CVE-2004-2771
CVSS 7.5
Published: 2014-12-24 13:59:00
Last modified: 2014-12-29 09:56:57

[Original] The expand function in fio.c in Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier allows remote attackers to execute arbitrary commands via shell metacharacters in an email address.


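[CNNVD] Heirloom mailx and BSD mailx input validation vulnerability (CNNVD-201412-376)

Heirloom mailx and BSD mailx are both UNIX utilities for sending and receiving mail, also known as mail user agents.

The 'expand' function in the fio.c file of Heirloom mailx 12.5 and earlier and BSD mailx 8.1.2 and earlier contains a security vulnerability. A remote attacker can exploit it to execute arbitrary code by means of shell metacharacters in an email address.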

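- CVSS (base score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: NETWORK [the attacker does not need internal network access or local access]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-20 [Improper input validation]

- CPE (affected platforms and products)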

cpe:/o:redhat:enterprise_linux:7.0
cpe:/o:oracle:linux:6.0
cpe:/o:oracle:linux:7.0
cpe:/a:heirloom:mailx:12.5
cpe:/a:bsd_mailx_project:bsd_mailx:8.1.2
cpe:/o:redhat:enterprise_linux:6.0

- OVAL (technical details used for detection)

oval:org.mitre.oval:def:28456  DSA-3105-1 -- heirloom-mailx security update
oval:org.mitre.oval:def:28385  RHSA-2014:1999 -- mailx security update (Moderate)
oval:org.mitre.oval:def:28324  ELSA-2014-1999 -- mailx security update (moderate)
*OVAL describes in detail how to detect this vulnerability; more technical details on detecting it can be found in the related OVAL definitions.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-2771
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-201412-376
(official data source) CNNVD

- Other links and resources

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748
(UNKNOWN)  CONFIRM  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=278748
http://www.debian.org/security/2014/dsa-3105
(UNKNOWN)  DEBIAN  DSA-3105
http://secunia.com/advisories/61693
(UNKNOWN)  SECUNIA  61693
http://secunia.com/advisories/61585
(UNKNOWN)  SECUNIA  61585
http://secunia.com/advisories/60940
(UNKNOWN)  SECUNIA  60940
http://seclists.org/oss-sec/2014/q4/1066
(UNKNOWN)  MLIST  [oss-security] 20141216 mailx issues (CVE-2004-2771, CVE-2014-7844)
http://rhn.redhat.com/errata/RHSA-2014-1999.html
(UNKNOWN)  REDHAT  RHSA-2014:1999
http://linux.oracle.com/errata/ELSA-2014-1999.html
(UNKNOWN)  CONFIRM  http://linux.oracle.com/errata/ELSA-2014-1999.html

- Vulnerability information

Heirloom mailx and BSD mailx input validation vulnerability
High risk  Input validation
2014-12-18 00:00:00 2014-12-31 00:00:00
Remote
        


- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue. For details, see the vendor's home page:
http://www.heirloom.co.nz/

- Vulnerability information (F129596)

Red Hat Security Advisory 2014-1999-01 (PacketStormID:F129596)
2014-12-16 00:00:00
Red Hat  
advisory,arbitrary,shell,local
linux,redhat
CVE-2004-2771,CVE-2014-7844

Red Hat Security Advisory 2014-1999-01 - The mailx packages contain a mail user agent that is used to manage mail using scripts. A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality. Note: Applications using mailx to send email to addresses obtained from untrusted sources will still remain vulnerable to other attacks if they accept email addresses which start with "-". To counteract this issue, this update also introduces the "--" option, which will treat the remaining command line arguments as email addresses.


=====================================================================
                   Red Hat Security Advisory

Synopsis:          Moderate: mailx security update
Advisory ID:       RHSA-2014:1999-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2014-1999.html
Issue date:        2014-12-16
CVE Names:         CVE-2004-2771 CVE-2014-7844 
=====================================================================

1. Summary:

Updated mailx packages that fix two security issues are now available for
Red Hat Enterprise Linux 6 and 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - x86_64
Red Hat Enterprise Linux ComputeNode (v. 7) - x86_64
Red Hat Enterprise Linux Desktop (v. 6) - i386, x86_64
Red Hat Enterprise Linux HPC Node (v. 6) - x86_64
Red Hat Enterprise Linux Server (v. 6) - i386, ppc64, s390x, x86_64
Red Hat Enterprise Linux Server (v. 7) - ppc64, s390x, x86_64
Red Hat Enterprise Linux Workstation (v. 6) - i386, x86_64
Red Hat Enterprise Linux Workstation (v. 7) - x86_64

3. Description:

The mailx packages contain a mail user agent that is used to manage mail
using scripts.

A flaw was found in the way mailx handled the parsing of email addresses.
A syntactically valid email address could allow a local attacker to cause
mailx to execute arbitrary shell commands through shell meta-characters and
the direct command execution functionality. (CVE-2004-2771, CVE-2014-7844)

Note: Applications using mailx to send email to addresses obtained from
untrusted sources will still remain vulnerable to other attacks if they
accept email addresses which start with "-" (so that they can be confused
with mailx options). To counteract this issue, this update also introduces
the "--" option, which will treat the remaining command line arguments as
email addresses.

All mailx users are advised to upgrade to these updated packages, which
contain backported patches to correct these issues.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1162783 - CVE-2004-2771 CVE-2014-7844 mailx: command execution flaw

6. Package List:

Red Hat Enterprise Linux Desktop (v. 6):

Source:
mailx-12.4-8.el6_6.src.rpm

i386:
mailx-12.4-8.el6_6.i686.rpm
mailx-debuginfo-12.4-8.el6_6.i686.rpm

x86_64:
mailx-12.4-8.el6_6.x86_64.rpm
mailx-debuginfo-12.4-8.el6_6.x86_64.rpm

Red Hat Enterprise Linux HPC Node (v. 6):

Source:
mailx-12.4-8.el6_6.src.rpm

x86_64:
mailx-12.4-8.el6_6.x86_64.rpm
mailx-debuginfo-12.4-8.el6_6.x86_64.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
mailx-12.4-8.el6_6.src.rpm

i386:
mailx-12.4-8.el6_6.i686.rpm
mailx-debuginfo-12.4-8.el6_6.i686.rpm

ppc64:
mailx-12.4-8.el6_6.ppc64.rpm
mailx-debuginfo-12.4-8.el6_6.ppc64.rpm

s390x:
mailx-12.4-8.el6_6.s390x.rpm
mailx-debuginfo-12.4-8.el6_6.s390x.rpm

x86_64:
mailx-12.4-8.el6_6.x86_64.rpm
mailx-debuginfo-12.4-8.el6_6.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
mailx-12.4-8.el6_6.src.rpm

i386:
mailx-12.4-8.el6_6.i686.rpm
mailx-debuginfo-12.4-8.el6_6.i686.rpm

x86_64:
mailx-12.4-8.el6_6.x86_64.rpm
mailx-debuginfo-12.4-8.el6_6.x86_64.rpm

Red Hat Enterprise Linux Client (v. 7):

Source:
mailx-12.5-12.el7_0.src.rpm

x86_64:
mailx-12.5-12.el7_0.x86_64.rpm
mailx-debuginfo-12.5-12.el7_0.x86_64.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
mailx-12.5-12.el7_0.src.rpm

x86_64:
mailx-12.5-12.el7_0.x86_64.rpm
mailx-debuginfo-12.5-12.el7_0.x86_64.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
mailx-12.5-12.el7_0.src.rpm

ppc64:
mailx-12.5-12.el7_0.ppc64.rpm
mailx-debuginfo-12.5-12.el7_0.ppc64.rpm

s390x:
mailx-12.5-12.el7_0.s390x.rpm
mailx-debuginfo-12.5-12.el7_0.s390x.rpm

x86_64:
mailx-12.5-12.el7_0.x86_64.rpm
mailx-debuginfo-12.5-12.el7_0.x86_64.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
mailx-12.5-12.el7_0.src.rpm

x86_64:
mailx-12.5-12.el7_0.x86_64.rpm
mailx-debuginfo-12.5-12.el7_0.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2004-2771
https://access.redhat.com/security/cve/CVE-2014-7844
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2014 Red Hat, Inc.

- Vulnerability information (F129594)

Debian Security Advisory 3105-1 (PacketStormID:F129594)
2014-12-16 00:00:00
Debian  debian.org
advisory,vulnerability
linux,debian
CVE-2004-2771,CVE-2014-7844

Debian Linux Security Advisory 3105-1 - Two security vulnerabilities were discovered in Heirloom mailx, an implementation of the "mail" command.


- -------------------------------------------------------------------------
Debian Security Advisory DSA-3105-1                   security@debian.org
http://www.debian.org/security/                            Florian Weimer
December 16, 2014                      http://www.debian.org/security/faq
- -------------------------------------------------------------------------

Package        : heirloom-mailx
CVE ID         : CVE-2004-2771 CVE-2014-7844

Two security vulnerabilities were discovered in Heirloom mailx, an
implementation of the "mail" command:

CVE-2004-2771

    mailx interprets shell meta-characters in certain email
    addresses.

CVE-2014-7844

    An unexpected feature of mailx treats syntactically valid email
    addresses as shell commands to execute.

Shell command execution can be re-enabled using the "expandaddr"
option.

Note that this security update does not remove all mailx facilities
for command execution, though.  Scripts which send mail to addresses
obtained from an untrusted source (such as a web form) should use the
"--" separator before the email addresses (which was fixed to work
properly in this update), or they should be changed to invoke
"mail -t" or "sendmail -i -t" instead, passing the recipient addresses
as part of the mail header.

For the stable distribution (wheezy), these problems have been fixed in
version 12.5-2+deb7u1.

We recommend that you upgrade your heirloom-mailx packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
    
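The mitigation described in the Red Hat note and the Debian advisory above (keep untrusted recipients off the mailx command line and pass them in the mail header to "sendmail -i -t"), as an added shell example that is not part of either advisory. The function names, the SENDMAIL override and the address allow-list are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: hand an untrusted recipient to the MTA inside a header,
# never as a command-line word that mailx could read as an option or command.

# SENDMAIL is an assumption so the sketch can be pointed at a stub offline;
# the command named in the Debian advisory is "sendmail -i -t".
: "${SENDMAIL:=sendmail -i -t}"

# Return 0 only for a conservative local@host.tld form (illustrative allow-list).
is_plain_address() {
    case $1 in
        '' | -*) return 1 ;;              # empty, or would parse as an option
        *[!A-Za-z0-9@._+-]*) return 1 ;;  # shell metacharacters, spaces, CR/LF
        *@*@*) return 1 ;;                # more than one @
        ?*@?*.?*) return 0 ;;
        *) return 1 ;;
    esac
}

# send_notice RECIPIENT SUBJECT   (message body is read from stdin)
send_notice() {
    rcpt=$1 subject=$2
    is_plain_address "$rcpt" || { echo "rejected recipient" >&2; return 2; }
    # Strip CR/LF so the subject cannot introduce headers of its own.
    subject=$(printf '%s' "$subject" | tr -d '\r\n')
    {
        printf 'To: %s\n' "$rcpt"
        printf 'Subject: %s\n\n' "$subject"
        cat
    } | $SENDMAIL
    # Alternative from the advisories, on an updated mailx only:
    #   mailx -s "$subject" -- "$rcpt"
}
```
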

- Vulnerability information (F129844)

Mandriva Linux Security Advisory 2015-011 (PacketStormID:F129844)
2015-01-08 00:00:00
Mandriva  mandriva.com
advisory,arbitrary,shell,local
linux,mandriva
CVE-2004-2771,CVE-2014-7844

Mandriva Linux Security Advisory 2015-011 - A flaw was found in the way mailx handled the parsing of email addresses. A syntactically valid email address could allow a local attacker to cause mailx to execute arbitrary shell commands through shell meta-characters and the direct command execution functionality.


 _______________________________________________________________________

 Mandriva Linux Security Advisory                         MDVSA-2015:011
 http://www.mandriva.com/en/support/security/
 _______________________________________________________________________

 Package : nail
 Date    : January 8, 2015
 Affected: Business Server 1.0
 _______________________________________________________________________

 Problem Description:

 Updated nail package fixes security vulnerabilities:
 
 A flaw was found in the way mailx handled the parsing of email
 addresses. A syntactically valid email address could allow a local
 attacker to cause mailx to execute arbitrary shell commands through
 shell meta-characters and the direct command execution functionality
 (CVE-2004-2771, CVE-2014-7844).
 _______________________________________________________________________

 References:

 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2771
 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-7844
 http://advisories.mageia.org/MGASA-2014-0538.html
 _______________________________________________________________________

 Updated Packages:

 Mandriva Business Server 1/X86_64:
 69a100820f7d4bce057977fa34839a43  mbs1/x86_64/nail-12.4-8.1.mbs1.x86_64.rpm 
 11c14f4f124d62fd79a6e426e53d25eb  mbs1/SRPMS/nail-12.4-8.1.mbs1.src.rpm
 _______________________________________________________________________

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98

 You can view other update advisories for Mandriva Linux at:

  http://www.mandriva.com/en/support/security/advisories/

 If you want to report vulnerabilities, please contact

  security_(at)_mandriva.com
 _______________________________________________________________________

 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team
  <security*mandriva.com>

- Vulnerability information

BSD mailx CVE-2004-2771 Local Arbitrary Command Execution Vulnerability
Unknown 71704
No Yes
2014-12-16 12:00:00 2014-12-17 05:54:00
Seungbeom Kim

- Affected program versions

Debian Linux 6.0 sparc
Debian Linux 6.0 s/390
Debian Linux 6.0 powerpc
Debian Linux 6.0 mips
Debian Linux 6.0 ia-64
Debian Linux 6.0 ia-32
Debian Linux 6.0 arm
Debian Linux 6.0 amd64
CentOS CentOS 6

- Vulnerability discussion

BSD mailx is prone to a local arbitrary command-execution vulnerability.

Local attackers can exploit this issue to execute arbitrary commands on the underlying operating system.

- Exploit

Currently, we are not aware of any exploits. If you feel we are in error or if you are aware of any more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

Updates are available. Please see the references or vendor advisory for more information.
