CVE-2005-2931
CVSS7.5
Published: 2005-12-06 20:03:00
Revised: 2011-03-07 21:25:18

[Original] Format string vulnerability in the SMTP service in IMail Server 8.20 in Ipswitch Collaboration Suite (ICS) before 2.02 allows remote attackers to execute arbitrary code via format string specifiers to the (1) EXPN, (2) MAIL, (3) MAIL FROM, and (4) RCPT TO commands.


[CNNVD] Ipswitch Collaboration Suite SMTP Format String Handling Vulnerability (CNNVD-200512-115)

        Ipswitch Collaboration Suite (ICS) is an easy-to-use suite of tools providing e-mail and real-time collaboration, calendar and contact list sharing, and anti-spam and anti-virus protection.
        ICS contains a vulnerability in its handling of SMTP command requests; successful exploitation allows an unauthenticated remote attacker to execute arbitrary code.
        A format string vulnerability exists in Ipswitch IMail because functions that accept format specifiers are used improperly in the ICS SMTP service. An attacker can exploit it by supplying a specially crafted string to any one of the SMTP commands EXPN, MAIL, MAIL FROM or RCPT TO. All of these commands are handled by the same function that parses user-supplied input strings. The debugger session below shows that, with specially constructed input, the strings can be interpreted as memory addresses that are executed on return from the current function.
        [..]
        00A7F370 006020A0
        00A7F374 00A7F634 ASCII 5B,"192.168.242.1] MAIL
         FROM:C:\apps\Ipswitch\Collaboration
         Suite\IMail\spool\T94e8013e00000005"
        00A7F378 00000000
        00A7F37C 00000000
        00A7F380 7C34FC0B RETURN to MSVCR71.7C34FC0B from MSVCR71.write_char
        00A7F384 00602048
        00A7F388 00A7F648 ASCII 20,"FROM:C:\apps\Ipswitch\Collaborat"
        [..]

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [may degrade performance or interrupt access to resources]
Attack complexity: LOW [exploitation has no access restrictions]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:ipswitch:ipswitch_collaboration_suite:2.01  Ipswitch Ipswitch Collaboration Suite 2.01
cpe:/a:ipswitch:ipswitch_collaboration_suite:2.0  Ipswitch Ipswitch Collaboration Suite 2.0
cpe:/a:ipswitch:imail_server:8.20  Ipswitch IMail Server 8.20

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2931
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2931
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-115
(official data source) CNNVD

- Other links and resources

http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp
(PATCH)  CONFIRM  http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp
http://www.idefense.com/application/poi/display?id=346&type=vulnerabilities
(VENDOR_ADVISORY)  IDEFENSE  20051206 Ipswitch Collaboration Suite SMTP Format String Vulnerability
http://www.vupen.com/english/advisories/2005/2782
(UNKNOWN)  VUPEN  ADV-2005-2782
http://www.securityfocus.com/bid/15752
(UNKNOWN)  BID  15752
http://securitytracker.com/id?1015317
(UNKNOWN)  SECTRACK  1015317
http://secunia.com/advisories/17863
(UNKNOWN)  SECUNIA  17863

- Vulnerability information

Ipswitch Collaboration Suite SMTP Format String Handling Vulnerability
High; Format string
2005-12-06 00:00:00 2005-12-07 00:00:00
Remote

- Advisories and patches

        The vendor has released an update that fixes this security issue; it can be obtained from:
        http://www.ipswitch.com/support/ics/updates/ics202.asp
        http://www.ipswitch.com/support/imail/releases/imail_professional/im82

- Vulnerability information (F42190)

iDEFENSE Security Advisory 2006-12-06.1 (PacketStormID:F42190)
2005-12-09 00:00:00
iDefense Labs, Nico, idefense.com
advisory,remote,arbitrary,code execution
CVE-2005-2931

iDEFENSE Security Advisory 12.06.05 - Remote exploitation of a format string vulnerability in Ipswitch IMail allows remote attackers to execute arbitrary code. The vulnerability specifically exists due to improper use of functions which allow format specifiers in the SMTP service included with ICS. Remote attackers can supply format string values to certain string functions to cause memory corruption leading to remote code execution. iDEFENSE Labs has confirmed the existence of this vulnerability in Ipswitch Collaboration Suite 8.20.

Ipswitch Collaboration Suite SMTP Format String Vulnerability

iDEFENSE Security Advisory 12.06.05
www.idefense.com/application/poi/display?id=346&type=vulnerabilities
December 6, 2005

I. BACKGROUND

Ipswitch Collaboration Suite provides e-mail and real-time
collaboration, calendar and contact list sharing, and protection from
spam and viruses, all delivered in an easy to use suite.

     http://www.ipswitch.com/products/collaboration/index.asp

II. DESCRIPTION

Remote exploitation of a format string vulnerability in Ipswitch
IMail allows remote attackers to execute arbitrary code.

The vulnerability specifically exists due to improper use of functions
which allow format specifiers in the SMTP service included with ICS.
Remote attackers can supply format string values to certain string
functions to cause memory corruption leading to remote code execution.
The vulnerability may be exploited by supplying specially crafted
strings to any of the following SMTP commands: EXPN, MAIL, MAIL FROM,
RCPT TO. All of the commands are handled by the same function which
parses user-supplied input strings. The following debugger session
shows a backtrace with user-supplied strings as values. With properly
constructed input value, the strings would be interpreted as memory
addresses that would be executed upon returning from the current
function.

[..]
00A7F370   006020A0
00A7F374   00A7F634  ASCII 5B,"192.168.242.1] MAIL
  FROM:C:\apps\Ipswitch\Collaboration
  Suite\IMail\spool\T94e8013e00000005"
00A7F378   00000000
00A7F37C   00000000
00A7F380   7C34FC0B  RETURN to MSVCR71.7C34FC0B from MSVCR71.write_char
00A7F384   00602048
00A7F388   00A7F648  ASCII 20,"FROM:C:\apps\Ipswitch\Collaborat"
[..]

III. ANALYSIS

Successful exploitation of the format string vulnerability allows
unauthenticated remote attackers to execute arbitrary code. Ipswitch
mail services are commonly configured to allow untrusted access. The
use of a firewall or other mitigating strategy is highly recommended
due to the nature of this vulnerability. The IMail SMTP server is
installed by default.

IV. DETECTION

iDEFENSE Labs has confirmed the existence of this vulnerability in
Ipswitch Collaboration Suite 8.20.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this
issue. Access to the affected host should be filtered at the network
boundary if global accessibility is not required. Restricting access to
only trusted hosts and networks may reduce the likelihood of
exploitation.

VI. VENDOR RESPONSE

Ipswitch Collaboration Suite 2.02 has been released to address this
issue and is available for download at:

  http://www.ipswitch.com/support/ics/updates/ics202.asp

IMail Server 8.22 has been released to address this issue and is
available for download at:

  http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-2931 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005  Initial vendor notification
09/13/2005  Initial vendor response
10/06/2005  Coordinated public disclosure

IX. CREDIT

iDEFENSE credits Nico with the discovery of this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright     
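The pattern the CNNVD summary and section II of the iDEFENSE advisory describe, as an added example (not Ipswitch's or iDEFENSE's code): one hypothetical handler for EXPN, MAIL, MAIL FROM and RCPT TO, the safe way to pass its argument through a printf-family call, and a detection heuristic that counts the format specifiers a sensor would look for in those arguments. All function names and the sample command lines are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Ipswitch code: one handler for EXPN / MAIL / MAIL FROM /
 * RCPT TO, as the advisory describes, so each argument is untrusted text.
 * Longest verbs first so "MAIL FROM:" is not matched as bare "MAIL". */
static const char *const VERBS[] = { "EXPN", "MAIL FROM", "RCPT TO", "MAIL" };

static int prefix_ieq(const char *s, const char *pfx) { /* case-insensitive */
    for (; *pfx; s++, pfx++)
        if (toupper((unsigned char)*s) != (unsigned char)*pfx) return 0;
    return 1;
}

/* Split "verb[:| ]argument"; returns 0 and sets verb/arg, or -1 if the line
 * is not one of the four commands of interest. */
int parse_smtp_command(const char *line, char *verb, size_t vlen, const char **arg) {
    for (size_t i = 0; i < sizeof VERBS / sizeof VERBS[0]; i++) {
        size_t n = strlen(VERBS[i]);
        if (!prefix_ieq(line, VERBS[i])) continue;
        if (line[n] != ':' && line[n] != ' ' && line[n] != '\0') continue;
        snprintf(verb, vlen, "%s", VERBS[i]);
        while (line[n] == ':' || line[n] == ' ') n++;
        *arg = line + n;
        return 0;
    }
    return -1;
}

/* The bug class: snprintf(buf, n, arg) lets the argument act as the format.
 * Safe form: fixed format, user data only as a bounded %.*s argument. */
int log_smtp_arg(char *out, size_t outlen, const char *verb, const char *arg) {
    return snprintf(out, outlen, "[%s] %.*s", verb, 200, arg);
}

/* Detection heuristic: count printf-style conversions ("%...<conv>") in the
 * argument; "%%" is a literal. The legacy "user%host" routing form also
 * scores ("%ho"), so treat a hit as an alert to review, not a hard block. */
int count_format_specifiers(const char *arg) {
    int n = 0;
    for (const char *p = arg; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }
        const char *q = p + 1;
        while (*q && strchr("-+ #0.*123456789hlLqjzt", *q)) q++;
        if (*q && strchr("diouxXeEfgGcspn", *q)) { n++; p = q; }
    }
    return n;
}
```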

- Vulnerability information

21498
Ipswitch IMail Server SMTP Multiple Command Format String
Local / Remote, Context Dependent Input Manipulation
Loss of Integrity

- Vulnerability description

- Timeline

2005-12-06 2005-09-08
Unknown Unknown

- Solution

Upgrade to Ipswitch Collaboration Suite 2.02, IMail Server 8.22 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- References

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Ipswitch Collaboration Suite and IMail Server SMTPD Remote Format String Vulnerability
Input Validation Error 15752
Yes No
2005-12-06 12:00:00 2009-07-12 05:56:00
Nico is credited for the discovery of this issue.

- Affected program versions

Ipswitch Ipswitch Collaboration Suite 2.01
Ipswitch Ipswitch Collaboration Suite
Ipswitch IMail 8.20
Ipswitch Ipswitch Collaboration Suite 2.02
Ipswitch IMail 8.22

- Unaffected program versions

Ipswitch Ipswitch Collaboration Suite 2.02
Ipswitch IMail 8.22

- Discussion

Ipswitch Collaboration Suite and IMail Server are susceptible to a remote format string vulnerability. This issue is due to a failure of the application to properly sanitize user-supplied input prior to including it in a format-specifier argument to a formatted printing function.

This issue allows remote attackers to execute arbitrary machine code in the context of the affected application.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: vuldb@securityfocus.com.

- Solution

The vendor has released fixes to address this issue:

Ipswitch Ipswitch Collaboration Suite 2.01

Ipswitch IMail 8.20

- References

