CVE-2004-0104
CVSS 7.5
Published: 2004-03-03 00:00:00
Revised: 2016-10-17 22:40:52

[Original text] Multiple format string vulnerabilities in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.


[CNNVD] Metamail Multiple Buffer Overflow / Format String Handling Vulnerabilities (CNNVD-200403-002)

        Metamail is a multipurpose mail system that implements MIME.
        Metamail contains buffer overflow and format string handling flaws; a remote attacker can exploit them to execute arbitrary instructions on the system with the privileges of the metamail process.
        When a "multipart/alternative" media type is processed and a parameter name or value in the enclosed "Content-Type" field contains format string codes, fprintf() in the SaveSquirrelFile() function fails to handle the external input adequately, creating a format string problem that corrupts memory.
        The second format string problem occurs when a message's mail headers contain encoded non-ASCII character data: printf() in the PrintHeader() function fails to handle the external input adequately, creating a format string problem that corrupts memory.
        In addition, overly long Subject fields and certain message parts are processed without sufficient bounds checking, leading to buffer overflows; carefully crafted data can allow arbitrary instructions to be executed on the system with the privileges of the metamail process.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:metamail_corporation:metamail:2.7
cpe:/o:redhat:enterprise_linux:2.1::advanced_server
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server
cpe:/a:sgi:propack:2.3 (SGI ProPack 2.3)
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium_processor
cpe:/a:sgi:propack:2.4 (SGI ProPack 2.4)
cpe:/o:redhat:enterprise_linux:2.1::workstation

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0104
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0104
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-002
(official data source) CNNVD

- Other links and resources

http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0041.html
(UNKNOWN)  VULNWATCH  20040218 metamail format string bugs and buffer overflows
http://marc.info/?l=bugtraq&m=107713476911429&w=2
(UNKNOWN)  BUGTRAQ  20040218 metamail format string bugs and buffer overflows
http://www.ciac.org/ciac/bulletins/o-083.shtml
(UNKNOWN)  CIAC  O-083
http://www.debian.org/security/2004/dsa-449
(UNKNOWN)  DEBIAN  DSA-449
http://www.kb.cert.org/vuls/id/518518
(UNKNOWN)  CERT-VN  VU#518518
http://www.mandriva.com/security/advisories?name=MDKSA-2004:014
(UNKNOWN)  MANDRAKE  MDKSA-2004:014
http://www.redhat.com/support/errata/RHSA-2004-073.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:073
http://www.securityfocus.com/bid/9692
(VENDOR_ADVISORY)  BID  9692
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.404734
(UNKNOWN)  SLACKWARE  SSA:2004-049
http://xforce.iss.net/xforce/xfdb/15245
(UNKNOWN)  XF  metamail-contenttype-format-string(15245)
http://xforce.iss.net/xforce/xfdb/15259
(VENDOR_ADVISORY)  XF  metamail-printheader-format-string(15259)

- Vulnerability information

Metamail Multiple Buffer Overflow / Format String Handling Vulnerabilities
High  Unknown
2004-03-03 00:00:00 2005-10-20 00:00:00
Remote

- Advisories and patches

        Temporary workaround:
        If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
        * Ulf Harnhammar has provided the following patch:
        
        http://downloads.securityfocus.com/vulnerabilities/patches/metamail.patch

        Vendor patches:
        Slackware
        ---------
        The vendor has released an upgrade patch to fix this security issue; download it from the vendor's home page:
        Metamail Metamail 2.7:
        Slackware Upgrade metamail-2.7-i386-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/metamail-2.7-i386-2.tgz
        Slackware 8.1
        Slackware Upgrade metamail-2.7-i386-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/metamail-2.7-i386-2.tgz
        Slackware 9.0
        Slackware Upgrade metamail-2.7-i486-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/metamail-2.7-i486-2.tgz
        Slackware 9.1
        Slackware Upgrade metamail-2.7-i486-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/metamail-2.7-i486-2.tgz
        Slackware -current

- Vulnerability information (23728)

Metamail 2.7 Multiple Buffer Overflow/Format String Handling Vulnerabilities (EDBID:23728)
linux remote
2004-02-18 Verified
0 Ulf Harnhammar
N/A
source: http://www.securityfocus.com/bid/9692/info

Metamail has been reported prone to multiple vulnerabilities that may provide for arbitrary code execution. Two buffer overflow vulnerabilities have been reported to affect Metamail. Additionally, two format string-handling vulnerabilities have been reported. These issues may also be exploited by a remote attacker to execute arbitrary code. 

http://www.exploit-db.com/sploits/23728-1.splitmail

http://www.exploit-db.com/sploits/23728-2.tgz

http://www.exploit-db.com/sploits/23728-3

http://www.exploit-db.com/sploits/23728-4

http://www.exploit-db.com/sploits/23728-5

- Vulnerability information (F33433)

metaexpl.tgz (PacketStormID:F33433)
2004-05-26 00:00:00
priestmaster  priestmaster.org
exploit,remote,overflow,udp,shellcode
CVE-2004-0104,CVE-2004-0105

Metamail remote exploit that makes use of a buffer overflow and, upon successful exploitation, binds a listening socket on UDP/13330 awaiting shellcode. Affected versions: 2.2 through 2.7.

- Vulnerability information (F32716)

metamail.advisory-data.tar.gz (PacketStormID:F32716)
2004-02-19 00:00:00
Ulf Harnhammar  
overflow
unix
CVE-2004-0104,CVE-2004-0105

Patch and test scripts for two format string bugs and two buffer overflows that exist in Metamail versions 2.2 through 2.7.

- Vulnerability information (F32715)

metamailBUGS.txt (PacketStormID:F32715)
2004-02-19 00:00:00
Ulf Harnhammar  
advisory,overflow,vulnerability
CVE-2004-0104,CVE-2004-0105

Two format string bugs and two buffer overflows exist in Metamail versions 2.2 through 2.7. Patch and test scripts to test for these vulnerabilities are available here.

metamail format string bugs and buffer overflows


PROGRAM: metamail
VENDOR: Bell Communications Research, Inc. (Bellcore)
DOWNLOAD URLs: ftp://thumper.bellcore.com/pub/nsb/
               http://ftp.funet.fi/pub/unix/mail/metamail/
VULNERABLE VERSIONS: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
IMMUNE VERSIONS: 2.7 with my patch applied
REFERENCES: CAN-2004-0104 (format string bugs)
            CAN-2004-0105 (buffer overflows)


* DESCRIPTION *


"Metamail is an implementation of MIME, the Multipurpose Internet
Mail Extensions, a proposed standard for multimedia mail on the
Internet. Metamail implements MIME, and also implements extensibility
and configuration via the "mailcap" mechanism described in an
informational RFC that is a companion to the MIME document."

"In general, users will never run metamail directly. Instead,
metamail will be invoked for the user automatically by the user's
mail reading program, whenever a non-text message is to be viewed."

(quoted from the program's documentation)

metamail is one of the packages or ports in SUSE Linux, Debian
GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux, Turbolinux,
PLD Linux, FreeBSD, NetBSD, OpenBSD and old versions of Red Hat
Linux, among others.

There are several newsreaders (tin, slrn, nn), mailreaders (elm)
and antivirus programs (antimime, older versions of AMaViS) that
pass MIME messages from the network directly to metamail.


* SUMMARY *


I have found two format string bugs and two buffer overflows in
metamail.


* TECHNICAL DETAILS *


The first format string bug occurs when a message has a
"multipart/alternative" media type and one of the body parts has a
"Content-Type" header with parameter names or values containing
formatting codes. It occurs because of two bad fprintf() statements
in the function SaveSquirrelFile() - yes, it's really called that -
in metamail.c. The file "testmail1" gives an example of this problem.

The second format string bug occurs when a message has encoded
non-ASCII characters in the mail headers (as described in RFC 2047),
an unknown encoding, and encoded text containing formatting codes. It
is caused by a bad printf() statement in the function PrintHeader()
in metamail.c. An example of this problem can be found in the file
"testmail2".

The first buffer overflow occurs when a message has encoded non-ASCII
characters in the mail headers and the part that names a character
set is overly long. The root of this problem is a bad strcpy()
statement in the function PrintHeader() in metamail.c. An example
of this can be found in the file "testmail3".

The second buffer overflow doesn't occur in the metamail executable,
but in the splitmail executable that's generated when you compile the
metamail package. This overflow occurs when a message has an overly
long Subject header. It is caused by a bad strcpy() statement in
the function ShareThisHeader() in splitmail.c. An example can be
found in the "testmail4.splitmail" file.


* PATCH AND TEST MESSAGES *


I have attached metamail.advisory-data.tar.gz, which contains the
four test messages mentioned above, as well as a patch that corrects
all four issues. The patch is diff'ed against version 2.7.

In case your system administrator doesn't like .tar.gz attachments,
I have also made this file available for downloading at
http://labben.abm.uu.se/~ulha9485/metamail.advisory-data.tar.gz


* TIMELINE *


metamail is unmaintained, so I contacted the vendor-sec list instead.

7 feb: the vendor-sec list (vendor-sec@lst.de) was contacted
9 feb: a coordinated release date was agreed upon
Friday 13 feb (the day of the W2K source leak): CAN references
were posted
18 feb: Slackware released their advisory and updates
18 feb: I release this advisory


* 31337 IRC KIDDIES *


K: "w0w d00d y4 ph0und b0th buphph3r 0v3rphl0wzZz 4nd ph0rm4t
zZztr1ng bugzZz 1n m3t4m41l!!!! buphph3r 0v3rphl0wzZz (th3 0nly
r34l s3cur1ty h0l3) 4r3 d4 k00l3zZzt but ph0rm4t zZztr1ng bugzZz
(th3 0th3r r34l s3cur1ty h0l3) 4r3 r33ly k00l 4zZzw3ll!!!! d0 y4
w4nn4 j01n 0ur h4ck3r gr0up 'h4ck3rzZz phr0m h3ll'??? w3 h4v3 4ll
th3 l4t3zZzt w1nd0wzZz w4r3zZz 4nd w3 h4v3 4 pr3s3nc3 0n 1rc phr0m
6 4m unt1l m1dn1ght c0z 0n3 0ph 0ur m3mb3rzZz' p4r3ntzZz l3t h1m
st4y up l4t3!!!11!1!!!1!!!"

U: "Virgin."


// Ulf Harnhammar
   kses - PHP HTML/XHTML filter (no XSS)
   http://sourceforge.net/projects/kses
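As an added example, not code from Metamail or from Ulf Harnhammar's patch: a bounded parser for the RFC 2047 encoded-word that both the second format string bug and the first buffer overflow in the advisory's technical details reach through PrintHeader(). It shows the two corrections those details call for, a length-checked copy in place of strcpy() and header text passed to the printf family only as a "%s" argument. CHARSET_MAX, TEXT_MAX and the function names are assumptions of this example.

```c
/* Added example, not Metamail's code or the advisory's patch: bounded parsing of
 * the RFC 2047 encoded-word that PrintHeader() mishandled.  Fields are copied
 * with an explicit length check instead of strcpy(), and header text reaches
 * the printf family only as a "%s" argument, never as the format string. */
#include <stdio.h>
#include <string.h>
#define CHARSET_MAX 40   /* assumed bound; IANA charset names are short */
#define TEXT_MAX    256  /* assumed bound for the encoded text */
struct encoded_word {
    char charset[CHARSET_MAX];
    char encoding;             /* 'Q' or 'B' (RFC 2047 encodings) */
    char text[TEXT_MAX];       /* encoded text, kept exactly as received */
};

/* Copy [src, src+len) into dst of capacity cap; fail instead of overflowing. */
static int copy_bounded(char *dst, size_t cap, const char *src, size_t len)
{
    if (len == 0 || len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Parse "=?charset?enc?text?=" into w.  Returns 0 on success, -1 on a malformed
 * or oversized field, so the caller can print the raw header verbatim instead. */
int parse_encoded_word(const char *in, struct encoded_word *w)
{
    const char *p1, *p2, *p3;
    if (strncmp(in, "=?", 2) != 0) return -1;
    p1 = strchr(in + 2, '?');                  /* end of charset */
    if (p1 == NULL) return -1;
    p2 = strchr(p1 + 1, '?');                  /* end of one-char encoding */
    if (p2 == NULL || p2 != p1 + 2) return -1;
    p3 = strstr(p2 + 1, "?=");                 /* end of text */
    if (p3 == NULL) return -1;
    if (copy_bounded(w->charset, sizeof w->charset, in + 2, (size_t)(p1 - in - 2)) < 0)
        return -1;
    w->encoding = p1[1];
    if (strchr("QqBb", w->encoding) == NULL) return -1;
    return copy_bounded(w->text, sizeof w->text, p2 + 1, (size_t)(p3 - p2 - 1));
}

/* Render for display: the untrusted text is a "%s" argument, so "%n" or "%x"
 * inside it is printed literally rather than interpreted. */
int render_header(char *dst, size_t cap, const struct encoded_word *w)
{
    int n = snprintf(dst, cap, "[%s] %s", w->charset, w->text);
    return (n < 0 || (size_t)n >= cap) ? -1 : 0;
}
```

A header that fails parse_encoded_word() should be displayed as opaque bytes, not decoded; the failure return is the point at which the original code instead continued with a corrupted buffer.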


    

- Vulnerability information

3987
Metamail Long Subject Header Message Parsing System Overflow
Remote / Network Access Input Manipulation
Loss of Confidentiality, Loss of Integrity
Exploit Public

- Vulnerability description

Metamail fails to check for a buffer overflow in the ShareThisHeader function in the splitmail.c file. With a specially crafted mail message containing a long Subject header, an attacker can cause a buffer overflow and execute arbitrary code on the system with the privileges of the user once the message is opened, resulting in a loss of confidentiality and/or integrity.

- Timeline

2004-02-18 Unknown
2004-03-06 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Ulf Harnhammar and various vendors have released a patch to address this vulnerability. See references.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Metamail Multiple Buffer Overflow/Format String Handling Vulnerabilities
Unknown 9692
Yes No
2004-02-18 12:00:00 2009-07-12 03:06:00
Discovery of these vulnerabilities has been credited to Ulf Härnhammar.

- Affected program versions

SGI ProPack 2.4
SGI ProPack 2.3
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 2.1
RedHat Advanced Workstation for the Itanium Processor 2.1
Red Hat Enterprise Linux AS 2.1
Metamail Metamail 2.7
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ FreeBSD FreeBSD 2.2.2
+ RedHat Linux 4.2
+ SCO Open UNIX 8.0
+ SCO Unixware 7.1.3
+ SCO Unixware 7.1.2
+ SCO Unixware 7.1.1
+ Slackware Linux 9.1
+ Slackware Linux 9.0
+ Slackware Linux 8.0
+ Slackware Linux -current
Gentoo Linux 1.4


- Exploitation

The following proof of concept is available:

- Solution

SGI has released an advisory 20040203-01-U to address this and other issues in SGI ProPack 2.4 and ProPack 2.3. Please see the referenced advisory for more information. Fixes are available below.

Debian has released an advisory (DSA 449-1) to address these issues. Please see the attached advisory for further details on obtaining and applying fixes.

Red Hat has released a security advisory (RHSA-2004:073-05) and fixes to address this issue in Red Hat enterprise products. Customers who are subscribed to the Red Hat Network may invoke the up2date utility to retrieve relevant fixes. Further details may be found in the referenced advisory.

Slackware has released an advisory (SSA:2004-049-02) and fixes to address these issues.

Mandrake has released an advisory (MDKSA-2004:014) to address these issues. Please see the attached advisory for further details on obtaining and applying fixes.

Red Hat Fedora Legacy has released advisory FLSA:1305 dealing with this issue for Red Hat Linux 8.0, 7.3 and 7.2. Please see the referenced advisory for more information.

Gentoo Linux has released advisory GLSA 200405-17 dealing with this issue. Please see the referenced advisory for more information. Affected users are urged to run the following commands as superuser:
emerge sync
emerge -pv ">=net-mail/metamail-2.7.45.3"
emerge ">=net-mail/metamail-2.7.45.3"


SGI ProPack 2.3

SGI ProPack 2.4

Metamail Metamail 2.7

- References

 

 
