| CNNVD-ID编号 | CNNVD-200605-385 |
| CVE编号 | CVE-2006-2502 |
| 发布时间 | 2006-05-22 |
| 更新时间 | 2006-05-22 |
| 漏洞类型 | 缓冲区溢出 |
| 漏洞来源 | kcope kingcope@gmx.net |
| 危险等级 | 中危 |
| 威胁类型 | 远程 |
| 厂 商 | cyrus |
Cyrus IMAP Server是一款免费开放源代码Interactive Mail Access Protocol (IMAP)协议实现,可使用在Unix和Linux操作系统下。
Cyrus-imapd的pop3d中存在远程溢出漏洞。如果在imapd.conf中Cyrus-imapd将popsubfolders设置为1的话,则攻击者就可以通过向远程pop3d发送超长的USER命令参数触发栈溢出。
在cyrus-imapd-2.3.2/imap/pop3d.c中,每次向pop3 server提供USER命令时都会调用pop3d_canon_user,ulen=0。在char userbuf[MAX_MAILBOX_NAME+1], *p;
...
if (!ulen) ulen = strlen(user);
...
memcpy(userbuf, user, ulen);
userbuf[ulen] = \'\'\0\'\';
这个例程中没有执行长度检查,如果user大于MAX_MAILBOX_NAME+1的话,memcpy就会溢出userbuf缓冲区。
--- snip ---static int popd_canon_user(sasl_conn_t *conn, void *context,
const char *user, unsigned ulen,
unsigned flags, const char *user_realm,
char *out, unsigned out_max, unsigned *out_ulen)
{
char userbuf[MAX_MAILBOX_NAME+1], *p;
size_t n;
int r;
if (!ulen) ulen = strlen(user);
if (config_getswitch(IMAPOPT_POPSUBFOLDERS)) {
/* make a working copy of the auth[z]id */
memcpy(userbuf, user, ulen);
userbuf[ulen] = \'\'\0\'\';
user = userbuf;
/* See if we\'\'re trying to access a subfolder */
if ((p = strchr(userbuf, \'\'+\'\'))) {
n = config_virtdomains ? strcspn(p, \"@\") : strlen(p);
if (flags & SASL_CU_AUTHZID) {
/* make a copy of the subfolder */
if (popd_subfolder) free(popd_subfolder);
popd_subfolder = xstrndup(p, n);
}
/* strip the subfolder from the auth[z]id */
memmove(p, p+n, strlen(p+n)+1);
ulen -= n;
}
}
r = mysasl_canon_user(conn, context, user, ulen, flags, user_realm,
out, out_max, out_ulen);
if (!r & & popd_subfolder & & flags == SASL_CU_AUTHZID) {
/* If we\'\'re only doing the authzid, put back the subfolder
in case its used in the challenge/response calculation */
n = strlen(popd_subfolder);
if (*out_ulen + n > out_max) {
sasl_seterror(conn, 0, \"buffer overflow while canonicalizing\");
r = SASL_BUFOVER;
}
else {
p = (config_virtdomains & & (p = strchr(out, \'\'@\'\'))) ?
p : out + *out_ulen;
memmove(p+n, p, strlen(p)+1);
memcpy(p, popd_subfolder, n);
*out_ulen += n;
}
}
return r;
}
--- snip ---
目前厂商还没有提供补丁或者升级程序,建议使用此软件的用户随时关注厂商的主页以获取最新版本: http://asg.web.cmu.edu/cyrus/
来源: BID
名称: 18056
来源: VUPEN
名称: ADV-2006-1891
来源: FULLDISC
名称: 20060521 Cyrus IMAPD pop3d remote compromise aka cyrusFUCK3d
链接:http://archives.neohapsis.com/archives/fulldisclosure/2006-05/0527.html
来源: XF
名称: cyrus-imap-pop3d-bo(26578)