-= Unl0ck Team Security Advisory =-

... the best way of protection is attack

http://unl0ck.net.ru || http://unl0ck.blackhatz.info

Advisory     : #6 by unl0ck team
Product      : vpopmail (latest version and older)
Vendor       : http://sourceforge.net/projects/vpopmail
Date         : 19.09.2004
Impact       : format string vulnerability
Advisory URL : http://unl0ck.blackhatz.info/advisories/vpopmail2.txt
               or http://unl0ck.net.ru/advisories/vpopmail2.txt

-=[ Overview

Vpopmail is a set of programs for creating and managing multiple virtual
domains on a qmail server.

]=-

-=[ Vulnerability

In vactivedir.c I found a format string vulnerability. The vulnerable
function uses fprintf() to copy data to a file. See:

    int vdel_ip_map( char *ip, char *domain)
    {
        FILE *fs;
        FILE *fs1;
        ...
        while( fgets(tmpbuf, 156, fs) != NULL ) {
            strncpy(tmpbuf1, tmpbuf, 156);
            ...
            fprintf(fs1, tmpbuf1);   // <= format string bug!!!
            ...
        }

Data is copied to the file without format string checking: the line read
from the file is passed to fprintf() as the format argument itself, so any
'%' conversion it contains is interpreted rather than written literally.
To avoid the bug use this:

    fprintf(fs1, "%s", tmpbuf1);

Tom (author of vpopmail) said that he has patched this bug, and the bugfix
will be in the upcoming 5.4.7 release. OK, waiting for the new version...

]=-

I don't want to publish an exploit, to avoid kids' usage.

-=[ Credits

Found this bug - D4rk Eagle
mailto:darkeagle@list.ru

]=-
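The following is an added example, not code from the advisory or from vpopmail. It rewrites the copy loop from vdel_ip_map() with the fix the advisory recommends (fprintf(fs1, "%s", tmpbuf1)) and runs it over a constructed in-memory ip map that contains a line full of '%' directives, so you can see the line come out literally. The "skip the line whose first field equals the ip being deleted" logic, the MAPLINE size name, and the fmemopen()-based harness are assumptions standing in for the parts of the function the advisory elides.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#endif
#include <stdio.h>
#include <string.h>

#define MAPLINE 156   /* same line buffer size the vpopmail loop uses */

/* Hardened version of the copy loop in vdel_ip_map(). The original called
 * fprintf(fs1, tmpbuf1), so a line from the ip map file became the format
 * string. Here the line is always an argument to the fixed format "%s".
 * Lines whose first whitespace-separated field equals skip_ip are dropped;
 * that matching rule is an assumption, not vpopmail's code.
 * Returns the number of lines written. */
int copy_ip_map_lines(FILE *fs, FILE *fs1, const char *skip_ip)
{
    char tmpbuf[MAPLINE];
    char tmpbuf1[MAPLINE];
    int written = 0;

    while (fgets(tmpbuf, sizeof tmpbuf, fs) != NULL) {
        strncpy(tmpbuf1, tmpbuf, sizeof tmpbuf1);
        tmpbuf1[sizeof tmpbuf1 - 1] = '\0';   /* strncpy may not NUL-terminate */

        size_t iplen = strcspn(tmpbuf1, " \t\n");
        if (skip_ip != NULL && strlen(skip_ip) == iplen &&
            strncmp(tmpbuf1, skip_ip, iplen) == 0)
            continue;                          /* the mapping being deleted */

        fprintf(fs1, "%s", tmpbuf1);           /* data is an argument, never the format */
        written++;
    }
    return written;
}

/* Runs the hardened loop over an in-memory input and collects the output
 * in 'out'. fmemopen() is POSIX (glibc); fclose() on the "w" stream
 * NUL-terminates the buffer when there is room. Returns lines written, -1 on error. */
int demo_copy(const char *input, const char *skip_ip, char *out, size_t outlen)
{
    FILE *fs  = fmemopen((void *)input, strlen(input), "r");
    FILE *fs1 = fmemopen(out, outlen, "w");
    if (fs == NULL || fs1 == NULL) {
        if (fs)  fclose(fs);
        if (fs1) fclose(fs1);
        return -1;
    }
    int n = copy_ip_map_lines(fs, fs1, skip_ip);
    fclose(fs);
    fclose(fs1);
    return n;
}

/* Constructed sample ip map; the second line would have been interpreted
 * as a format string by the original fprintf(fs1, tmpbuf1). */
static const char SAMPLE_MAP[] =
    "10.0.0.1 example.com\n"
    "10.0.0.2 %s%s%s%n evil.example\n"
    "10.0.0.3 other.example\n";

/* Returns the line count if the hardened copy of SAMPLE_MAP (minus skip_ip)
 * equals 'expected' byte for byte, otherwise -1. */
int demo_matches(const char *skip_ip, const char *expected)
{
    char out[512];
    int n = demo_copy(SAMPLE_MAP, skip_ip, out, sizeof out);
    return (n >= 0 && strcmp(out, expected) == 0) ? n : -1;
}

int main(void)
{
    char out[512];
    int n = demo_copy(SAMPLE_MAP, "10.0.0.1", out, sizeof out);
    printf("%d lines written, '%%' sequences preserved literally:\n%s", n, out);
    return 0;
}
```

The point to take from the run is that the '%s%s%s%n' line reaches the output unchanged; with the original call it would instead have driven fprintf()'s argument parsing. When auditing for this class of bug, look for any *printf-family call whose format argument is not a string literal.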