发布日期：2006-10-17
更新日期：2006-10-19

受影响系统：

HP dtmail 5.1b

描述：

---

BUGTRAQ  ID: 20580

HP DTMail是在桌面上使用的邮件客户端。

DTMail在处理-a选项参数时存在缓冲区溢出漏洞，本地攻击者可以利用此漏洞获得root用户权限。

以下gdb输出显示了这个漏洞：

gdb) r -a -a `perl -e 'print "A" x 9000'`  
Starting program: /cluster/members/member0/tmp/dtmail -a `perl -e
'print "A"x 9000'`  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  
(no debugging symbols found)...(no debugging symbols found)...  

Program received signal SIGSEGV, Segmentation fault.  
warning: Hit heuristic-fence-post without finding  
warning: enclosing function for address 0x4141414141414140  

<*来源：Adriel T. Desautels
  
  链接：http://www.netragard.com/pdfs/research/HP-TRU64-DTMAIL-20060810.txt
        http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793091
        http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793805
*>

建议：

---

厂商补丁：

HP
--
HP已经为此发布了安全公告（HPSBUX02162/HPSBTU02163）以及相应补丁:

HPSBUX02162：SSRT061223 rev.1 - HP-UX Running dtmail, Local Execution of Arbitrary Code
链接：http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793091

HPSBTU02163：SSRT061223 rev.1 - HP Tru64 UNIX Running dtmail, Local Execution of Arbitrary Code
链接：http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793805

浏览次数：2865
严重程度：0（网友投票）