< back to advisories

SurgeMail 3.7b8 Format String Vulnerability

Portcullis Security Advisory 06-060

Vulnerable System:


Vulnerability Title:

SurgeMail is prone to a format string vulnerability.

Vulnerability discovery and development: 

Portcullis Security Testing Services discovered this vulnerability. 
Further research was then carried out.

Credit For Discovery:

Nico Leidecker - Portcullis Computer Security Ltd.

Affected systems: 

Version 3.7b8 Linux and maybe previous versions and on other platforms.


SurgeMail offers the ability to charge the recipients a fee for receiving 
emails from certain addresses. As soon as such an email comes in, a 
notification email containing the amount payable is composed and sent to the 
user requesting payment.  A user with the privileges allowing them to change 
these amounts is then able to exploit a format string vulnerability, caused by 
the abdiction of an explicit format string while using the amount value as 
parameter in such a function. Furthermore, the amount value can consist of 
arbitrary characters.


An attacker could cause a Denial of Service or execute arbitrary code in the 
context of the server.


The proof of concept exploit code is available.

Vendor Status:

Vendor notified. The vulnerability has been fixed.


Copyright © Portcullis Computer Security Limited 2005, All rights reserved 

Permission is hereby granted for the electronic redistribution of this 
information. It is not to be edited or altered in any way without the express 
written consent of Portcullis Computer Security Limited.


The information herein contained may change without notice. Use of this 
information constitutes acceptance for use in an AS IS condition. There are NO 
warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the 
author/distributor (Portcullis Computer Security Limited) be held liable for 
any damages whatsoever arising out of or in connection with the use or spread 
of this information.