发布日期：2002-05-21
更新日期：2002-05-27

受影响系统：

YoungZSoft CMailServer 3.30

描述：

---

BUGTRAQ  ID: 4789
CVE(CAN) ID: CVE-2002-0799

CMailServer是一款基于Web的电子邮件系统，可使用在Linux/Unix和Windows等多种操作系统下。

CMailServer对用户提供的输入缺少正确充分的边界缓冲检查，可导致远程攻击者进行缓冲溢出区攻击。

CMailServer在sprintf()函数中在检查通过USER命令提交的那个用户名在mail目录下是否存在相应的目录时缺少正确检查，攻击者提交包含恶意的目录信息会出现缓冲区溢出，精心构建目录数据可导致攻击者以Web进程权限在目标系统中执行任意指令。

<*链接：http://archives.neohapsis.com/archives/bugtraq/2002-05/0191.html
*>

建议：

---

临时解决方法：

如果您不能立刻安装补丁或者升级，NSFOCUS建议您采取以下措施以降低威胁：

* <2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com>提供如下补丁程序：

/*
    cmepatch.c
    May 20, 2002
    
    this is a quick and dirty patch.. it simply adds functionality that
    inserts a NULL as the 200th byte of the passed USER argument prior
    to the affected sprintf().. not even remotely elegant but enough to
    stop you from getting izn0wn3D
    
    I TAKE NO RESPONSIBILITY FOR THE DAMAGE THIS MAY DO
    TO YOUR SYSTEM, EGO, WEEWEE, OR OTHERWISE ;~~~~~<

    2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com

*/


#include <stdio.h>

        FILE *cmail;

        char p1[] = {0x00,0xd0};
        char p2[] = {0xe9,0x16,0x82,0x04,0x00,0x90,0x90};
        char p3[] = {0x81,0xc4,0x15,0x24,0x00,0x00,0xc6,0x04,0x24,0x00,0x81,0xec,0x15,0x24,0x00,0x00,
             0x8d,0xbc,0x24,0x4d,0x23,0x00,0x00,0xe9,0xd0,0x7d,0xfb,0xff,0x90};

void main(){
    
    printf("CMailServer 3.30 PATCH (May 20, 2002)\n2c79cbe14ac7d0b8472d3f129fa1df55@hushmail.com\n\n");

        cmail = fopen("CMailServer.exe", "rb+");

        if(!cmail){printf("'CMailServer.exe' not found or write protected\n");return;}

        fseek(cmail,0x1e8,0);
        fwrite(&p1,sizeof(p1),1,cmail);
        fseek(cmail,0x159f4,0);
        fwrite(&p2,sizeof(p2),1,cmail);
        fseek(cmail,0x5dc0f,0);
        fwrite(&p3,sizeof(p3),1,cmail);

        fclose(cmail);

    printf("patch successful\n");
}

厂商补丁：

YoungZSoft
----------
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://www.youngzsoft.com/tw/cmailserver/

浏览次数：3204
严重程度：0（网友投票）