University of Washington IMAP...

Published: 2025-04-13
Revised: 2025-04-13

BUGTRAQ ID: 32072
CNCAN ID: CNCAN-2008110404

University of Washington IMAP is an implementation of the IMAP protocol.

The 'tmail' and 'dmail' programs included with University of Washington IMAP contain a buffer overflow that a local attacker can exploit to execute arbitrary instructions with the privileges of the application.

The 'tmail' and 'dmail' applications lack proper bounds checking when processing the folder extension argument from the command line; submitting an overly long folder name triggers a stack-based buffer overflow. tmail can allow arbitrary instructions to be executed with root privileges.

The problematic code is as follows:

[tmail.c]
<pre>
char *getusername (char *s,char **t)
{
  char tmp[MAILTMPLEN];
  if (*t = strchr (s,'+')) {    /* have a mailbox specifier? */
    *(*t)++ = '\0';             /* yes, tie off user name */
                                /* user+ and user+INBOX same as user */
                                /* strcpy copies the folder name into tmp with no length check */
    if (!**t || !strcmp ("INBOX",ucase (strcpy (tmp,*t)))) *t = NIL;
  }
  return s;                     /* return user name */
}
</pre>

[dmail.c]
<pre>
int deliver (FILE *f,unsigned long msglen,char *user)
{
  MAILSTREAM *ds = NIL;
  char *s,*mailbox,tmp[MAILTMPLEN],path[MAILTMPLEN];
  STRING st;
  struct stat sbuf;
                                /* have a mailbox specifier? */
  if (mailbox = strchr (user,'+')) {
    *mailbox++ = '\0';          /* yes, tie off user name */
    if (!*mailbox || !strcmp ("INBOX",ucase (strcpy (tmp,mailbox))))
      mailbox = NIL;            /* user+ and user+INBOX...
</pre>
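
In both excerpts the overflow is the unbounded strcpy() of the folder name into tmp[MAILTMPLEN]. The following is an added example, not code from this page or from the UW IMAP project, showing one way to write the tmail check without that copy; the value of MAILTMPLEN and the names getusername_checked and classify are assumptions made here.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>                 /* strcasecmp (POSIX) */

#define MAILTMPLEN 1024              /* assumed buffer size; not stated on the page */

/* Split "user+folder" in place like getusername(), but with no strcpy() into
 * a stack buffer: the folder is length-checked, then compared to "INBOX"
 * case-insensitively where it sits. Returns NULL if the folder is too long. */
char *getusername_checked(char *s, char **folder)
{
    *folder = strchr(s, '+');
    if (*folder != NULL) {
        *(*folder)++ = '\0';                     /* tie off user name */
        if (strlen(*folder) >= MAILTMPLEN)       /* cannot fit a MAILTMPLEN buffer */
            return NULL;
        if (**folder == '\0' || strcasecmp(*folder, "INBOX") == 0)
            *folder = NULL;                      /* user+ and user+INBOX same as user */
    }
    return s;
}

/* Hypothetical demo helper: classify a recipient argument with `pad` extra
 * 'A' bytes appended (constructed input for the over-long case).
 * 1 = folder accepted, 0 = plain user or INBOX, -1 = rejected, -2 = no memory. */
int classify(const char *recipient, size_t pad)
{
    size_t len = strlen(recipient);
    char *arg = malloc(len + pad + 1), *folder;
    int r;
    if (arg == NULL) return -2;
    memcpy(arg, recipient, len);                 /* writable copy: the split edits it */
    memset(arg + len, 'A', pad);
    arg[len + pad] = '\0';
    r = getusername_checked(arg, &folder) == NULL ? -1 : (folder != NULL);
    free(arg);
    return r;
}

int main(void)
{
    printf("%d %d %d\n", classify("user+inbox", 0), classify("user+Archive", 0),
           classify("user+", 4096));
    return 0;
}
```

A caller should treat the NULL return as a delivery error rather than falling back to the user's INBOX, so an over-long folder name is never silently accepted.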

No exploit or PoC is currently available.
There are currently 0 affected product entries.