Security Advisory 06 – 060 – SurgeMail is prone to a format string vulnerability
Vulnerability discovery and development:
Portcullis Security Testing Services discovered this vulnerability.
Further research was then carried out.
Credit for Discovery:
Nico Leidecker – Portcullis Computer Security Ltd.
Version 3.7b8 on Linux; earlier versions and builds for other platforms may also be affected.
SurgeMail can charge recipients a fee for accepting e-mail from certain addresses. When such a message arrives, a notification e-mail stating the amount payable is composed and sent to the user, requesting payment. The amount value is not sanitised and may contain arbitrary characters, and when the notification is composed it is passed to a formatting function as the format string itself rather than as an argument to an explicit format string. A user with sufficient privileges to change these amounts can therefore supply format directives in the amount and trigger a format string vulnerability.
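The following is an added example, not SurgeMail's code: it reconstructs the class of bug described above in C, with a user-controlled amount reaching the format argument of a printf-family function while a notification line is composed, beside the corrected form and an input check. All function names, the message wording and the sample inputs are assumptions made for illustration.

```c
/* Added illustration of the advisory's bug class; not SurgeMail source.
 * Names (compose_notification_*, amount_is_wellformed) are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define NOTIFY_MAX 512

/* Vulnerable pattern: the attacker-controlled amount IS the format string.
 * An amount such as "%x%x%x%n" makes snprintf read stack words (%x) and
 * write one (%n), which is the DoS / code execution path the advisory
 * describes. Kept here only for comparison; never call it with untrusted
 * input. */
int compose_notification_vuln(char *out, size_t outlen,
                              const char *sender, const char *amount)
{
    char line[128];
    const char *fmt = amount;             /* BUG: data used as a format */
    snprintf(line, sizeof line, fmt);
    return snprintf(out, outlen,
                    "Mail from %s requires payment of %s\n", sender, line);
}

/* Fixed pattern: a literal format string, the amount passed as a %s
 * argument. Whatever the amount contains is copied verbatim and never
 * interpreted. */
int compose_notification_fixed(char *out, size_t outlen,
                               const char *sender, const char *amount)
{
    return snprintf(out, outlen,
                    "Mail from %s requires payment of %s\n", sender, amount);
}

/* Defence in depth, independent of the format fix: a fee is a number, so
 * accept only ASCII digits with at most one interior decimal point and a
 * sane length. This removes the "arbitrary characters" condition the
 * advisory notes, even for the privileged user who sets the amount. */
int amount_is_wellformed(const char *amount)
{
    size_t i, dots = 0, digits = 0;

    if (amount == NULL || amount[0] == '\0' || strlen(amount) > 16)
        return 0;
    for (i = 0; amount[i] != '\0'; i++) {
        if (isdigit((unsigned char)amount[i])) {
            digits++;
        } else if (amount[i] == '.' && dots == 0 && i > 0) {
            dots++;                       /* one dot, not in first position */
        } else {
            return 0;                     /* '%', letters, spaces, ... */
        }
    }
    return digits > 0 && amount[i - 1] != '.';   /* no trailing dot */
}

/* Runs a constructed hostile amount through the fixed composer and the
 * check; returns 1 when the directives survive as literal text and the
 * value is rejected by validation. */
int demo(void)
{
    char out[NOTIFY_MAX];
    const char *hostile = "%x%x%x%n";     /* constructed attacker input */

    compose_notification_fixed(out, sizeof out, "billing@example.com", hostile);
    return strstr(out, hostile) != NULL && !amount_is_wellformed(hostile);
}
```

The compiler flags the vulnerable function with -Wformat-security ("format not a string literal and no format arguments"); building the server with that warning promoted to an error is a cheap way to catch the whole class before it ships.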
An attacker could cause a denial of service or execute arbitrary code in the context of the server process.
Proof of concept exploit code is available.
The vendor has been notified and the vulnerability has been fixed.