CVE-2003-0468
CVSS 5.0
Published: 2003-08-27 00:00:00
Revised: 2016-10-17 22:34:09
NMCOS    

[Original] Postfix 1.1.11 and earlier allows remote attackers to use Postfix to conduct "bounce scans" or DDos attacks of other hosts via an email address to the local host containing the target IP address and service name followed by a "!" string, which causes Postfix to attempt to use SMTP to communicate with the target on the associated port.


[CNNVD] Postfix Multiple Remote Denial of Service Vulnerabilities (CNNVD-200308-166)

        
        Postfix is a mail server program.
        The Postfix mail transfer agent currently has two vulnerabilities that a remote attacker can use to mount a denial-of-service attack against the service or to turn Postfix into a DDoS attack proxy.
        The first vulnerability lets an attacker "bounce-scan" a private, protected network; it is triggered by submitting an address of the following form:
         <[server_ip]:service!@local-host-name>
        This address makes Postfix connect to an arbitrary IP address and port and attempt an SMTP dialogue; the failure message from that dialogue is returned to the remote user, disclosing sensitive information. The same problem can be used for denial of service: several Postfix hosts made to connect to a particular host over and over can drive that host into denial of service.
        The CAN ID of this vulnerability is CAN-2003-0468.
        The second vulnerability is in the address-resolution code and is triggered by supplying a malformed e-mail address. The attacker can force the service to queue a message that will bounce; depending on the configuration this can be …, or, if user names are checked, …. The "mail from" or "Errors-To" address must be "<.!>" or "<.!@local-server-name>". When preparing the bounce, Postfix locks up while parsing and rewriting the address.
        It is also possible to give a valid "MAIL FROM" in the SMTP session but supply an address like the one described above in "RCPT TO", which causes the smtp listener to stop responding.
        

- CVSS (base score)

CVSS score: 5 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:wietse_venema:postfix:2000-02-28
cpe:/a:wietse_venema:postfix:1.0.21
cpe:/a:wietse_venema:postfix:1.1.11
cpe:/a:wietse_venema:postfix:2001-11-15
cpe:/o:conectiva:linux:8.0  Conectiva Conectiva Linux 8.0
cpe:/a:wietse_venema:postfix:1999-09-06
cpe:/o:conectiva:linux:7.0  Conectiva Conectiva Linux 7.0
cpe:/a:wietse_venema:postfix:1999-12-31

- OVAL (technical details for detection)

oval:org.mitre.oval:def:522  Postfix Bounce Scans Vulnerability
*OVAL describes the method for detecting this vulnerability in detail; see the related OVAL definition for more technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0468
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0468
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-166
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000717
(UNKNOWN)  CONECTIVA  CLA-2003:717
http://marc.info/?l=bugtraq&m=106001525130257&w=2
(UNKNOWN)  BUGTRAQ  20030804 Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning
http://www.debian.org/security/2003/dsa-363
(VENDOR_ADVISORY)  DEBIAN  DSA-363
http://www.mandriva.com/security/advisories?name=MDKSA-2003:081
(UNKNOWN)  MANDRAKE  MDKSA-2003:081
http://www.novell.com/linux/security/advisories/2003_033_postfix.html
(UNKNOWN)  SUSE  SuSE-SA:2003:033
http://www.redhat.com/support/errata/RHSA-2003-251.html
(UNKNOWN)  REDHAT  RHSA-2003:251
http://www.securityfocus.com/bid/8333
(UNKNOWN)  BID  8333

- Vulnerability information

Postfix Multiple Remote Denial of Service Vulnerabilities
Medium  Design error
2003-08-27 00:00:00  2005-10-20 00:00:00
Remote
        
        

- Advisories and patches

        Vendor patches:
        Conectiva
        ---------
        Conectiva has released a security advisory (CLA-2003:717) and the corresponding patch:
        CLA-2003:717:postfix
        Link:
        http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000717

        Patch downloads:
        ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/postfix-1.1.13-1U70_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-1.1.13-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/7.0/RPMS/postfix-doc-1.1.13-1U70_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/SRPMS/postfix-1.1.13-1U80_1cl.src.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-1.1.13-1U80_1cl.i386.rpm
        ftp://atualizacoes.conectiva.com.br/8/RPMS/postfix-doc-1.1.13-1U80_1cl.i386.rpm
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-363

        MandrakeSoft
        ------------
        MandrakeSoft has released a security advisory (MDKSA-2003:081) and the corresponding patch:
        MDKSA-2003:081:Updated postfix packages fix remote DoS
        Link:
        http://www.linux-mandrake.com/en/security/2003/2003-081.php

        Patch downloads:
        Updated Packages:
        Corporate Server 2.1:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/RPMS/postfix-1.1.13-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/corporate/2.1/SRPMS/postfix-1.1.13-1.1mdk.src.rpm
        Corporate Server 2.1/x86_64:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/RPMS/postfix-1.1.13-1.2mdk.x86_64.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/x86_64/corporate/2.1/SRPMS/postfix-1.1.13-1.2mdk.src.rpm
        Mandrake Linux 8.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/postfix-20010228-20.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm
        Mandrake Linux 8.2/PPC:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/postfix-20010228-20.1mdk.ppc.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm
        Mandrake Linux 9.0:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/RPMS/postfix-1.1.13-1.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/9.0/SRPMS/postfix-1.1.13-1.1mdk.src.rpm
        Multi Network Firewall 8.2:
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/RPMS/postfix-20010228-20.1mdk.i586.rpm
        ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/mnf8.2/SRPMS/postfix-20010228-20.1mdk.src.rpm
        The update packages above can also be downloaded from any of the mirror FTP servers listed at:
        http://www.mandrakesecure.net/en/ftp.php

        RedHat
        ------
        RedHat has released a security advisory (RHSA-2003:251-01) and the corresponding patch:
        RHSA-2003:251-01:New postfix packages fix security issues.
        Link: https://www.redhat.com/support/errata/RHSA-2003-251.html
        Patch downloads:
        Red Hat Linux 7.3:
        SRPMS:
        ftp://updates.redhat.com/7.3/en/os/SRPMS/postfix-1.1.12-0.7.src.rpm
        i386:
        ftp://updates.redhat.com/7.3/en/os/i386/postfix-1.1.12-0.7.i386.rpm
        Red Hat Linux 8.0:
        SRPMS:
        ftp://updates.redhat.com/8.0/en/os/SRPMS/postfix-1.1.12-0.8.src.rpm
        i386:
        ftp://updates.redhat.com/8.0/en/os/i386/postfix-1.1.12-0.8.i386.rpm
        Red Hat Linux 9:
        SRPMS:
        ftp://updates.redhat.com/9/en/os/SRPMS/postfix-1.1.12-1.src.rpm
        i386:
        ftp://updates.redhat.com/9/en/os/i386/postfix-1.1.12-1.i386.rpm
        Verification:
        MD5 sum Package Name
        - --------------------------------------------------------------------------
        1c17ca698971a1b5904590b97c0cbf8f 7.3/en/os/SRPMS/postfix-1.1.12-0.7.src.rpm
        d862e447c46cc4587dc96d4d44ef1a58 7.3/en/os/i386/postfix-1.1.12-0.7.i386.rpm
        e9e79099eb8e23dc0eff8f26d059cf53 8.0/en/os/SRPMS/postfix-1.1.12-0.8.src.rpm
        48e8299644a815e5dd67e67ef9aff8b5 8.0/en/os/i386/postfix-1.1.12-0.8.i386.rpm
        4c1500d10e8533eda4168a0cd193b561 9/en/os/SRPMS/postfix-1.1.12-1.src.rpm
        b3345751920862dc4ab2e82bcc0c51f9 9/en/os/i386/postfix-1.1.12-1.i386.rpm

- Vulnerability information

6551
Postfix Bounce Scan / Packet Amplification DDoS
Remote / Network Access Input Manipulation, Misconfiguration
Impact Unknown
Exploit Public

- Vulnerability description

Postfix contains a design flaw which may allow an attacker to use the mail server in SMTP 'bounce' scanning or even DDoS attacks. A specially crafted recipient field can cause the mail server to connect and communicate with an arbitrary host/port.

- Timeline

2003-08-03 Unknown
2003-08-03 Unknown

- Solution

Upgrade to version 1.1.12 or higher, as it has been reported to fix this vulnerability. It is also possible to correct the flaw by implementing the following workaround: set append_dot_mydomain to "yes" and resolve_dequoted_address to "no".
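As an added illustration (not part of this record and not Postfix's own code), a small Python checker that verifies the two workaround settings above in `postconf` output and labels envelope addresses that carry the `[host]:service!` routing shape this record describes, so a defender can audit a server or flag such addresses in logs. The sample `postconf` text and the addresses are constructed.

```python
import re

# Workaround settings named in the record above (main.cf keys, required values).
REQUIRED_SETTINGS = {
    "append_dot_mydomain": "yes",
    "resolve_dequoted_address": "no",
}

# Local part of the shape "[host-or-ip]:service!" that the record describes
# (":service" optional); matched against the local part only.
ROUTED_LOCAL_PART = re.compile(r"^\[[^\]]+\](?::[A-Za-z0-9_-]+)?!$")

# Constructed sample of `postconf -n` output (not from a real server).
SAMPLE_POSTCONF = """
myhostname = mail.example.test
append_dot_mydomain = yes
resolve_dequoted_address = yes
"""

def parse_postconf(output: str) -> dict:
    """Parse 'key = value' lines as printed by `postconf`."""
    settings = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings

def missing_workarounds(output: str) -> list:
    """Return workaround keys that are absent or not at the required value."""
    settings = parse_postconf(output)
    return [key for key, want in REQUIRED_SETTINGS.items()
            if settings.get(key, "").lower() != want]

def classify_address(addr: str) -> str:
    """Label an envelope address: 'bounce-scan', 'routed' (any '!' route), or 'ok'."""
    addr = addr.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    local, sep, _domain = addr.rpartition("@")  # the local part itself may hold '@'
    if not sep:
        local = addr  # no '@' at all, e.g. the "<.!>" form
    if ROUTED_LOCAL_PART.match(local):
        return "bounce-scan"
    return "routed" if "!" in local else "ok"
```

`postconf -n` prints only explicitly set parameters, so feed the checker the output of `postconf append_dot_mydomain resolve_dequoted_address`, which prints the effective values of just those two keys.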

- Related references

- Vulnerability author

- Vulnerability information

Postfix Connection Proxying Vulnerability
Design Error 8361
Yes No
2003-08-04 12:00:00 2009-07-11 10:56:00
Discovery credited to Michal Zalewski.

- Affected program versions

Wietse Venema Postfix 1.1.13
Wietse Venema Postfix 1.1.12
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386
Wietse Venema Postfix 1.1.11
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
Wietse Venema Postfix 1.0.21
+ EnGarde Secure Community 2.0
+ EnGarde Secure Community 1.0.1
+ EnGarde Secure Professional 1.5
+ EnGarde Secure Professional 1.2
+ EnGarde Secure Professional 1.1
Wietse Venema Postfix 20011115
Wietse Venema Postfix 20010228
+ Trustix Secure Linux 1.5
Wietse Venema Postfix 19991231
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
+ Trustix Secure Linux 1.2
Wietse Venema Postfix 19990906
Conectiva Linux 8.0
Conectiva Linux 7.0
Wietse Venema Postfix 2.0
Wietse Venema Postfix 1.1.13
Wietse Venema Postfix 1.1.12
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386

- Unaffected program versions

Wietse Venema Postfix 2.0
Wietse Venema Postfix 1.1.13
Wietse Venema Postfix 1.1.12
+ S.u.S.E. Linux 8.1
+ S.u.S.E. Linux 8.0
+ S.u.S.E. Linux 7.3 sparc
+ S.u.S.E. Linux 7.3 ppc
+ S.u.S.E. Linux 7.3 i386
+ S.u.S.E. Linux 7.2 i386

- Vulnerability discussion

A vulnerability has been reported in Postfix that can allow an adversary to "bounce-scan" a private network. It has also been reported that this vulnerability can be exploited to use the server as a distributed denial of service tool.

- Exploit

There is no exploit required.

- Solution

Conectiva has released advisory CLA-2003:717 with fixes to address this issue. Additional information is available in the referenced advisory. Fixes are linked below.

Debian has issued fixes. See advisory DSA-363-1 listed in the reference section for download locations.

SuSE has released advisory SuSE-SA:2003:033 with fixes to address this issue.

Mandrake has released advisory MDKSA-2003:081 with fixes to address this issue. Additional information is available in the referenced Mandrake Advisory.

Red Hat has released advisory RHSA-2003:251-01. Fix information may be gathered from the referenced advisory.

Guardian Digital has released an advisory (ESA-20030804-019) that provides updates for EnGarde Secure Linux. These updates may be applied automatically with the Guardian Digital WebTool. Please see the attached advisory for instructions on how to apply updates.

Trustix has released an advisory (TSLSA-2003-0029) that addresses this issue. Please see the attached advisory for details on obtaining and applying upgrades.

This issue has been addressed by the vendor in Postfix 1.1.12 and later.


Wietse Venema Postfix 20011115
Wietse Venema Postfix 19991231
Wietse Venema Postfix 19990906
Wietse Venema Postfix 20010228
Wietse Venema Postfix 1.0.21
Wietse Venema Postfix 1.1.11
Wietse Venema Postfix 1.1.12
Conectiva Linux 7.0
Conectiva Linux 8.0

- Related references

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.