High security hole in NullLogic Groupware

2009.07.11
Credit: Tim Brown
Risk: High
Local: No
Remote: Yes

Hi, I've identified a couple of security flaws affecting the NullLogic Groupware which may allow compromise of accounts, denial of service or even remote code execution. These issues were reported by email to the developer but no response was forthcoming.

Tim
--
Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>

Nth Dimension Security Advisory (NDSA20090413)

Date: 13th April 2009
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: Groupware 1.2.7 <http://nullwebmail.sourceforge.net/groupware/>
Vendor: NullLogic (Dan Cahill) <http://nullwebmail.sourceforge.net/>
Risk: High

Summary

This advisory comes in 3 related parts:

1) Groupware supports a number of database servers including SQLite and MySQL. During configuration, it is set up to use these for the storage of data including credentials. The functions which access the configured database do not sanitise all input satisfactorily. This can lead to SQL injection allowing compromise of the Groupware server.

2) Groupware includes a fully featured forum which is available to authenticated users. The functions called by the web application when this is accessed do not validate all input satisfactorily. It is possible to supply malformed data as one of the parameters which causes an exception, allowing a denial of service condition to be effected.

3) When Groupware is configured to use the PostgreSQL database server backend, a programming error within the database functions of the POP3, SMTP and web components of Groupware may allow longer than expected strings to be written to the stack. This could lead to a stack overflow allowing compromise of the Groupware server.

Technical Details

1) Groupware typically calls the sql_queryf function when talking to the database server. As with printf and friends, this takes a C format string and other parameters specific to the operation and constructs an SQL query which is then passed to the appropriate database function. For example, from the Groupware web application (which is typically found on port 4110), the user is presented with a login page. When an attempt is made to log in, queries are generated by the auth_checkpass function as follows:

    if ((sqr=sql_queryf(sid, "SELECT userid, password FROM gw_users WHERE username = '%s' and enabled > 0", sid->dat->user_username))<0) {

Since we can control the value of sid->dat->user_username from the username parameter of requests to the login page, we can influence the actual SQL query which is executed by the database server, as the value is insufficiently sanitised before being interpolated into the format string. Note that a significant percentage of all database calls are susceptible as described.

2) The Groupware web application's forum module takes a parameter to select the forum that the user wishes to access. The parameter is incorrectly validated, leading to an exception being thrown when the fmessagelist function is passed a forum parameter that is either an empty or a non-numeric string.

3) Consider the following function which is called when Groupware is configured to use a PostgreSQL database server:

    int pgsqlQuery(CONN *sid, int sqr, char *sqlquery)
    {
        ...
        char query[8192];
        ...
        memset(query, 0, sizeof(query));
        snprintf(query, sizeof(query)-1, "DECLARE myportal CURSOR FOR ");
        strncat(query, sqlquery, sizeof(query));
        ...
    }

As you can see, it allocates an 8192 byte buffer for query on the stack and proceeds to construct an SQL query. The problem lies in that it starts the string construction with a fixed length string of 28 bytes before concatenating up to 8192 bytes (the size of query previously allocated on the stack) onto it: the third argument to strncat bounds the number of bytes appended, not the size of the destination buffer. The total amount of data written to the stack (8220 bytes) is therefore greater than that which was initially allocated. In theory this could lead to the previous function's base pointer (%ebp) and return address (%eip) being blown away if the value of sqlquery passed is longer than 8163 bytes. Note this code can be found in a number of locations within the Groupware source.

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues at the current time. The developer was contacted on Monday, 13th April 2009 but no response was forthcoming.
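The arithmetic behind part 3, and a bounded way to build the same cursor query, as an added example that is not Groupware code or the advisory's own: build_cursor_query and try_sql_len are hypothetical names, the 8192-byte buffer and 28-byte prefix are the ones the advisory quotes, and the sqlquery input is constructed here.

```c
#include <stdlib.h>
#include <string.h>

#define QUERY_BUF 8192                      /* same size as pgsqlQuery's stack buffer */
static const char CURSOR_PREFIX[] = "DECLARE myportal CURSOR FOR ";   /* 28 bytes */

/* Hypothetical hardened builder for the query that pgsqlQuery() assembles.
 * Returns the length of the built query, or -1 if prefix + sqlquery + NUL
 * would not fit in querysz bytes. It refuses rather than truncates: a
 * silently truncated SQL statement is not the one the caller asked for. */
int build_cursor_query(char *query, size_t querysz, const char *sqlquery)
{
    size_t prefix_len = strlen(CURSOR_PREFIX);
    size_t sql_len = strlen(sqlquery);

    if (querysz < prefix_len + 1 || sql_len > querysz - prefix_len - 1)
        return -1;
    memcpy(query, CURSOR_PREFIX, prefix_len);
    memcpy(query + prefix_len, sqlquery, sql_len + 1);   /* copies the NUL too */
    return (int)(prefix_len + sql_len);
}

/* Worst-case bytes the original sequence writes before its terminating NUL:
 * strncat's third argument limits the bytes appended, not the destination
 * size, so up to sizeof(query) bytes follow the 28-byte prefix. */
size_t original_worst_case_bytes(size_t querysz)
{
    return strlen(CURSOR_PREFIX) + querysz;   /* 8220 for an 8192-byte buffer */
}

/* Runs a constructed sqlquery of sql_len 'A' bytes through the hardened
 * builder with an 8192-byte buffer and returns the builder's result, so the
 * 8163-byte threshold from the advisory can be checked directly. */
int try_sql_len(size_t sql_len)
{
    char query[QUERY_BUF];
    char *sql = malloc(sql_len + 1);
    int rc;
    if (sql == NULL)
        return -2;
    memset(sql, 'A', sql_len);
    sql[sql_len] = '\0';
    rc = build_cursor_query(query, sizeof(query), sql);
    free(sql);
    return rc;
}
```

An 8163-byte sqlquery is the longest the bounded builder accepts (28 + 8163 + NUL = 8192); one byte more is refused instead of overrunning the buffer.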

References:

http://www.securityfocus.com/archive/1/archive/1/504737/100/0/threaded

