发布日期：2000-08-29
更新日期：2000-08-29

受影响系统：

mail.local + imapd

不受影响系统：

描述：

---

mail.local与imapd对邮件格式的理解不兼容。因此攻击这可能利用这个漏洞来创建一个特殊
邮件，imapd读取这个邮件时会发生错误。
Mail.local是以一个空行后面跟着一个"From "头来分割不同邮件的，而imap则仅仅根据"From"
头来区分邮件，而不检查空行。攻击者可以利用mail.local创建一个它认为合法的邮件，而
imapd在读取这个邮件时，由于对邮件分割的理解不兼容，它会认为存在大量的邮件，导致运行
出错。

<* 来源：3APA3A (3APA3A@SECURITY.NNOV.RU) *>






测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

下面的命令会发送一封2.5M的邮件，imap则会错误地认为用户的邮箱里有70,000封邮件：

# perl -e 'print "1\nFrom user Wed Dec  2 05:53:22 1992\n\n"x70000' |\
mail -s "Oooops I did it again" victim


建议：

---

下面是漏洞发现者提供的一个针对imapd-4.7c的补丁.

*** unix.c.old  Wed Feb 23 03:43:30 2000
--- unix.c      Thu Aug 10 12:58:19 2000
***************
*** 1048,1053 ****
--- 1048,1054 ----
    unsigned long i,j,k,m;
    char c,*s,*t,*u,tmp[MAILTMPLEN],date[30];
    int ti = 0,pseudoseen = NIL,retain = T;
+   int wasempty;
    unsigned long nmsgs = stream->nmsgs;
    unsigned long prevuid = nmsgs ? mail_elt (stream,nmsgs)->private.uid :
0;
    unsigned long recent = stream->recent;
***************
*** 1389,1404 ****
        k = m = 0;              /* no previous line size yet */
                                /* note current position */
        j = LOCAL->filesize + GETPOS (&bs);
        if (i) do {             /* look for next message */
          s = unix_mbxline (stream,&bs,&i);
          if (i) {              /* got new data? */
!           VALID (s,t,ti,zn);  /* yes, parse line */
            if (!ti) {          /* not a header line, add it to message */
              elt->rfc822_size +=
                k = i + (m = (((i < 2) || s[i - 2] != '\r') ? 1 : 0));
                                /* update current position */
              j = LOCAL->filesize + GETPOS (&bs);
            }
          }
        } while (i && !ti);     /* until found a header */
        elt->private.msg.text.text.size = j -
--- 1390,1408 ----
        k = m = 0;              /* no previous line size yet */
                                /* note current position */
        j = LOCAL->filesize + GETPOS (&bs);
+       wasempty = 1;
        if (i) do {             /* look for next message */
          s = unix_mbxline (stream,&bs,&i);
          if (i) {              /* got new data? */
!           if (wasempty) VALID (s,t,ti,zn);    /* yes, parse line */
            if (!ti) {          /* not a header line, add it to message */
              elt->rfc822_size +=
                k = i + (m = (((i < 2) || s[i - 2] != '\r') ? 1 : 0));
                                /* update current position */
              j = LOCAL->filesize + GETPOS (&bs);
            }
+           if ( *s == '\n') wasempty = 1;
+           else wasempty = 0;
          }
        } while (i && !ti);     /* until found a header */
        elt->private.msg.text.text.size = j -





浏览次数：5806
严重程度：0（网友投票）