Pine Message/External-Body Type Attribute Buffer Overflow Vulnerability

Published: 2003-09-10
Updated: 2003-09-18

Affected systems:
University of Washington Pine 4.56
University of Washington Pine 4.53
University of Washington Pine 4.52
University of Washington Pine 4.44
University of Washington Pine 4.30
University of Washington Pine 4.21
University of Washington Pine 4.20
University of Washington Pine 4.10
University of Washington Pine 4.0.4
University of Washington Pine 4.0.2
University of Washington Pine 3.98
University of Washington Pine 4.33
    - Conectiva Linux 7.0
    - Conectiva Linux 6.0
    - Conectiva Linux 5.1
    - Conectiva Linux 5.0
    - FreeBSD 4.4
    - FreeBSD 4.3
    - FreeBSD 4.2
    - RedHat Linux 7.1
    - Slackware Linux 7.1
    - Slackware Linux 7.0
    - SuSE Linux 7.3
    - SuSE Linux 7.2
    - SuSE Linux 7.1
Unaffected systems:
University of Washington Pine 4.58
Description:
BUGTRAQ  ID: 8588
CVE(CAN) ID: CVE-2003-0720

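Pine is an open-source email client.

Pine has a buffer overflow when handling "message/external-body type" attributes. A remote attacker can exploit this vulnerability by constructing a malicious email and luring the user into viewing it, executing arbitrary instructions on the system with the privileges of the user's process.

When Pine parses the name/value pairs of the "message/external-body type" attributes, it does not correctly check the maximum length of an attribute, which lets a malicious attacker construct a malformed email that overwrites control structures, leading to arbitrary instruction execution.

The problem exists in the following code: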

headers.h:
#define SIZEOF_20KBUF (20480)

The constant above is used to declare a 20 KB character array:

pine.c:
char tmp_20k_buf[SIZEOF_20KBUF];

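The tmp_20k_buf[] array is stored in the .bss segment and is referenced through the character pointer 'd'. The vulnerability is in the display_parameters() function in mailview.c: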

d = tmp_20k_buf;
if(parmlist = rfc2231_newparmlist(params)){
    while(rfc2231_list_params(parmlist) && d < tmp_20k_buf + 10000){
        sprintf(d, "%-*s: %s\n", longest, parmlist->attrib,
                parmlist->value ? strsquish(tmp_20k_buf + 11000,
                parmlist->value, 100)
                : "");
        d += strlen(d);
    }

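Starting at 'd', the code pads the attribute string parameter with spaces on the left and then displays the attribute name/value pairs, for example: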

Access-Type: ftp
        URL: ftp://localhost/pub/interesting.ps

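If an attacker constructs an email in which any attribute name is longer than 20 KB, a buffer overflow results. Carefully constructed data may allow arbitrary instructions to be executed on the system with the user's privileges.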
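
A bounded version of the formatting loop shown above, as an added example rather than Pine's code or the vendor's fix: every append goes through snprintf() with the space that remains, and the pad width and name length are clamped. struct parm, format_params(), MAX_NAME and the clipped flag are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define SIZEOF_20KBUF (20480)  /* buffer size quoted on the page */
#define MAX_NAME 64            /* assumed display cap for attribute names */
#define MAX_VALUE 100          /* value cap, as in the strsquish() call */

/* Hypothetical stand-in for one parsed name/value pair. */
struct parm { const char *attrib; const char *value; };

/* Writes "name: value\n" lines into out[0..outsz). Returns bytes written
 * (excluding NUL); *clipped is set if a name was cut or a line dropped. */
size_t format_params(char *out, size_t outsz, const struct parm *p,
                     size_t n, int *clipped)
{
    size_t used = 0, longest = 0, i;

    *clipped = 0;
    if (outsz == 0) { *clipped = 1; return 0; }
    out[0] = '\0';
    for (i = 0; i < n; i++) {              /* pad width from the data, then clamp */
        size_t len = strlen(p[i].attrib);
        if (len > MAX_NAME) { len = MAX_NAME; *clipped = 1; }
        if (len > longest) longest = len;
    }
    for (i = 0; i < n; i++) {
        size_t room = outsz - used;        /* space left, including the NUL */
        int w = snprintf(out + used, room, "%*.*s: %.*s\n",
                         (int)longest, MAX_NAME, p[i].attrib,
                         MAX_VALUE, p[i].value ? p[i].value : "");
        if (w < 0 || (size_t)w >= room) {  /* line did not fit: drop it whole */
            out[used] = '\0';
            *clipped = 1;
            break;
        }
        used += (size_t)w;
    }
    return used;
}

int main(void)
{
    static char buf[SIZEOF_20KBUF];
    int clipped;
    /* Constructed sample input, taken from the display example above. */
    struct parm ps[] = { { "Access-Type", "ftp" },
                         { "URL", "ftp://localhost/pub/interesting.ps" } };
    format_params(buf, sizeof buf, ps, 2, &clipped);
    fputs(buf, stdout);
    return clipped;
}
```

The clipped flag lets the caller tell the user that a parameter was shortened instead of silently displaying a partial name.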

<*Source: iDEFENSE Security Advisory (labs@idefense.com)

  Links: http://www.idefense.com/advisory/09.10.03.txt
         https://www.redhat.com/support/errata/RHSA-2003-273.html
         http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000738
*>

Recommendation:
Vendor patches:

Conectiva
---------
Conectiva has released a security announcement (CLA-2003:738) and corresponding patches for this issue:
CLA-2003:738: pine
Link: http://distro.conectiva.com/atualizacoes/?id=a&anuncio=000738

Patch downloads:

ftp://atualizacoes.conectiva.com.br/7.0/RPMS/pine-4.50L-1U70_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/7.0/SRPMS/pine-4.50L-1U70_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/8/RPMS/pine-4.50L-1U80_2cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/8/SRPMS/pine-4.50L-1U80_2cl.src.rpm
ftp://atualizacoes.conectiva.com.br/9/RPMS/pine-4.53L-22751U90_1cl.i386.rpm
ftp://atualizacoes.conectiva.com.br/9/SRPMS/pine-4.53L-22751U90_1cl.src.rpm

RedHat
------
RedHat has released a security advisory (RHSA-2003:273-01) and corresponding patches for this issue:
RHSA-2003:273-01: Updated pine packages fix vulnerabilities
Link: https://www.redhat.com/support/errata/RHSA-2003-273.html

Patch downloads:

Red Hat Linux 7.1:

SRPMS:
ftp://updates.redhat.com/7.1/en/os/SRPMS/pine-4.44-19.71.0.src.rpm

i386:
ftp://updates.redhat.com/7.1/en/os/i386/pine-4.44-19.71.0.i386.rpm

Red Hat Linux 7.2:

SRPMS:
ftp://updates.redhat.com/7.2/en/os/SRPMS/pine-4.44-19.72.0.src.rpm

i386:
ftp://updates.redhat.com/7.2/en/os/i386/pine-4.44-19.72.0.i386.rpm

ia64:
ftp://updates.redhat.com/7.2/en/os/ia64/pine-4.44-19.72.0.ia64.rpm

Red Hat Linux 7.3:

SRPMS:
ftp://updates.redhat.com/7.3/en/os/SRPMS/pine-4.44-19.73.0.src.rpm

i386:
ftp://updates.redhat.com/7.3/en/os/i386/pine-4.44-19.73.0.i386.rpm

Red Hat Linux 8.0:

SRPMS:
ftp://updates.redhat.com/8.0/en/os/SRPMS/pine-4.44-19.80.0.src.rpm

i386:
ftp://updates.redhat.com/8.0/en/os/i386/pine-4.44-19.80.0.i386.rpm

Red Hat Linux 9:

SRPMS:
ftp://updates.redhat.com/9/en/os/SRPMS/pine-4.44-19.90.0.src.rpm

i386:
ftp://updates.redhat.com/9/en/os/i386/pine-4.44-19.90.0.i386.rpm

S.u.S.E.
--------
S.u.S.E. has released a security announcement (SuSE-SA:2003:037) and corresponding patches for this issue:
SuSE-SA:2003:037: pine
Link:

Patch downloads:

Intel i386 Platform:

    SuSE-8.2:
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.rpm
      c3d94808af56ac9fcc77bec85733bc47
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/i586/pine-4.53-109.i586.patch.rpm
      fff680da5c283d2d50a44419976881a8
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.2/rpm/src/pine-4.53-109.src.rpm
      327935d468b4cd7794dde00168a901c3

    SuSE-8.1:
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.rpm
      63bc3f723537b18a274404c9b30ea784
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/i586/pine-4.44-283.i586.patch.rpm
      1d4711753488a274c8cf168b24c91acf
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.1/rpm/src/pine-4.44-283.src.rpm
      9617c79c854c2b800df476aa515ae351

    SuSE-8.0:
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.rpm
      edea9fbbf85a9f922d2b2aa8bf4a14e8
    patch rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/n1/pine-4.44-281.i386.patch.rpm
      18c95a919fb8767f3cff10218ce6c08c
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/8.0/zq1/pine-4.44-281.src.rpm
      6bf6b39feed23892faceaa78fd13b751

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/n1/pine-4.33-280.i386.rpm
      65d24983aa99d276e75ccd557eee557b
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.3/zq1/pine-4.33-280.src.rpm
      b0ecee1170d1fdec3b22e98d0941071a

    SuSE-7.2:
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/n1/pine-4.33-279.i386.rpm
      574ae6efcf81a53a26d5d19b763f96ab
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/i386/update/7.2/zq1/pine-4.33-279.src.rpm
      14fbade46db5dbc9c9893cf507d57e4a




    Sparc Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/n1/pine-4.33-101.sparc.rpm
      4e90502bfc4ca5b49c20f8a10cb9d473
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/sparc/update/7.3/zq1/pine-4.33-101.src.rpm
      c600432ad453999aa329b836490842df




    PPC Power PC Platform:

    SuSE-7.3:
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/n1/pine-4.33-153.ppc.rpm
      0c4323f70d9cc8b95d35f4356351990c
    source rpm(s):
    ftp://ftp.suse.com/pub/suse/ppc/update/7.3/zq1/pine-4.33-153.src.rpm
      6f6987ad3110ff3bf0bd5edb08ee935a

University of Washington
------------------------
The vendor has released an upgrade that fixes this security issue. Download and use PINE version 4.58 from the vendor's home page:

http://www.washington.edu/pine/getpine/

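This vulnerability entry was translated and compiled by NSFOCUS (绿盟科技). All rights reserved; reproduction without permission is prohibited.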