logo
DATABASE RESOURCES PRICING ABOUT US

University of Washington IMAP 'tmail'和'dmail'本地缓冲区溢出漏洞

Description

BUGTRAQ ID: 32072 CNCAN ID:CNCAN-2008110404 University of Washington IMAP是一款IMAP协议实现。 University of Washington IMAP包含的'tmail'和'dmail'存在缓冲区溢出,本地攻击者可以利用漏洞以应用程序权限执行任意指令。 'tmail'和'dmail'应用程序在从命令行中处理文件夹扩展参数时缺少正确的边界检查,通过提交超长文件夹名可触发基于栈的缓冲区溢出。tmail可允许以root用户权限执行任意指令。 有问题代码如下: [tmail.c]<pre>char *getusername (char *s,char **t) { char tmp[MAILTMPLEN]; if (*t = strchr (s,'+')) { /* have a mailbox specifier? */ *(*t)++ = '\0'; /* yes, tie off user name */ /* user+ and user+INBOX same as user */ if (!**t || !strcmp ("INBOX",ucase (strcpy (tmp,*t)))) *t = NIL; } return s; /* return user name */ } [dmail.c] int deliver (FILE *f,unsigned long msglen,char *user) { MAILSTREAM *ds = NIL; char *s,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN]; STRING st; struct stat sbuf; /* have a mailbox specifier? */ if (mailbox = strchr (user,'+')) { *mailbox++ = '\0'; /* yes, tie off user name */ if (!*mailbox || !strcmp ("INBOX",ucase (strcpy (tmp,mailbox)))) mailbox = NIL; /* user+ and user+INBOX same as user */ } (..)</pre> user+folder命令行参数通过字符指针's'和'user'传递给deliver()和getusername(),文件夹部分重user分离并拷贝到'tmp'缓冲区,由于'tmp'在栈中,超长文件夹名可用于覆盖堆栈数据,导致任意代码执行。 University of Washington imap 2007b University of Washington Alpine 2.00 Panda Programming imap 升级程序: University of Washington Alpine 2.00 University of Washington imap.tar.Z <a href=ftp://ftp.cac.washington.edu/mail/imap.tar.Z target=_blank>ftp://ftp.cac.washington.edu/mail/imap.tar.Z</a> University of Washington imap 2007b University of Washington imap.tar.Z <a href=ftp://ftp.cac.washington.edu/mail/imap.tar.Z target=_blank>ftp://ftp.cac.washington.edu/mail/imap.tar.Z</a>