[NT] Ipswitch Web Calendaring Buffer Overflow
From: support@securiteam.com
Date: 10/15/01
From: support@securiteam.com
To: list@securiteam.com
Subject: [NT] Ipswitch Web Calendaring Buffer Overflow
Message-Id: <20011014221857.9F0AD138C1@mail.der-keiler.de>
Date: Mon, 15 Oct 2001 00:18:57 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Ipswitch Web Calendaring Buffer Overflow
------------------------------------------------------------------------
SUMMARY
<http://www.ipswitch.com/products/IMail_Server/web_calendaring.html>
IMail's Web-based calendar allows users to keep secure personal schedules
accessible through an intuitive Web interface. A security vulnerability in
the product allows attackers to cause the web server to execute arbitrary
code.
DETAILS
Vulnerable systems:
* Ipswitch Web Calendaring 7.04 and possibly earlier versions
A request longer than 97 bytes sent to the Web Calendar (port 8484) causes
an overflow, and EIP is overwritten.
Example:
Sending a request like:
GET /'A' x 96 HTTP/1.0
Generates:
Access violation - code c0000005 (first chance)
eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e edi=00000000
eip=61616161 esp=016f99fc ebp=61616161
61616161 ??               ???
This makes it possible to run code as SYSTEM. Note, though, that the server
applies ToLower() (a function that replaces all upper-case characters with
their lower-case counterparts) to the buffer before the overflow occurs,
which limits the instructions that can be used. The 61616161 in EIP and EBP
above is the request's 'A' bytes (0x41) after that lowercasing.
Solution:
Download the new version from:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe
ADDITIONAL INFORMATION
The information has been provided by Andreas Junestam
<andreas@defcom.com>.
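For hosts that cannot take the hotfix immediately, oversize requests to the Web Calendar port can be flagged at a proxy or in captured traffic. The following is an added example, not code from SecuriTeam or Ipswitch; the 96-byte limit, the 32-byte filler-run threshold, the function names and the sample requests are assumptions constructed from the figures in the advisory.

```python
# Added example: classify request lines bound for the Web Calendar port.
# Assumption: the advisory's example target ("/" + 96 bytes) is 97 bytes long,
# so a target of 97 bytes or more is treated as suspicious.
MAX_SAFE_TARGET = 96
WEB_CALENDAR_PORT = 8484  # port named in the advisory
FILLER_RUN = 32           # assumed: a run this long of one byte looks like padding

def parse_request_line(raw: bytes):
    """Return (method, target, version), or None if the line is malformed."""
    line = raw.split(b"\n", 1)[0].rstrip(b"\r")
    parts = line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return tuple(parts)

def longest_run(data: bytes) -> int:
    """Length of the longest run of a single repeated byte value."""
    best = run = 0
    prev = None
    for b in data:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best

def classify(dst_port: int, raw: bytes) -> str:
    """Return 'ignore', 'ok', 'malformed', 'oversize' or 'oversize-filler'."""
    if dst_port != WEB_CALENDAR_PORT:
        return "ignore"
    parsed = parse_request_line(raw)
    if parsed is None:
        # An unparseable line can still be oversize; judge it on raw length.
        return "oversize" if len(raw) > MAX_SAFE_TARGET else "malformed"
    target = parsed[1]
    if len(target) <= MAX_SAFE_TARGET:
        return "ok"
    return "oversize-filler" if longest_run(target) >= FILLER_RUN else "oversize"

# Constructed sample traffic (not captured from a real system).
SAMPLES = [
    (8484, b"GET /calendar HTTP/1.0\r\n\r\n"),
    (8484, b"GET /" + b"A" * 96 + b" HTTP/1.0\r\n\r\n"),
    (8484, b"GET /" + b"/".join(b"seg%02d" % i for i in range(20)) + b" HTTP/1.0\r\n\r\n"),
    (80, b"GET /" + b"A" * 96 + b" HTTP/1.0\r\n\r\n"),
]

if __name__ == "__main__":
    for port, raw in SAMPLES:
        print(port, len(raw), classify(port, raw))
```

Because the check looks only at length and byte repetition, it gives the same result whether the request is seen before or after the server's lowercasing.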