Nth Dimension Security Advisory (NDSA20090413)

Date: 13th April 2009
Author: Tim Brown
URL: /
Product: Groupware 1.2.7
Vendor: NullLogic (Dan Cahill)
Risk: High

Summary

This advisory comes in 3 related parts:

1) Groupware supports a number of database servers including SQLite and MySQL. During configuration, it is set up to use these for the storage of data including credentials. The functions which access the configured database do not sanitise all input satisfactorily. This can lead to SQL injection allowing compromise of the Groupware server.

2) Groupware includes a fully featured forum which is available to authenticated users. The functions called by the web application when this is accessed do not validate all input satisfactorily. It is possible to supply malformed data as one of the parameters, which causes an exception and allows a denial of service condition to be effected.

3) When Groupware is configured to use the PostgreSQL database server backend, a programming error within the database functions of the POP3, SMTP and web components of Groupware may allow longer than expected strings to be written to the stack. This could lead to a stack overflow allowing compromise of the Groupware server.

Technical Details

1) Groupware typically calls the sql_queryf function when talking to the database server. As with printf and friends, this takes a C format string and other parameters specific to the operation and constructs an SQL query which is then passed to the appropriate database function. For example, the Groupware web application (which typically listens on port 4110) presents the user with a login page. When an attempt is made to log in, queries are generated by the auth_checkpass function as follows:

    if ((sqr=sql_queryf(sid, "SELECT userid, password FROM gw_users WHERE username = '%s' and enabled > 0", sid->dat->user_username))<0) {

Since the value of sid->dat->user_username is taken from the username parameter of requests to the login page, the SQL query which the database server executes can be influenced, as that value is insufficiently sanitised. Note that a significant percentage of all database calls are susceptible as described.

2) The Groupware web application's forum module takes a parameter to select the forum that the user wishes to access. The parameter is incorrectly validated, leading to an exception being thrown when the fmessagelist function is passed a forum parameter which is either an empty or a non-numeric string.

3) Consider the following function, which is called when Groupware is configured to use a PostgreSQL database server:

    int pgsqlQuery(CONN *sid, int sqr, char *sqlquery)
    {
        ...
        char query[8192];                      /* 8192-byte buffer on the stack */
        ...
        memset(query, 0, sizeof(query));
        snprintf(query, sizeof(query)-1, "DECLARE myportal CURSOR FOR ");
        strncat(query, sqlquery, sizeof(query)); /* bound is the whole buffer, not the space remaining */
        ...
    }

As you can see, it allocates an 8192-byte buffer for query on the stack and proceeds to construct an SQL query. The problem is that it starts the string construction with a fixed-length string of 28 bytes before concatenating up to 8192 bytes (the size of query previously allocated on the stack). The total amount of data written to the stack (8220 bytes) is therefore greater than that which was initially allocated. In theory this could lead to the previous function's base pointer (%ebp) and return address (%eip) being overwritten if the value of sqlquery passed is longer than 8163 bytes. Note that this code can be found in a number of locations within the Groupware source.

Solutions

Unfortunately, Nth Dimension are unaware of any fixes for these issues at the current time. The developer was contacted on Monday, 13th April 2009 but no response was forthcoming.
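The following C program is an added illustration of part 3 of the Technical Details, not code from the advisory or from Groupware: original_bytes_written() computes, without executing it, how many bytes the pgsqlQuery pattern above would place in its 8192-byte buffer for a given sqlquery length, and build_cursor_query() is a hypothetical hardened builder that bounds strncat by the space remaining after the prefix and refuses oversize input. QUERY_SIZE, PREFIX and probe() are assumptions of this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define QUERY_SIZE 8192
static const char PREFIX[] = "DECLARE myportal CURSOR FOR ";  /* 28 bytes */

/* Bytes the advisory's pgsqlQuery pattern writes for an sqlquery of srclen bytes:
 * prefix, then strncat() copies up to sizeof(query) bytes and appends a NUL. */
size_t original_bytes_written(size_t srclen)
{
    size_t copied = srclen < QUERY_SIZE ? srclen : QUERY_SIZE;
    return strlen(PREFIX) + copied + 1;   /* computed, never actually written */
}

/* Hardened builder (hypothetical replacement, not vendor code): strncat is bounded
 * by the space left after the prefix; an oversize sqlquery is rejected (-1). */
int build_cursor_query(char *query, size_t qsize, const char *sqlquery)
{
    size_t used = strlen(PREFIX);
    if (used + 1 > qsize)
        return -1;
    memcpy(query, PREFIX, used + 1);      /* prefix plus its NUL */
    size_t remaining = qsize - used - 1;  /* room left, excluding NUL */
    if (strlen(sqlquery) > remaining)
        return -1;                        /* refuse rather than truncate the SQL */
    strncat(query, sqlquery, remaining);  /* can no longer exceed qsize */
    return 0;
}

/* Run the hardened builder on a constructed sqlquery of srclen 'A' bytes. */
int probe(size_t srclen)
{
    char *src = malloc(srclen + 1), *query = malloc(QUERY_SIZE);
    int rc = -1;
    if (src && query) {
        memset(src, 'A', srclen);
        src[srclen] = '\0';
        rc = build_cursor_query(query, QUERY_SIZE, src);
    }
    free(src); free(query);
    return rc;
}

int main(void)
{
    printf("original: %zu bytes into %d; hardened: 8163 -> %d, 8164 -> %d\n",
           original_bytes_written(8164), QUERY_SIZE, probe(8163), probe(8164));
    return 0;
}
```

An 8163-byte sqlquery is the last length that fits (28 + 8163 + NUL = 8192), which matches the advisory's threshold; one byte more and the original pattern exceeds the buffer while the hardened builder returns -1.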