CVE-2004-0105
CVSS7.5
发布时间 :2004-03-03 00:00:00
修订时间 :2016-10-17 22:40:53
NMCP    

[原文]Multiple buffer overflows in Metamail 2.7 and earlier allow remote attackers to execute arbitrary code.


[CNNVD]Metamail多个缓冲区溢出/格式串处理漏洞(CNNVD-200403-035)

        
        Metamail是MIME实现的多用途邮件系统。
        Metamail存在缓冲区溢出和格式串处理问题,远程攻击者可以利用这个漏洞可能以metamail进程权限在系统上执行任意指令。
        当处理"multipart/alternative"媒介类型和包含的"Content-Type"字段中参数名或值包含格式串代码, 在SaveSquirrelFile()函数中由于fprintf()不充分处理外部输入,可造成格式串问题,破坏内存信息。
        第二个格式串问题是当消息在MAIL头中包含非ASCII字符编码数据时,在PrintHeader()
        函数中的printf()不充分处理外部输入,可造成格式串问题,破坏内存信息。
        另外处理超长Subject字段和部分消息时缺少充分边界缓冲区检查,可导致缓冲区溢出,精心构建提交数据可能以metamail进程权限在系统上执行任意指令。
        

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

cpe:/a:metamail_corporation:metamail:2.7
cpe:/o:redhat:enterprise_linux:2.1::advanced_server
cpe:/o:redhat:enterprise_linux:2.1::enterprise_server
cpe:/a:sgi:propack:2.3SGI ProPack 2.3
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium_processor
cpe:/a:sgi:propack:2.4SGI ProPack 2.4
cpe:/o:redhat:enterprise_linux:2.1::workstation

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0105
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0105
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200403-035
(官方数据源) CNNVD

- 其它链接及资源

http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0041.html
(UNKNOWN)  VULNWATCH  20040218 metamail format string bugs and buffer overflows
http://marc.info/?l=bugtraq&m=107713476911429&w=2
(UNKNOWN)  BUGTRAQ  20040218 metamail format string bugs and buffer overflows
http://www.ciac.org/ciac/bulletins/o-083.shtml
(UNKNOWN)  CIAC  O-083
http://www.debian.org/security/2004/dsa-449
(UNKNOWN)  DEBIAN  DSA-449
http://www.kb.cert.org/vuls/id/513062
(UNKNOWN)  CERT-VN  VU#513062
http://www.mandriva.com/security/advisories?name=MDKSA-2004:014
(UNKNOWN)  MANDRAKE  MDKSA-2004:014
http://www.redhat.com/support/errata/RHSA-2004-073.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:073
http://www.securityfocus.com/bid/9692
(UNKNOWN)  BID  9692
http://www.slackware.com/security/viewer.php?l=slackware-security&y=2004&m=slackware-security.404734
(UNKNOWN)  SLACKWARE  SSA:2004-049
http://xforce.iss.net/xforce/xfdb/15247
(UNKNOWN)  XF  metamail-printheader-nonascii-bo(15247)
http://xforce.iss.net/xforce/xfdb/15258
(VENDOR_ADVISORY)  XF  metamail-splitmail-subject-bo(15258)

- 漏洞信息

Metamail多个缓冲区溢出/格式串处理漏洞
高危 未知
2004-03-03 00:00:00 2005-10-20 00:00:00
远程  
        
        Metamail是MIME实现的多用途邮件系统。
        Metamail存在缓冲区溢出和格式串处理问题,远程攻击者可以利用这个漏洞可能以metamail进程权限在系统上执行任意指令。
        当处理"multipart/alternative"媒介类型和包含的"Content-Type"字段中参数名或值包含格式串代码, 在SaveSquirrelFile()函数中由于fprintf()不充分处理外部输入,可造成格式串问题,破坏内存信息。
        第二个格式串问题是当消息在MAIL头中包含非ASCII字符编码数据时,在PrintHeader()
        函数中的printf()不充分处理外部输入,可造成格式串问题,破坏内存信息。
        另外处理超长Subject字段和部分消息时缺少充分边界缓冲区检查,可导致缓冲区溢出,精心构建提交数据可能以metamail进程权限在系统上执行任意指令。
        

- 公告与补丁

        临时解决方法:
        如果您不能立刻安装补丁或者升级,CNNVD建议您采取以下措施以降低威胁:
        * Ulf Harnhammar提供如下补丁程序:
        
        http://downloads.securityfocus.com/vulnerabilities/patches/metamail.patch

        厂商补丁:
        Slackware
        ---------
        目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
        Metamail Metamail 2.7:
        Slackware Upgrade metamail-2.7-i386-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-8.1/patches/packages/metamail-2.7-i386-2.tgz
        Slackware 8.1
        Slackware Upgrade metamail-2.7-i386-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-9.0/patches/packages/metamail-2.7-i386-2.tgz
        Slackware 9.0
        Slackware Upgrade metamail-2.7-i486-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-9.1/patches/packages/metamail-2.7-i486-2.tgz
        Slackware 9.1
        Slackware Upgrade metamail-2.7-i486-2.tgz
        ftp://ftp.slackware.com/pub/slackware/slackware-current/slackware/n/metamail-2.7-i486-2.tgz
        Slackware -current

- 漏洞信息 (F33433)

metaexpl.tgz (PacketStormID:F33433)
2004-05-26 00:00:00
priestmaster  priestmaster.org
exploit,remote,overflow,udp,shellcode
CVE-2004-0104,CVE-2004-0105
[点击下载]

Metamail remote exploit that makes use of a buffer overflow and upon successful exploitation, binds a listening socket to UDP/13330 awaiting shellcode. Affected versions: 2.2 through 2.7.

- 漏洞信息 (F32716)

metamail.advisory-data.tar.gz (PacketStormID:F32716)
2004-02-19 00:00:00
Ulf Harnhammar  
overflow
unix
CVE-2004-0104,CVE-2004-0105
[点击下载]

Patch and test scripts for two format string bugs and two buffer overflows that exist in Metamail versions 2.2 through 2.7.

- 漏洞信息 (F32715)

metamailBUGS.txt (PacketStormID:F32715)
2004-02-19 00:00:00
Ulf Harnhammar  
advisory,overflow,vulnerability
CVE-2004-0104,CVE-2004-0105
[点击下载]

Two format string bugs and two buffer overflows exist in Metamail versions 2.2 through 2.7. Patch and test scripts to test for these vulnerabilities are available here.

metamail format string bugs and buffer overflows


PROGRAM: metamail
VENDOR: Bell Communications Research, Inc. (Bellcore)
DOWNLOAD URLs: ftp://thumper.bellcore.com/pub/nsb/
               http://ftp.funet.fi/pub/unix/mail/metamail/
VULNERABLE VERSIONS: 2.2, 2.4, 2.5, 2.6, 2.7, possibly others
IMMUNE VERSIONS: 2.7 with my patch applied
REFERENCES: CAN-2004-0104 (format string bugs)
            CAN-2004-0105 (buffer overflows)


* DESCRIPTION *


"Metamail is an implementation of MIME, the Multipurpose Internet
Mail Extensions, a proposed standard for multimedia mail on the
Internet. Metamail implements MIME, and also implements extensibility
and configuration via the "mailcap" mechanism described in an
informational RFC that is a companion to the MIME document."

"In general, users will never run metamail directly. Instead,
metamail will be invoked for the user automatically by the user's
mail reading program, whenever a non-text message is to be viewed."

(quoted from the program's documentation)

metamail is one of the packages or ports in SUSE Linux, Debian
GNU/Linux, Slackware Linux, Mandrake Linux, Gentoo Linux, Turbolinux,
PLD Linux, FreeBSD, NetBSD, OpenBSD and old versions of Red Hat
Linux, among others.

There are several newsreaders (tin, slrn, nn), mailreaders (elm)
and antivirus programs (antimime, older versions of AMaViS) that
pass MIME messages from the network directly to metamail.


* SUMMARY *


I have found two format string bugs and two buffer overflows in
metamail.


* TECHNICAL DETAILS *


The first format string bug occurs when a message has a
"multipart/alternative" media type and one of the body parts has a
"Content-Type" header with parameter names or values containing
formatting codes. It occurs because of two bad fprintf() statements
in the function SaveSquirrelFile() - yes, it's really called that -
in metamail.c. The file "testmail1" gives an example of this problem.

The second format string bug occurs when a message has encoded
non-ASCII characters in the mail headers (as described in RFC 2047),
an unknown encoding, and encoded text containing formatting codes. It
is caused by a bad printf() statement in the function PrintHeader()
in metamail.c. An example of this problem can be found in the file
"testmail2".

The first buffer overflow occurs when a message has encoded non-ASCII
characters in the mail headers and the part that names a character
set is overly long. The root of this problem is a bad strcpy()
statement in the function PrintHeader() in metamail.c. An example
of this can be found in the file "testmail3".

The second buffer overflow doesn't occur in the metamail executable,
but in the splitmail executable that's generated when you compile the
metamail package. This overflow occurs when a message has an overly
long Subject header. It is caused by a bad strcpy() statement in
the function ShareThisHeader() in splitmail.c. An example can be
found in the "testmail4.splitmail" file.


* PATCH AND TEST MESSAGES *


I have attached metamail.advisory-data.tar.gz, which contains the
four test messages mentioned above, as well as a patch that corrects
all four issues. The patch is diff'ed against version 2.7.

In case your system administrator doesn't like .tar.gz attachments,
I have also made this file available for downloading at
http://labben.abm.uu.se/~ulha9485/metamail.advisory-data.tar.gz


* TIMELINE *


metamail is unmaintained, so I contacted the vendor-sec list instead.

7 feb: the vendor-sec list (vendor-sec@lst.de) was contacted
9 feb: a coordinated release date was agreed upon
Friday 13 feb (the day of the W2K source leak): CAN references
were posted
18 feb: Slackware released their advisory and updates
18 feb: I release this advisory


* 31337 IRC KIDDIES *


K: "w0w d00d y4 ph0und b0th buphph3r 0v3rphl0wzZz 4nd ph0rm4t
zZztr1ng bugzZz 1n m3t4m41l!!!! buphph3r 0v3rphl0wzZz (th3 0nly
r34l s3cur1ty h0l3) 4r3 d4 k00l3zZzt but ph0rm4t zZztr1ng bugzZz
(th3 0th3r r34l s3cur1ty h0l3) 4r3 r33ly k00l 4zZzw3ll!!!! d0 y4
w4nn4 j01n 0ur h4ck3r gr0up 'h4ck3rzZz phr0m h3ll'??? w3 h4v3 4ll
th3 l4t3zZzt w1nd0wzZz w4r3zZz 4nd w3 h4v3 4 pr3s3nc3 0n 1rc phr0m
6 4m unt1l m1dn1ght c0z 0n3 0ph 0ur m3mb3rzZz' p4r3ntzZz l3t h1m
st4y up l4t3!!!11!1!!!1!!!"

U: "Virgin."


// Ulf Harnhammar
   kses - PHP HTML/XHTML filter (no XSS)
   http://sourceforge.net/projects/kses


    
 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站