https://www.exploit-db.com/exploits/23728
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200403-002

Metamail是MIME实现的多用途邮件系统。Metamail存在缓冲区溢出和格式串处理问题，远程攻击者可以利用这个漏洞可能以metamail进程权限在系统上执行任意指令。当处理”multipart/alternative”媒介类型和包含的”Content-Type”字段中参数名或值包含格式串代码，在SaveSquirrelFile()函数中由于fprintf()不充分处理外部输入，可造成格式串问题，破坏内存信息。第二个格式串问题是当消息在MAIL头中包含非ASCII字符编码数据时，在PrintHeader()函数中的printf()不充分处理外部输入，可造成格式串问题，破坏内存信息。另外处理超长Subject字段和部分消息时缺少充分边界缓冲区检查，可导致缓冲区溢出，精心构建提交数据可能以metamail进程权限在系统上执行任意指令。

source: http://www.securityfocus.com/bid/9692/info

Metamail has been reported prone to multiple vulnerabilities that may provide for arbitrary code execution. Two buffer overflow vulnerabilities have been reported to affect Metamail. Additionally, two format string-handling vulnerabilities have been reported. These issues may also be exploited by a remote attacker to execute arbitrary code. 

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/23728-1.splitmail

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/23728-2.tgz

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/23728-3

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/23728-4

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/23728-5

来源:US-CERTVulnerabilityNote:VU#518518
名称:VU#518518
链接:http://www.kb.cert.org/vuls/id/518518
来源:BID
名称:9692
链接:http://www.securityfocus.com/bid/9692
来源:REDHAT
名称:RHSA-2004:073
链接:http://www.redhat.com/support/errata/RHSA-2004-073.html
来源:XF
名称:metamail-printheader-format-string(15259)
链接:http://xforce.iss.net/xforce/xfdb/15259
来源:XF
名称:metamail-contenttype-format-string(15245)
链接:http://xforce.iss.net/xforce/xfdb/15245
来源:DEBIAN
名称:DSA-449
链接:http://www.debian.org/security/2004/dsa-449
来源:SECUNIA
名称:10908
链接:http://secunia.com/advisories/10908
来源:VULNWATCH
名称:20040218metamailformatstringbugsandbufferoverflows
链接:http://archives.neohapsis.com/archives/vulnwatch/2004-q1/0041.html
来源:SLACKWARE
名称:SSA:2004-049
链接:http://www.slackware.com/security/viewer.php?l=slackware-security&y;=2004&m;=slackware-security.404734
来源:MANDRAKE
名称:MDKSA-2004:014
链接:http://www.mandriva.com/security/advisories?name=MDKSA-2004:014
来源:CIAC
名称:O-083
链接:http://www.ciac.org/ciac/bulletins/o-083.shtml
来源:BUGTRAQ
名称:20