if (report_verbosity > 0) security_hole(port:0, extra:pkg_report_get());
      else security_hole(0);
      exit(0);
    }
    
    audit(AUDIT_HOST_NOT, "affected");