Smail-3多个远程及本地安全漏洞
发布日期:2005-03-28
更新日期:2005-03-28
受影响系统:
Smail Smail-3 3.2.0.120
描述:
BUGTRAQ ID: 12899
Smail-3是一款邮件传输代理。
Smail-3 中存在一个堆溢出漏洞和一个信号处理漏洞。堆溢出位于 addr.c 的地址预解析代码中：处理 host!(host!)*@route 形式的地址时，代码只分配了 strlen(address) 字节（没有给结尾的 NUL 留出空间），随后用 strncpy() 复制 '@' 之前的前缀而不保证以 NUL 结尾，再用 strcat() 把 build_uucp_route() 生成的 !-路由拼接上去，写操作因此越过堆缓冲区末尾；远程或本地用户都可以利用该漏洞以 root 权限执行任意代码，攻击还可能导致拒绝服务。信号处理漏洞位于 modes.c：input_signals() 为 SIGHUP/SIGINT 安装的处理函数 sig_unlink() 在信号上下文中调用 write_log()，而 write_log_va() 使用静态的 logstr 缓冲区并在首次调用时通过 STR_INIT()/xmalloc() 分配堆内存，这些操作都不是异步信号安全的；本地用户可能借此以 root 权限执行任意代码，但尚未证实。
<*来源:sean (infamous41md@hotpop.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=111186277521713&w=2
*>
测试方法:
警告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
-------------------------------------------------------------------------------
1 堆溢出漏洞
file: addr.c +218
-------------------------------------------------------------------------------
if (*ap == '@') {
/* matched host!(host!)*@route -- build the !-route */
1] register char *p = xmalloc((size_t) strlen(address));
DEBUG(DBG_ADDR_MID, "found host!(host!)*@route form--ugh!\n");
/* first part already !-route */
2] strncpy(p, address, (size_t) (ap - address)); /* HOLE */
if (mark_end) {
*mark_end++ = '>'; /* widden the original address */
}
3] ap = build_uucp_route(ap, error, 0); /* build !-route */
if (ap == NULL) {
DEBUG1(DBG_ADDR_LO,
"preparse_address(): build_uucp_route() failed: %s: returns:
(null)\n", *error);
return NULL;
}
4] strcat(p, ap); /* concatenate together */
xfree(ap);
DEBUG1(DBG_ADDR_HI, "preparse_address returns: %v\n", p);
*rest = mark_end;
return p; /* transformed */
}
2 信号处理漏洞
-------------------------------------------------------------------------------
file: modes.c
-------------------------------------------------------------------------------
void
input_signals()
{
if (signal(SIGHUP, SIG_IGN) != SIG_IGN) {
if (signal(SIGHUP, sig_unlink) == SIG_ERR) {
write_log(WRITE_LOG_SYS, "input_signals(): signal(SIGHUP) failed: %s.",
strerror(errno)); exitvalue = EX_OSERR;
}
}
if (signal(SIGINT, SIG_IGN) != SIG_IGN) {
if (signal(SIGINT, sig_unlink) == SIG_ERR) {
write_log(WRITE_LOG_SYS, "input_signals(): signal(SIGINT) failed: %s.",
strerror(errno)); exitvalue = EX_OSERR;
}
}
...snip...
/*
 * sig_unlink: handler that input_signals() above installs for SIGHUP and
 * SIGINT.  It ignores further deliveries of the signal, removes the spool
 * file, writes one line to the WRITE_LOG_TTY log and exits with EX_OSERR.
 *
 * NOTE(review): this body runs in signal context, but write_log() is not
 * async-signal-safe -- write_log_va() below keeps a static `logstr` and, on
 * first use, allocates it through STR_INIT()/xmalloc() -- and exit() is not
 * async-signal-safe either.  If the signal arrives while the interrupted
 * code is inside the allocator or the same log buffer, heap or log state can
 * be corrupted; this is the "signal handling" hole the advisory describes.
 * Whether unlink_spool() is reentrant is not visible here.  The usual remedy
 * is to set only a volatile sig_atomic_t flag in the handler and perform the
 * cleanup from the main loop.
 */
static void
sig_unlink(sig) /* HOLE */
int sig;
{
(void) signal(sig, SIG_IGN); /* stop the same signal re-entering us */
unlink_spool();
write_log(WRITE_LOG_TTY, "interrupt: mail message removed"); /* allocates via write_log_va() */
exit(EX_OSERR);
}
...snip...
write_log(int who, char *fmt, ...)
int who; /* mask of log files to be written */
char *fmt; /* printf(3) format */
va_dcl /* arguments for printf */
{
va_list ap;
...snip...
if (errfile && ((who & WRITE_LOG_TTY) ||
((who & (WRITE_LOG_MLOG|WRITE_LOG_PANIC)) &&
(error_processing == TERMINAL ||
error_processing == ERROR_DEFAULT) && /* XXX ??? */
fmt[0] != 'X'))) {
VA_START(ap, fmt);
write_log_va(WRITE_LOG_TTY, fmt, ap);
va_end(ap);
}
...snip...
static void
write_log_va(who, fmt, ap)
int who; /* mask of log files to be written */
char *fmt; /* printf(3) format */
va_list ap; /* arguments for vfprintf() */
{
static struct str logstr;
static int initialised = FALSE;
if (!initialised) {
STR_INIT(&logstr);
initialised = TRUE;
} else {
STR_CLEAR(&logstr);
STR_CHECK(&logstr);
}
str_printf_va(&logstr, fmt, ap);
...snip...
/*
 * STR_INIT: give a `struct str` its initial heap buffer.  Sets the
 * allocation size (a) to STR_BUMP, resets i (presumably the fill index) to 0
 * and obtains the buffer (p) from xmalloc().
 *
 * NOTE(review): because it calls xmalloc() this is not async-signal-safe.
 * write_log_va() above runs it the first time it is called, so a log line
 * written from a signal handler can end up allocating in signal context.
 */
#define STR_INIT(sp) \
(((sp)->a = STR_BUMP), \
((sp)->i = 0), \
((sp)->p = xmalloc((sp)->a)))
建议:
临时解决方法:
如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
* 以下是堆溢出漏洞的非官方补丁(仅针对 addr.c 中的堆溢出,不涉及信号处理漏洞):
--- addr.c 2004-08-27 01:46:17.000000000 -0500
+++ _addr.c 2005-03-25 01:00:44.423372480 -0500
@@ -217,10 +217,12 @@
ap++;
if (*ap == '@') {
/* matched host!(host!)*@route -- build the !-route */
- register char *p = xmalloc((size_t) strlen(address));
+ size_t alen = strlen(address);
+ register char *p = xmalloc((size_t) alen + 1);
DEBUG(DBG_ADDR_MID, "found host!(host!)*@route form--ugh!\n");
/* first part already !-route */
strncpy(p, address, (size_t) (ap - address));
+ p[(ap - address)] = '\0';
if (mark_end) {
*mark_end++ = '>'; /* widden the original address */
}
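Review bot: `p[(ap - address)] = '\0';` is needed only because strncpy() neither terminates nor reports anything when the prefix is shorter than `address`; since the prefix length is already known, `memcpy(p, address, (size_t)(ap - address));` followed by the same terminator states the intent directly and avoids leaving the impression that strncpy() alone is the bounded copy. The `(size_t)` cast in `xmalloc((size_t) alen + 1)` is a no-op now that `alen` is itself a `size_t`. The enclosing function (apparently preparse_address(), judging by the debug messages) starts before this hunk.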
@@ -231,7 +233,8 @@
*error);
return NULL;
}
- strcat(p, ap); /* concatenate together */
+ strncat(p, ap, alen-strlen(p)); /* concatenate together */
+ p[alen] = '\0'; /* in case in wasn't NULL'd */
xfree(ap);
DEBUG1(DBG_ADDR_HI, "preparse_address returns: %v\n", p);
*rest = mark_end;
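Review bot: `strncat(p, ap, alen-strlen(p));` caps the result at the length of the original address, so if build_uucp_route() ever returns a !-route longer than the `@route` text it replaced, the address is silently truncated instead of the parse failing — the patch turns the overflow into a possible wrong address. Safer is to size the buffer from the actual parts: save `plen = ap - address` before the build_uucp_route() call, then allocate `plen + strlen(ap) + 1` and use memcpy()/strcpy(), or at least check `strlen(p) + strlen(ap) > alen` and return NULL rather than truncate. Separately, the `return NULL;` on the build_uucp_route() failure path still leaks `p`, which hunk 1 allocates before the call; an `xfree(p);` belongs before it. `p[alen] = '\0';` is redundant, since strncat() always terminates. The enclosing function starts before this hunk.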
厂商补丁:
Smail
-----
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
http://www.weird.com/~woods/projects/smail.html