Mon May 28 13:55:32 EEST 2018

Stories from the past: the qmail-smtpd on freebsd exploit


The qmail-smtpd exploit on FreeBSD is probably the most braggable
of my exploits. The advisory is at [1] and is rather short.
Don't assume it is so because of "if it was hard to write, it must be
hard to understand".

I don't like this exploit much; the *BSD kernel stuff is better IMHO.

The provably exploitable part of the advisory is:
---
char *p;
int i; /*XXX signed int*/
...
p[i]=0; /* with negative i this writes before the start of p */
---

In case $i$ is negative, this is an out-of-bounds write. It is not an
integer overflow, more like memory corruption.
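As an added example (not code from the advisory or from qmail itself), the pattern above sits next to a checked variant: the index stays a signed int, but the write is refused when it is negative or past the end, and lengths are converted to int only when they fit. The buffer struct, function names and the 16-byte constructed buffer are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer abstraction; qmail does not use this struct. */
struct buf {
    char *p;
    size_t len;
};

/* Mirrors the advisory's p[i]=0 pattern, but instead of performing the
   write it reports whether p[i] would land inside the buffer.  A
   negative i addresses memory before p, which is the defect at issue. */
bool index_in_bounds(const struct buf *b, int i)
{
    return i >= 0 && (size_t)i < b->len;
}

/* Hardened terminator write: rejects negative and oversized indices
   before touching memory.  Returns 0 on success, -1 when refused. */
int terminate_at(struct buf *b, int i)
{
    if (!index_in_bounds(b, i))
        return -1;
    b->p[i] = 0;
    return 0;
}

/* Sizes belong in size_t; only narrow to int when the value fits, so a
   length above INT_MAX can never turn into a negative index. */
int index_from_length(size_t n, int *out)
{
    if (n > (size_t)INT_MAX)
        return -1;
    *out = (int)n;
    return 0;
}

/* Helpers over a constructed 16-byte buffer (assumed test data). */
int demo_would_write_oob(int i)
{
    char storage[16];
    struct buf b = { storage, sizeof storage };
    return index_in_bounds(&b, i) ? 0 : 1;
}

int demo_negative_index_rejected(void)
{
    char storage[16];
    struct buf b = { storage, sizeof storage };
    return terminate_at(&b, -1);        /* refused: -1 */
}

int demo_valid_index_terminates(void)
{
    char storage[16];
    struct buf b = { storage, sizeof storage };
    memset(storage, 'A', sizeof storage);
    if (terminate_at(&b, 5) != 0)
        return -1;
    return (int)strlen(storage);        /* NUL placed at 5 -> 5 */
}

int demo_huge_length_rejected(void)
{
    int i = 0;
    return index_from_length((size_t)INT_MAX + 1u, &i);   /* -1 */
}

int main(void)
{
    printf("p[-1] out of bounds: %d\n", demo_would_write_oob(-1));
    printf("negative index rejected: %d\n", demo_negative_index_rejected());
    printf("valid index -> strlen: %d\n", demo_valid_index_terminates());
    printf("length > INT_MAX rejected: %d\n", demo_huge_length_rejected());
    return 0;
}
```

The check is deliberately written as `i < 0 || (size_t)i >= len`; casting first and comparing only the unsigned value would turn a negative index into a huge one that still fails the bound, but the explicit sign test keeps the intent readable to the next reviewer.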

The process of discovery was rational [^2] dirty labour:
1. analyze
2. test
3. in case of failure (almost surely it fails) repeat
4. return SUCCESS

The process took _long_. I temporarily gave up several times, until I
pressed the lucky keys.

Exploitability required about 20GB of virtual memory.

djb basically replied: "This is not a bug, this is a feature. Nobody gives so
much virtual memory to qmail".

The strongest counterclaims to djb's answer are:
1. The installation instructions don't mention limits
2. In the future libc alone can become larger than the limits

[1] http://www.guninski.com/where_do_you_want_billg_to_go_today_4.html
[^2]: in math irrational and transcendental stuff are more interesting
than rational stuff.
