[NT] Multiple Vulnerabilities in JanaServer

From: support@securiteam.com
Date: 07/26/02


From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 26 Jul 2002 19:26:19 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities in JanaServer
------------------------------------------------------------------------

SUMMARY

 <http://www.janaserver.com/> JanaServer is Internet gateway software for
the Windows platform. It can act as an HTTP/FTP/NEWS/SNTP server, a
SOCKS4/SOCKS5/HTTP/FTP/TELNET/Real Audio proxy, an e-mail gateway and a
port mapper. JanaServer up to 1.46 was freeware; JanaServer 2.0 and above
is shareware. It is used intensively in SOHO networks. Under the NT
platform it runs as a service with system privileges. Multiple security
vulnerabilities have been found in the product, giving attackers a range
of methods to compromise the remote host.

DETAILS

Vulnerable systems:
 * JanaServer 2.2.1 and prior
 * JanaServer 1.46 and prior

Vulnerability details:
1. HTTP server buffer overflow
A request line of the form
GET / HTTP/[buffer].0

causes an overflow in the logging component.

2. HTTP proxy buffer overflow
The same overflow exists in the HTTP proxy server running on TCP/3128.

3. SOCKS5 username/password/hostname signed/unsigned buffer overflow
A username, password or hostname longer than 127 characters in a SOCKS5
request causes a buffer overflow, because the field length is handled in
a signed variable.

4. POP3 gateway buffer overflow
An oversized reply from the POP3 server, of the form
+OK [buffer]

causes a buffer overflow in the logging component.

5. SMTP gateway buffer overflow
The same overflow occurs with an SMTP server response of the form:
nnn [buffer]

6. FTP server PASV system-wide DoS
On the FTP PASV command the server allocates a TCP port without closing
the previously allocated one. This makes it possible to consume all TCP
ports available in the system.

7. POP3 username/password brute force
The POP3 gateway returns different diagnostics for valid and invalid
usernames and allows an unlimited number of authentication attempts. This
makes it easy to brute force the username/password.

8. POP3 array index overrun (JanaServer version 1.46 and prior)
During mailbox commands there is no check that the message index is
valid. For example
RETR 1000000
or
DELE 1000000

will cause the server to crash. JanaServer 2.2.1 is not vulnerable.
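As an added illustration of item 3 (this is not code from the advisory or from JanaServer, whose source is not shown here), the hardened-parser shape that avoids the signed-length bug, written against the RFC 1929 username/password subnegotiation layout; the struct and function names and the constructed self-check inputs are assumptions:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* RFC 1929 subnegotiation: VER(1) ULEN(1) UNAME(ULEN) PLEN(1) PASSWD(PLEN).
 * Length octets are unsigned, so a field may legitimately be up to 255 bytes. */
#define MAX_FIELD 255
struct socks5_auth { char user[MAX_FIELD + 1]; char pass[MAX_FIELD + 1]; };

/* The bug pattern the advisory describes, for contrast (comment only, not compiled):
 *   char ulen = msg[1];             // signed char: octets 0x80..0xFF read as negative
 *   if (ulen > 127) return -1;      // can never be true, so the length check is dead
 *   memcpy(user, msg + 2, ulen);    // a negative length converts to a huge size_t */

/* Hardened parser: lengths are read as uint8_t and every copy is bounded by the
 * number of bytes actually received. Returns 0 on success, -1 on malformed input. */
int parse_socks5_auth(const uint8_t *msg, size_t len, struct socks5_auth *out)
{
    size_t pos = 0;
    if (len < 2 || msg[pos++] != 0x01) return -1;              /* VER must be 0x01 */
    uint8_t ulen = msg[pos++];                                 /* 0..255, never negative */
    if (ulen == 0 || len - pos < (size_t)ulen + 1) return -1;  /* need UNAME and PLEN */
    memcpy(out->user, msg + pos, ulen); out->user[ulen] = '\0';
    pos += ulen;
    uint8_t plen = msg[pos++];
    if (len - pos < plen) return -1;                           /* truncated PASSWD */
    memcpy(out->pass, msg + pos, plen); out->pass[plen] = '\0';
    return 0;
}

/* Self-check: a constructed 200-byte username (in the >127 range that triggered
 * the overflow) is accepted and copied intact. */
int selftest_long_username(void)
{
    uint8_t msg[2 + 200 + 1 + 2];
    struct socks5_auth a;
    msg[0] = 0x01; msg[1] = 200; memset(msg + 2, 'A', 200);
    msg[202] = 2; msg[203] = 'p'; msg[204] = 'w';
    return parse_socks5_auth(msg, sizeof msg, &a) == 0 && strlen(a.user) == 200
        && strcmp(a.pass, "pw") == 0;
}

/* Self-check: a constructed message whose ULEN claims more bytes than arrived is rejected. */
int selftest_truncated(void)
{
    uint8_t msg[4] = { 0x01, 200, 'A', 'A' };   /* ULEN=200 but only 2 bytes follow */
    struct socks5_auth a;
    return parse_socks5_auth(msg, sizeof msg, &a) == -1;
}
```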

Workarounds:
1. Disable HTTP logging
2. Disable HTTP proxy logging
3. Disable the SOCKS proxy
4,5. Edit the Texte.dat file, replacing all occurrences of "%s" with
"%.255s" in lines numbered 300 to 455.
6. Disable the FTP server
7,8. Disable the mail gateway

Vendor and solution:
The vendor was informed on July 18 2002. The vendor claims all bugs are
fixed. There has been no reply from the vendor since July 19 2002. No
information about a fixed version is available on the product's site.

ADDITIONAL INFORMATION

The information has been provided by 3APA3A
<mailto:3APA3A@SECURITY.NNOV.RU>.
