CVE-2003-0743
CVSS 7.5
Published: 2003-10-20 00:00:00
Revised: 2016-10-17 22:37:07
NMCS    

[Original text] Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which is not properly trimmed before the "(no argument given)" string is appended to the buffer.


[CNNVD] Exim malformed EHLO/HELO command remote heap corruption vulnerability (CNNVD-200310-050)

        
        Exim[1] is a popular mail server (MTA).
        Exim does not properly handle malformed EHLO/HELO commands. A remote attacker can use this to corrupt heap memory in the Exim server, which can cause a denial of service.
        The problem is in exim-4.20/src/smtp_in.c:
         if (*smtp_data == 0) Ustrcpy(smtp_data, "(no argument given)");
        'smtp_data' points into 'cmd_buffer', a 513-byte heap buffer. A crafted HELO or EHLO command (the verb, a long run of spaces, a NUL byte and a newline, as in the CVE text above) can make '*smtp_data' zero while 'smtp_data' points into the last 2 bytes of 'cmd_buffer', so the tail "o argument given)" plus its terminating NUL (18 bytes) is written past the end of 'cmd_buffer'. Because the bytes written past the buffer are a fixed string and the trigger is subject to these constraints, the discoverer reported that the bug appears hard to exploit; in general an attacker can use it for a denial of service.
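The overflow described above, as an added example that is not Exim's code: a small C model of the 513-byte cmd_buffer, a command reader that trims trailing whitespace, the HELO/EHLO argument skip and the quoted substitution line, run against a line built the way the CVE text describes it (verb, a run of spaces, a NUL byte, a newline). The guard region used to count bytes written past the buffer, the '?' replacement for embedded NUL bytes in the hardened reader and the room check before the copy are assumptions for illustration, not Exim's actual fix.

```c
/* Added example, not Exim's code. Models the cmd_buffer handling the CNNVD
 * text describes: 512 data bytes + 1 NUL, a reader that trims trailing
 * whitespace, the HELO/EHLO verb skip and the "(no argument given)" copy.
 * Guard region, '?' substitution and room check are illustrative assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CMD_BUFFER_SIZE  512                    /* assumed: 512 data bytes */
#define CMD_BUFFER_ALLOC (CMD_BUFFER_SIZE + 1)  /* + terminating NUL = 513 */
#define GUARD_BYTES      64                     /* hypothetical canary area after it */
#define GUARD_FILL       0xAA

static const char NO_ARG[] = "(no argument given)";

/* Model of the SMTP command reader: store bytes up to '\n', reject lines
 * longer than CMD_BUFFER_SIZE, trim trailing whitespace, NUL-terminate.
 * replace_nul == 0 stores an embedded 0x00 verbatim (vulnerable reader);
 * replace_nul != 0 stores it as '?' (hardened reader).
 * Returns the stored length, or -1 when the line is rejected. */
static int read_command(char *buf, const unsigned char *line, size_t len, int replace_nul)
{
    int ptr = 0;
    for (size_t i = 0; i < len && line[i] != '\n'; i++) {
        if (ptr >= CMD_BUFFER_SIZE) return -1;      /* "500 Too long" in the daemon */
        unsigned char c = line[i];
        if (c == 0 && replace_nul) c = '?';
        buf[ptr++] = (char)c;
    }
    /* The trim stops at the attacker's 0x00, which is not whitespace, so the
     * long run of spaces in front of it is never removed. */
    while (ptr > 0 && isspace((unsigned char)buf[ptr - 1])) ptr--;
    buf[ptr] = 0;
    return ptr;
}

/* Case-insensitive match of a four-letter SMTP verb at the start of buf. */
static int verb_is(const char *buf, const char *verb)
{
    for (int i = 0; i < 4; i++)
        if (toupper((unsigned char)buf[i]) != verb[i]) return 0;
    return 1;
}

/* Model of the HELO/EHLO dispatch: smtp_data starts after the verb and is
 * advanced over spaces, so it can end up anywhere inside cmd_buffer. */
static char *helo_argument(char *buf)
{
    if (!verb_is(buf, "HELO") && !verb_is(buf, "EHLO")) return NULL;
    if (buf[4] != 0 && buf[4] != ' ') return NULL;
    char *smtp_data = buf + 4;
    while (isspace((unsigned char)*smtp_data)) smtp_data++;
    return smtp_data;
}

/* Feed one line through the reader and the HELO handler, with cmd_buffer in
 * front of a guard region, and return how many guard bytes the substitution
 * overwrote (0 = stayed in bounds, -1 = line rejected or no memory). */
static int run_helo(const unsigned char *line, size_t len, int hardened)
{
    unsigned char *block = malloc(CMD_BUFFER_ALLOC + GUARD_BYTES);
    if (block == NULL) return -1;
    memset(block, GUARD_FILL, CMD_BUFFER_ALLOC + GUARD_BYTES);
    char *cmd_buffer = (char *)block;
    if (read_command(cmd_buffer, line, len, hardened) < 0) { free(block); return -1; }

    char *smtp_data = helo_argument(cmd_buffer);
    if (smtp_data != NULL && *smtp_data == 0) {
        if (!hardened) {
            strcpy(smtp_data, NO_ARG);          /* the line quoted from smtp_in.c */
        } else {
            /* Hardened copy: substitute only when the fixed string fits. */
            size_t room = (size_t)(cmd_buffer + CMD_BUFFER_ALLOC - smtp_data);
            if (sizeof(NO_ARG) <= room) strcpy(smtp_data, NO_ARG);
        }
    }
    int clobbered = 0;
    for (int i = 0; i < GUARD_BYTES; i++)
        if (block[CMD_BUFFER_ALLOC + i] != GUARD_FILL) clobbered++;
    free(block);
    return clobbered;
}

/* Constructed trigger from the CVE text: verb, spaces, 0x00, '\n', sized so
 * the 0x00 is the 512th byte and smtp_data lands on the last two bytes of
 * cmd_buffer. Returns the guard-byte count reported by run_helo(). */
static int trigger_overflow(int hardened)
{
    unsigned char line[CMD_BUFFER_ALLOC + 1];
    size_t spaces = CMD_BUFFER_SIZE - 4 - 1;        /* 507 */
    memcpy(line, "HELO", 4);
    memset(line + 4, ' ', spaces);
    line[4 + spaces] = 0;
    line[4 + spaces + 1] = '\n';
    return run_helo(line, 4 + spaces + 2, hardened);
}

int main(void)
{
    printf("vulnerable reader: %d bytes past cmd_buffer\n", trigger_overflow(0));
    printf("hardened reader:   %d bytes past cmd_buffer\n", trigger_overflow(1));
    return 0;
}
```

Compiled and run, the vulnerable path reports 18 bytes written past cmd_buffer, which is exactly the tail "o argument given)" and its NUL; the hardened path reports 0 because the attacker's NUL no longer makes *smtp_data zero. The two hardenings are independent: either the NUL substitution in the reader or the room check before the copy closes this trigger, and the room check also covers any other way smtp_data could come to rest near the end of the buffer.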
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:university_of_cambridge:exim:3.20
cpe:/a:university_of_cambridge:exim:3.18
cpe:/a:university_of_cambridge:exim:3.19
cpe:/a:university_of_cambridge:exim:3.0
cpe:/a:university_of_cambridge:exim:3.16
cpe:/a:university_of_cambridge:exim:3.17
cpe:/a:university_of_cambridge:exim:3.3
cpe:/a:university_of_cambridge:exim:3.21
cpe:/a:university_of_cambridge:exim:4.10
cpe:/a:university_of_cambridge:exim:3.22
cpe:/a:university_of_cambridge:exim:3.14
cpe:/a:university_of_cambridge:exim:3.36
cpe:/a:university_of_cambridge:exim:3.15
cpe:/a:university_of_cambridge:exim:3.30
cpe:/a:university_of_cambridge:exim:3.31
cpe:/a:university_of_cambridge:exim:3.12
cpe:/a:university_of_cambridge:exim:3.34
cpe:/a:university_of_cambridge:exim:3.13
cpe:/a:university_of_cambridge:exim:3.35
cpe:/a:university_of_cambridge:exim:3.3.1
cpe:/a:university_of_cambridge:exim:3.3.2
cpe:/a:university_of_cambridge:exim:3.32
cpe:/a:university_of_cambridge:exim:3.11
cpe:/a:university_of_cambridge:exim:3.33
cpe:/a:university_of_cambridge:exim:4.20

- OVAL (technical details for detection)

No matching OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0743
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-0743
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200310-050
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000735
(UNKNOWN)  CONECTIVA  CLA-2003:735
http://marc.info/?l=bugtraq&m=106252015820395&w=2
(UNKNOWN)  BUGTRAQ  20030901 exim remote heap overflow, probably not exploitable
http://marc.info/?l=vuln-dev&m=106264740820334&w=2
(UNKNOWN)  VULN-DEV  20030903 Re: exim remote heap overflow, probably not exploitable
http://packages.debian.org/changelogs/pool/main/e/exim/exim_3.36-13/changelog
(UNKNOWN)  CONFIRM  http://packages.debian.org/changelogs/pool/main/e/exim/exim_3.36-13/changelog
http://packages.debian.org/changelogs/pool/main/e/exim4/exim4_4.34-10/changelog
(UNKNOWN)  CONFIRM  http://packages.debian.org/changelogs/pool/main/e/exim4/exim4_4.34-10/changelog
http://www.debian.org/security/2003/dsa-376
(VENDOR_ADVISORY)  DEBIAN  DSA-376
http://www.exim.org/pipermail/exim-announce/2003q3/000094.html
(UNKNOWN)  CONFIRM  http://www.exim.org/pipermail/exim-announce/2003q3/000094.html
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html
(UNKNOWN)  MLIST  [Exim] 20030814 Minor security bug
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057809.html
(UNKNOWN)  MLIST  [Exim] 20030815 Minor security bug

- Vulnerability information

Exim malformed EHLO/HELO command remote heap corruption vulnerability
High severity  Boundary condition error
2003-10-20 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Vendor patches:
        Debian
        ------
        
        http://www.debian.org/security/2003/dsa-376

- Vulnerability information

Exim EHLO/HELO Remote Heap Corruption Vulnerability
Class: Boundary Condition Error    BID: 8518
Remote: Yes    Local: No
Published: 2003-09-01 12:00:00    Updated: 2009-07-11 11:56:00
The discovery of this vulnerability has been credited to Nick Cleaton <nick@cleaton.net>.

- Affected program versions

University of Cambridge Exim 4.20
University of Cambridge Exim 4.10
University of Cambridge Exim 3.36
University of Cambridge Exim 3.35
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0
University of Cambridge Exim 3.34
University of Cambridge Exim 3.33
University of Cambridge Exim 3.32
University of Cambridge Exim 3.31
University of Cambridge Exim 3.30
University of Cambridge Exim 3.22
- RedHat PowerTools 7.1
University of Cambridge Exim 3.21
University of Cambridge Exim 3.20
University of Cambridge Exim 3.19
- RedHat PowerTools 7.0
University of Cambridge Exim 3.18
University of Cambridge Exim 3.17
University of Cambridge Exim 3.16
University of Cambridge Exim 3.15
University of Cambridge Exim 3.14
University of Cambridge Exim 3.13
- RedHat PowerTools 6.2
University of Cambridge Exim 3.12
+ Debian Linux 2.2 sparc
+ Debian Linux 2.2 powerpc
+ Debian Linux 2.2 IA-32
+ Debian Linux 2.2 arm
+ Debian Linux 2.2 alpha
+ Debian Linux 2.2 68k
University of Cambridge Exim 3.11
University of Cambridge Exim 3.3.2
University of Cambridge Exim 3.3.1
University of Cambridge Exim 3.3
University of Cambridge Exim 3.0

- Unaffected program versions

University of Cambridge Exim 4.21

- Vulnerability discussion

A heap corruption vulnerability has been discovered in Exim. The problem occurs due to insufficient bounds checking when handling user-supplied SMTP EHLO/HELO data. As a result, it may be possible to overrun the bounds of a heap memory buffer. Although it is believed to be unlikely, this could theoretically be exploited to execute arbitrary code with the privileges of Exim. It may also be possible to trigger a denial of service condition.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

This issue has been addressed in the latest version of Exim. Also, patches have been released to address this issue in Exim 3.36 and 4.20. The vendor has reported that these patches will likely work on earlier versions as well, however it has not yet been confirmed. Users are advised to upgrade as soon as possible.

Debian has released an updated advisory (DSA 376-2) that addresses this issue. Previous packages to address this issue that were released by Debian were installed with incorrect permissions on documentation, users who are affected by this issue are advised to upgrade as soon as possible. Please see the referenced advisory for details on applying fixes.

Conectiva has released an advisory (CLA-2003:735) that addresses this issue. Please see the attached advisory for details on obtaining and applying fixes.

Gentoo has released advisory 200309-09 to address this issue. Affected users are advised to take the following action on affected systems:

emerge sync
emerge exim
emerge clean

About SCAP Chinese Community

SCAP Chinese Community (SCAP中文社区) is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites