10011.txt

来自「This is the snapshot of Snot Latest Rule」· 文本 代码 · 共 73 行

Rule:

--
Sid:
10011

--
Summary:
This event is generated when an attempt is made to exploit a buffer overflow associated with the several commands of an IMAP service. This event is concerned with data supplied as a parameter to the "append" command.

--
Impact:
A successful attack may cause a denial of service or a buffer overflow and the subsequent execution of arbitrary code on a vulnerable server.

--
Detailed Information:
A vulnerability exists in the way that the Novell NetMail IMAP service handles several commands. An excessively long command argument can trigger a denial of service or a buffer overflow and the subsequent execution of arbitrary code on a vulnerable server.

Novell NetMail is an email server which includes an IMAP component. IMAP messages are formatted as follows:

<RequestTag> <Command> [para1 ... paraN]\r\n

As an authenticated user, the server can accept several commands. One of these commands is the APPEND command, used to store emails into remote mailboxes. The command syntax for APPEND is:

<RequestTag> APPEND <mailbox name> [<flags>] [<date/time>] <message>\r\n

Note the <message> is passed in command continuation format, where the size is declared and then the data passed: {message size} <message>

There is a vulnerability in the Novell NetMail product when processing the date/time field in APPEND messages. The application uses a call to sscanf, using the following format string:

"%d %s %d %d %d %d %d"

and passing a 18 byte buffer to store the name of the month (second field of format string). In Novell's Netmail, no validation is performed upon that month string, allowing an overly long string to overwrite the 18-byte buffer. This will allow critical values on the stack to be overwritten, including the SEH, which is 0x438 bytes from the start of the buffer. 

This event is generated when excess data is detected in an IMAP command. Some IMAP implementations exhibit programming errors that can lead to a buffer overflow condition when excess data is supplied to a static buffer.

Note the user must be authenticated in order to execute this attack.

--
Affected Systems:
Novell NetMail 3.52D and prior

--
Attack Scenarios:
An attacker can supplied an overly long command, causing denial of service or a buffer overflow.

--
Ease of Attack:
Simple.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Upgrade to the latest non-affected version of the software.

--
Contributors:
Sourcefire Vulnerability Research Team
Matthew Olney <matthew.olney@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--