Wu-imapd Partial Mailbox Attribute Remote Buffer Overflow Vulnerability

Published: 2002-05-10
Updated: 2002-05-15

Affected systems:
Washington University wu-imapd 2001.0 a
Washington University wu-imapd 2001.0
Washington University wu-imapd 2000.0 c
Washington University wu-imapd 2000.0 b
Washington University wu-imapd 2000.0 a
Washington University wu-imapd 2000.0
Description:
BUGTRAQ  ID: 4713
CVE(CAN) ID: CVE-2002-0379

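Wu-imapd is an IMAP (Internet Message Access Protocol) server implementation developed by Washington University that runs on Linux and Unix operating systems.

Wu-imapd contains a flaw in its handling of requests for partial mailbox attributes. A remote attacker can use it to trigger a buffer overflow and execute arbitrary commands on the target system with the privileges of the imapd process.

An attacker can craft a malformed request for partial mailbox attributes that causes the server to fail with SIG11. The problem is in imapd.c: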

imapd.c
-------
int main (int argc,char *argv[])
{
  unsigned long i,uid;
  long f;
  char *s,*t,*u,*v,tmp[MAILTMPLEN];
.
.
.

else if (!strncmp (t,"BODY[",5) && (v = strchr(t+5,']')) &&
!v[1]){
          strncpy (tmp,t+5,i = v - (t+5));
.
.
.
else if (!strncmp (t,"BODY.PEEK[",10) &&
             (v = strchr (t+10,']')) && !v[1]) {
          strncpy (tmp,t+10,i = v - (t+10));
.
.
.
-------

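A buffer overflow occurs when the server processes the request A0666 PARTIAL 1 BODY[AAA...1052bytes..AAA] 1 1; carefully constructed string data can lead to arbitrary command execution on the target system with the privileges of the imapd process.

This vulnerability only affects imapd builds that support RFC 1730; imapd 2001.313 and imap-2001.315 do not install support for this RFC by default.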
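
The excerpt above copies the text between '[' and ']' into tmp with a length taken from the request and never compared against MAILTMPLEN. The following is an added example, not code from imapd.c or from the vendor patch: copy_section and section_result are hypothetical helpers, and MAILTMPLEN is assumed to be 1024. It shows the same parse with the missing bounds check.

```c
#include <stdio.h>
#include <string.h>

#define MAILTMPLEN 1024   /* assumed size of tmp[] for this example */

/* Hypothetical helper, not from imapd.c: copy the section text between
 * "BODY[" or "BODY.PEEK[" and the final ']' into out.
 * Returns the section length, or -1 if the attribute is rejected. */
long copy_section(const char *t, char *out, size_t outsz)
{
    size_t skip, n;
    const char *v;

    if (!strncmp(t, "BODY[", 5)) skip = 5;
    else if (!strncmp(t, "BODY.PEEK[", 10)) skip = 10;
    else return -1;

    v = strchr(t + skip, ']');
    if (!v || v[1]) return -1;               /* same shape test as the excerpt */

    n = (size_t)(v - (t + skip));
    if (outsz == 0 || n >= outsz) return -1; /* bounds check the excerpt lacks */

    memcpy(out, t + skip, n);
    out[n] = '\0';                           /* always NUL-terminated */
    return (long)n;
}

/* Build "BODY[" + n filler bytes + "]" (constructed input) and run the check. */
long section_result(size_t n)
{
    static char req[4096];
    char tmp[MAILTMPLEN];

    if (n > sizeof(req) - 7) return -2;      /* request would not fit in req */
    memcpy(req, "BODY[", 5);
    memset(req + 5, 'A', n);
    req[5 + n] = ']';
    req[6 + n] = '\0';
    return copy_section(req, tmp, sizeof(tmp));
}

int main(void)
{
    printf("6 bytes    -> %ld\n", section_result(6));
    printf("1023 bytes -> %ld\n", section_result(1023));
    printf("1052 bytes -> %ld\n", section_result(1052)); /* size from the advisory */
    return 0;
}
```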

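To determine whether imapd is vulnerable, run the imap server and issue "x capability"; the output looks like the following:

The following example indicates a vulnerable server (temporarily stop the imapd service):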
    * PREAUTH .....
    x capability
    * CAPABILITY IMAP4 IMAP4REV1 ...
    x OK CAPABILITY completed
    
The following example indicates a server that is not vulnerable:
    * PREAUTH .....
    x capability
    * CAPABILITY IMAP4REV1 ...
    x OK CAPABILITY completed
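
The difference between the two transcripts is the bare IMAP4 atom in the CAPABILITY response. The following is an added example, not part of the original advisory: advertises_rfc1730 is a hypothetical helper for auditing your own server's response, and the sample lines in main are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive compare of an n-byte token against an upper-case keyword. */
static int tok_eq(const char *tok, size_t n, const char *kw)
{
    size_t i;
    if (strlen(kw) != n) return 0;
    for (i = 0; i < n; i++)
        if (toupper((unsigned char)tok[i]) != kw[i]) return 0;
    return 1;
}

/* Hypothetical helper: returns 1 if an untagged CAPABILITY response lists the
 * bare "IMAP4" atom (RFC 1730 support, the affected configuration), 0 if it
 * does not, and -1 if the line is not an untagged CAPABILITY response. */
int advertises_rfc1730(const char *line)
{
    const char *p = line;
    int field = 0, found = 0;

    while (*p) {
        size_t n;
        while (*p == ' ') p++;
        n = strcspn(p, " \r\n");
        if (n == 0) break;                       /* end of line */
        if (field == 0 && !tok_eq(p, n, "*")) return -1;
        if (field == 1 && !tok_eq(p, n, "CAPABILITY")) return -1;
        /* exact token match, so "IMAP4REV1" alone does not count */
        if (field >= 2 && tok_eq(p, n, "IMAP4")) found = 1;
        field++;
        p += n;
    }
    return field >= 2 ? found : -1;
}

int main(void)
{
    /* Constructed sample responses, modelled on the two transcripts above. */
    const char *a = "* CAPABILITY IMAP4 IMAP4REV1 NAMESPACE\r\n";
    const char *b = "* CAPABILITY IMAP4REV1 NAMESPACE\r\n";
    printf("sample a: %d\nsample b: %d\n",
           advertises_rfc1730(a), advertises_rfc1730(b));
    return 0;
}
```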

<*Source: Marcell Fodor (m.fodor@datanet.hu)
  
  Links: http://archives.neohapsis.com/archives/bugtraq/2002-05/0071.html
         http://archives.neohapsis.com/archives/bugtraq/2002-05/0093.html
         http://www.caldera.com/support/security/advisories/CSSA-2002-021.0.txt
         http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000487
         http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php
         https://www.redhat.com/support/errata/RHSA-2002-092.html
*>

Recommendation:
Vendor patches:

Caldera
-------
Caldera has released a security advisory (CSSA-2002-021.0) and corresponding patches for this issue:
CSSA-2002-021.0: Linux: imapd buffer overflow when fetching partial mailbox attributes
Link: http://www.caldera.com/support/security/advisories/CSSA-2002-021.0.txt

Patch download:

ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Server/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1.1/Workstation/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Server/current/RPMS
ftp://ftp.caldera.com/pub/updates/OpenLinux/3.1/Workstation/current/RPMS

Patch installation:

# rpm -Fvh package_name

Conectiva
---------
Conectiva has released a security advisory (CLA-2002:487) and corresponding patches for this issue:
CLA-2002:487: imap
Link: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000487

Patch download:
ftp://atualizacoes.conectiva.com.br/6.0/SRPMS/imap-2000c-10U60_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-devel-static-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/6.0/RPMS/imap-doc-2000c-10U60_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/imap-2000c-10U70_3cl.src.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-devel-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-devel-static-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/RPMS/imap-doc-2000c-10U70_3cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/imap-2000c-12U8_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-devel-static-2000c-12U8_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/imap-doc-2000c-12U8_2cl.i386.rpm

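Users of Conectiva Linux version 6.0 and later can update the RPM packages with apt:

- Add the following line to /etc/apt/sources.list:
  
rpm [cncbr] ftp://atualizacoes.conectiva.com.br 6.0/conectiva updates

(If you are not running version 6.0, replace the 6.0 above with the appropriate version number.)

- Run:                         apt-get update
- After the update, run:       apt-get upgrade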

MandrakeSoft
------------
MandrakeSoft has released a security advisory (MDKSA-2002:034) and corresponding patches for this issue:
MDKSA-2002:034: imap
Link: http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-034.php

Patch download:
Updated Packages:

Linux-Mandrake 7.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/imap-2000c-4.9mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/RPMS/imap-devel-2000c-4.9mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.1/SRPMS/imap-2000c-4.9mdk.src.rpm

Linux-Mandrake 7.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/imap-2000c-4.8mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/RPMS/imap-devel-2000c-4.8mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/7.2/SRPMS/imap-2000c-4.8mdk.src.rpm

Mandrake Linux 8.0:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/imap-2000c-4.7mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/RPMS/imap-devel-2000c-4.7mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.0/SRPMS/imap-2000c-4.7mdk.src.rpm

Mandrake Linux 8.0/ppc:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/imap-2000c-4.7mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/RPMS/imap-devel-2000c-4.7mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.0/SRPMS/imap-2000c-4.7mdk.src.rpm

Mandrake Linux 8.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/imap-2000c-7.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/RPMS/imap-devel-2000c-7.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.1/SRPMS/imap-2000c-7.1mdk.src.rpm

Mandrake Linux 8.1/ia64:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/imap-2000c-7.1mdk.ia64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/RPMS/imap-devel-2000c-7.1mdk.ia64.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ia64/8.1/SRPMS/imap-2000c-7.1mdk.src.rpm

Mandrake Linux 8.2:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/imap-2001a-5.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/RPMS/imap-devel-2001a-5.1mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/8.2/SRPMS/imap-2001a-5.1mdk.src.rpm

Mandrake Linux 8.2/ppc:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/imap-2001a-5.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/RPMS/imap-devel-2001a-5.1mdk.ppc.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/ppc/8.2/SRPMS/imap-2001a-5.1mdk.src.rpm

Corporate Server 1.0.1:
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/RPMS/imap-2000c-4.9mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/RPMS/imap-devel-2000c-4.9mdk.i586.rpm
ftp://download.sourceforge.net/pub/mirrors/mandrake/updates/1.0.1/SRPMS/imap-2000c-4.9mdk.src.rpm

The updated packages above can also be downloaded from any of the mirror FTP servers listed at:
http://www.mandrakesecure.net/en/ftp.php

RedHat
------
RedHat has released a security advisory (RHSA-2002:092-11) and corresponding patches for this issue:
RHSA-2002:092-11: Buffer overflow in UW imap daemon
Link: https://www.redhat.com/support/errata/RHSA-2002-092.html

Patch download:
Red Hat Linux 6.2:

SRPMS:
ftp://updates.redhat.com/6.2/en/os/SRPMS/imap-2001a-1.62.0.src.rpm

alpha:
ftp://updates.redhat.com/6.2/en/os/alpha/imap-2001a-1.62.0.alpha.rpm
ftp://updates.redhat.com/6.2/en/os/alpha/imap-devel-2001a-1.62.0.alpha.rpm

i386:
ftp://updates.redhat.com/6.2/en/os/i386/imap-2001a-1.62.0.i386.rpm
ftp://updates.redhat.com/6.2/en/os/i386/imap-devel-2001a-1.62.0.i386.rpm

sparc:
ftp://updates.redhat.com/6.2/en/os/sparc/imap-2001a-1.62.0.sparc.rpm
ftp://updates.redhat.com/6.2/en/os/sparc/imap-devel-2001a-1.62.0.sparc.rpm

Red Hat Linux 7.0:

SRPMS:
ftp://updates.redhat.com/7.0/en/os/SRPMS/imap-2001a-1.70.0.src.rpm

alpha:
ftp://updates.redhat.com/7.0/en/os/alpha/imap-2001a-1.70.0.alpha.rpm
ftp://updates.redhat.com/7.0/en/os/alpha/imap-devel-2001a-1.70.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.0/en/os/i386/imap-2001a-1.70.0.i386.rpm
ftp://updates.redhat.com/7.0/en/os/i386/imap-devel-2001a-1.70.0.i386.rpm

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/imap-2001a-1.71.0.src.rpm

alpha:
ftp://updates.redhat.com/7.1/en/os/alpha/imap-2001a-1.71.0.alpha.rpm
ftp://updates.redhat.com/7.1/en/os/alpha/imap-devel-2001a-1.71.0.alpha.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/imap-2001a-1.71.0.i386.rpm
ftp://updates.redhat.com/7.1/en/os/i386/imap-devel-2001a-1.71.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.1/en/os/ia64/imap-2001a-1.71.0.ia64.rpm
ftp://updates.redhat.com/7.1/en/os/ia64/imap-devel-2001a-1.71.0.ia64.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/imap-2001a-1.72.0.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/imap-2001a-1.72.0.i386.rpm
ftp://updates.redhat.com/7.2/en/os/i386/imap-devel-2001a-1.72.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/imap-2001a-1.72.0.ia64.rpm
ftp://updates.redhat.com/7.2/en/os/ia64/imap-devel-2001a-1.72.0.ia64.rpm


Install the patches with the following command:

rpm -Fvh [filename]

Washington University
---------------------
The vendor has released a patch that fixes this security issue; download it from the vendor's homepage:

Washington University Patch wuimapd2001.patch
http://downloads.securityfocus.com/vulnerabilities/patches/wuimapd2001.patch

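This vulnerability advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.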