安全研究

安全漏洞
Dovecot Tab字符绕过口令检查漏洞

发布日期:2008-03-10
更新日期:2008-03-11

受影响系统:
Dovecot Dovecot < 1.1.rc3
Dovecot Dovecot < 1.0.13
不受影响系统:
Dovecot Dovecot 1.1.rc3
Dovecot Dovecot 1.0.13
描述:
BUGTRAQ  ID: 28181
CVE(CAN) ID: CVE-2008-1218

Dovecot是Linux/UNIX类系统平台上的开源IMAP和POP3服务器。

Dovecot对用户请求数据没有充分的检查过滤,远程攻击者可能利用此漏洞绕过验证获取非授权访问。

Dovecot的内部协议使用TAB字符作为分隔符,但未经转义便发送了口令,因此如果口令中包含有TAB字符的话,就可以添加新的内部字段。如果用户在登录时通过这种方式添加了skip_password_check字段的话,就可以绕过口令检查,获得非授权登录。

<*来源:Timo Sirainen (tss@iki.fi
  
  链接:http://secunia.com/advisories/29295/
        http://dovecot.org/list/dovecot-news/2008-March/000064.html
        http://www.debian.org/security/2008/dsa-1516
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

http://www.milw0rm.com/exploits/5257

建议:
厂商补丁:

Debian
------
Debian已经为此发布了一个安全公告(DSA-1516-1)以及相应补丁:
DSA-1516-1:New dovecot packages fix privilege escalation
链接:http://www.debian.org/security/2008/dsa-1516

补丁下载:
Source archives:

http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.dsc
Size/MD5 checksum:     1300 8146ccf246ed64e1ac8c0127489ec798
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15.orig.tar.gz
Size/MD5 checksum:  1463069 26f3d2b075856b1b1d180146363819e6
http://security.debian.org/pool/updates/main/d/dovecot/dovecot_1.0.rc15-2etch4.diff.gz
Size/MD5 checksum:   102991 21959fc45cf0f8932fa9eb890791ff39

alpha architecture (DEC Alpha)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_alpha.deb
Size/MD5 checksum:   583482 a0d18885da096140ceb4110d525569d4
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_alpha.deb
Size/MD5 checksum:  1379844 6103bce830848d3f9bb4347f5c9b94f0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_alpha.deb
Size/MD5 checksum:   621320 48127903af1fe2130cb84c57e5a607ff

amd64 architecture (AMD x86_64 (AMD64))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_amd64.deb
Size/MD5 checksum:  1222430 1c2e1ffeb6bf745ed88cde01c62d264a
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_amd64.deb
Size/MD5 checksum:   536634 4f64ed0cc16510e9c3d709342b3c57ca
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_amd64.deb
Size/MD5 checksum:   569588 c17bac715f188f55ae20e5a3c95109b1

arm architecture (ARM)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_arm.deb
Size/MD5 checksum:  1123030 47eb9fddcc68c2c213afa10c8e3d8747
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_arm.deb
Size/MD5 checksum:   506134 0f4d939f2cf68f4e5b01140c846e50bc
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_arm.deb
Size/MD5 checksum:   537564 82310ae4e42406429f8ade7cbb81abf0

hppa architecture (HP PA RISC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_hppa.deb
Size/MD5 checksum:  1298818 603d12284115b6349e1d0334263d2af0
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_hppa.deb
Size/MD5 checksum:   562192 413ac964849698428c1b08e9cc9075bc
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_hppa.deb
Size/MD5 checksum:   598934 811c32b5c7e2009e5bf2f0ee0ea26859

i386 architecture (Intel ia32)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_i386.deb
Size/MD5 checksum:  1133484 3bf26ab783ddffed0b3c5ee53225ba20
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_i386.deb
Size/MD5 checksum:   546528 d53c11fd1c39870bd208d684e70e7551
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_i386.deb
Size/MD5 checksum:   514280 e85dcbcdd9b85f6e09cdeb4c82b47916

ia64 architecture (Intel ia64)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_ia64.deb
Size/MD5 checksum:   793878 106fe266dd26373615772b4e3636a914
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_ia64.deb
Size/MD5 checksum:   737582 18b15162711b22a704d0ff1ff26e0261
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_ia64.deb
Size/MD5 checksum:  1701788 7535b0a3407f664efa66bcf86966ff85

mips architecture (MIPS (Big Endian))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_mips.deb
Size/MD5 checksum:   559520 96d7ff1bbd3a38fbdd3bd06b4bc939fb
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_mips.deb
Size/MD5 checksum:   594680 41536feb8048183b78f0d1742278520c
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_mips.deb
Size/MD5 checksum:  1265800 a42823e1253c78709d5d1c18668d9b40

mipsel architecture (MIPS (Little Endian))

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_mipsel.deb
Size/MD5 checksum:  1268408 25c8582fea24e3174283066b7c8b6525
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_mipsel.deb
Size/MD5 checksum:   594912 264c368593a3fe7a9268aadee2ab1292
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_mipsel.deb
Size/MD5 checksum:   558832 d2a20bbfe49d234d0f3c7911c17c9bfb

powerpc architecture (PowerPC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_powerpc.deb
Size/MD5 checksum:   569772 e49cc25c54e4fa88217e0fa555de6039
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_powerpc.deb
Size/MD5 checksum:   536000 92330b2d1fa2ae8bf6c1b8f05cea3d59
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_powerpc.deb
Size/MD5 checksum:  1212096 e2339d417408e14eba21b28684926a5b

s390 architecture (IBM S/390)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_s390.deb
Size/MD5 checksum:   559786 3f7faca1fa56aa29a013068e14e7fada
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_s390.deb
Size/MD5 checksum:  1290186 5b8722445aab8b59ba15beae695e7f77
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_s390.deb
Size/MD5 checksum:   595498 ad3af123ee9c10dece62ff7cf0e84b35

sparc architecture (Sun SPARC/UltraSPARC)

http://security.debian.org/pool/updates/main/d/dovecot/dovecot-imapd_1.0.rc15-2etch4_sparc.deb
Size/MD5 checksum:   533482 576d0f5a1a733dad01c868095488afcf
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-common_1.0.rc15-2etch4_sparc.deb
Size/MD5 checksum:  1108250 1ac8086c83312fec554abd74074cf7b2
http://security.debian.org/pool/updates/main/d/dovecot/dovecot-pop3d_1.0.rc15-2etch4_sparc.deb
Size/MD5 checksum:   501514 27d4aa890df60532d0a33167df7af219

补丁安装方法:

1. 手工安装补丁包:

  首先,使用下面的命令来下载补丁软件:
  # wget url  (url是补丁下载链接地址)

  然后,使用下面的命令来安装补丁:  
  # dpkg -i file.deb (file是相应的补丁名)

2. 使用apt-get自动安装补丁包:

   首先,使用下面的命令更新内部数据库:
   # apt-get update
  
   然后,使用下面的命令安装更新软件包:
   # apt-get upgrade

Dovecot
-------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:

http://www.dovecot.org/list/dovecot-news/2008-March/000065.html

浏览次数:3343
严重程度:0(网友投票)
本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载
绿盟科技给您安全的保障
关于我们
公司介绍
公司荣誉
公司新闻
联系我们
公司总部
分支机构
海外机构
快速链接
绿盟云
绿盟威胁情报中心NTI
技术博客