[NT] Multiple Vulnerabilities in JanaServer

From: support@securiteam.com
To: list@securiteam.com
Date: Fri, 26 Jul 2002 19:26:19 +0200 (CEST)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Multiple Vulnerabilities in JanaServer
------------------------------------------------------------------------

SUMMARY

 <http://www.janaserver.com/> JanaServer is Internet gateway software for the
Windows platform. It can act as an HTTP/FTP/NEWS/SNTP server, a
SOCKS4/SOCKS5/HTTP/FTP/TELNET/RealAudio proxy, an e-mail gateway and a port
mapper. JanaServer up to 1.46 was freeware; JanaServer 2.0 and above is
shareware, and it is widely deployed in SOHO networks. Under the NT
platform it runs as a service with system privileges, so a flaw that yields
code execution yields control of the whole host. Multiple security
vulnerabilities have been found in the product, giving attackers a range
of methods to compromise the remote machine.

DETAILS

Vulnerable systems:
 * JanaServer 2.2.1 and prior
 * JanaServer 1.46 and prior

Vulnerability details:
1. HTTP server buffer overflow
An oversized HTTP version string in the request line:
GET / HTTP/[buffer].0

overflows a fixed-size buffer in the logging component when the request is
written to the log.

2. HTTP proxy buffer overflow
The same logging overflow is reachable through the HTTP proxy server
listening on TCP/3128.

3. SOCKS5 username/password/hostname signed/unsigned buffer overflow
A username, password or hostname in a SOCKS5 request longer than 127
characters causes a buffer overflow. The length octet is handled in a signed
variable, so lengths of 128 and above are seen as negative values, defeating
the bounds check and letting the copy run past the buffer.
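The signed-length mistake behind item 3, as an added example written for this page rather than code from JanaServer or the advisory's author. The request layout follows RFC 1929 (VER, ULEN, UNAME, PLEN, PASSWD); the 128-byte username buffer, the function names and the constructed request are assumptions made for the demonstration:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Username buffer size the advisory's "longer than 127 characters" threshold
   implies (assumption). RFC 1929 allows ULEN up to 255. */
#define USER_BUF 128

/* Build a constructed RFC 1929 subnegotiation request:
   VER(0x01) ULEN UNAME PLEN PASSWD. Returns bytes written, 0 on error. */
size_t build_auth_request(unsigned char *out, size_t outsz, size_t ulen, size_t plen)
{
    size_t need = 3 + ulen + plen;
    if (ulen > 255 || plen > 255 || need > outsz) return 0;
    out[0] = 0x01;
    out[1] = (unsigned char)ulen;
    memset(out + 2, 'A', ulen);
    out[2 + ulen] = (unsigned char)plen;
    memset(out + 3 + ulen, 'B', plen);
    return need;
}

/* Vulnerable pattern: the length octet lands in a signed byte. Returns the
   count the server would hand to memcpy, or 0 if the bounds check rejected
   it. The check is dead code: a signed char never exceeds 127. */
size_t vulnerable_copy_len(const unsigned char *req)
{
    signed char ulen = (signed char)req[1];
    if (ulen > USER_BUF - 1)      /* 128..255 arrive as -128..-1: never true */
        return 0;
    return (size_t)ulen;          /* negative -> enormous size_t: memcpy overflows */
}

/* Hardened parse: unsigned length, bounded by both the packet and the buffer.
   Returns the username length, or -1 if the request is rejected. */
int parse_username(const unsigned char *req, size_t reqlen, char *out, size_t outsz)
{
    if (reqlen < 2 || req[0] != 0x01) return -1;
    unsigned char ulen = req[1];
    if ((size_t)ulen + 2 > reqlen || (size_t)ulen >= outsz) return -1;
    memcpy(out, req + 2, ulen);
    out[ulen] = '\0';
    return ulen;
}

/* Scenario helpers: build a request with a ulen-byte username and run it
   through each parser, so one call exercises one case. */
size_t vulnerable_copy_len_for(size_t ulen)
{
    unsigned char req[600];
    size_t n = build_auth_request(req, sizeof req, ulen, 8);
    return n ? vulnerable_copy_len(req) : 0;
}

int hardened_result_for(size_t ulen, size_t outsz)
{
    unsigned char req[600];
    char user[256];
    size_t n = build_auth_request(req, sizeof req, ulen, 8);
    if (!n || outsz > sizeof user) return -1;
    return parse_username(req, n, user, outsz);
}
```

With a 200-byte username the vulnerable path accepts the request and asks memcpy for SIZE_MAX-55 bytes; the hardened parser either accepts it into a 256-byte buffer (large enough for any RFC 1929 length) or rejects it against a 128-byte one.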

4. POP3 gateway buffer overflow
An oversized reply from a malicious or spoofed upstream POP3 server:
+OK [buffer]

causes a buffer overflow in the logging component.

5. SMTP gateway buffer overflow
The same logging overflow is triggered by an oversized SMTP server response:
nnn [buffer]

where nnn is any three-digit reply code.

6. FTP server PASV system-wide DoS
On each PASV command the server allocates a new listening TCP port without
closing the one allocated by the previous PASV. A client that repeats PASV
can therefore consume every free TCP port on the system, denying service to
every other application on the host, not just the FTP server.
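An added example (not JanaServer's code) of the leak described in item 6, contrasting a PASV handler that forgets the previous listener with one that closes it first. The session struct, the function names and the loopback listeners are assumptions of the demonstration, and five PASV commands stand in for the tens of thousands that would actually exhaust a port range:

```c
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Per-control-connection state; only the passive-mode listener is modelled
   (assumption: JanaServer's real session structure is not public). */
struct ftp_session {
    int data_listener;      /* -1 when no passive socket is held */
};

/* Open a listening socket on 127.0.0.1 with a kernel-chosen port, as a PASV
   handler must. Returns the descriptor or -1 on error. */
static int open_pasv_listener(void)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    sa.sin_port = 0;                        /* any free port */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 1) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Leaky handler (the advisory's behaviour): each PASV opens another listener
   and overwrites the reference to the previous one, which stays bound until
   the process exits. Repeat often enough and no free port remains. */
int pasv_leaky(struct ftp_session *s)
{
    s->data_listener = open_pasv_listener();
    return s->data_listener;
}

/* Fixed handler: release the listener from the previous PASV before binding
   another, so a session holds at most one passive port at a time. */
int pasv_fixed(struct ftp_session *s)
{
    if (s->data_listener >= 0) {
        close(s->data_listener);
        s->data_listener = -1;
    }
    s->data_listener = open_pasv_listener();
    return s->data_listener;
}

/* 1 if fd is an open descriptor in this process, 0 otherwise. */
static int fd_is_open(int fd)
{
    return fd >= 0 && fcntl(fd, F_GETFD) != -1;
}

/* Send `repeats` PASV commands through `handler` and return how many distinct
   listening sockets remain open afterwards: 1 for a correct server, `repeats`
   for the leaky one. Every socket is closed before returning. -1 on error. */
int open_listeners_after(int (*handler)(struct ftp_session *), int repeats)
{
    int fds[64], count = 0;
    struct ftp_session s = { -1 };

    if (repeats < 1 || repeats > 64) return -1;
    for (int i = 0; i < repeats; i++) {
        fds[i] = handler(&s);
        if (fds[i] < 0) { repeats = i; count = -1; break; }
    }
    /* A closed descriptor number is reused by the next socket(), so count each
       number once, and only if the kernel still considers it open. */
    for (int i = 0; i < repeats && count >= 0; i++) {
        int seen = 0;
        for (int j = 0; j < i; j++) if (fds[j] == fds[i]) seen = 1;
        if (!seen && fd_is_open(fds[i])) count++;
    }
    for (int i = 0; i < repeats; i++)
        if (fd_is_open(fds[i])) close(fds[i]);
    return count;
}
```

A production handler would additionally time out a passive listener that never receives a data connection; closing the previous one on each PASV is the minimum that stops a single client from holding ports for the whole system.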

7. POP3 username/password brute force
The POP3 gateway returns different diagnostics for valid and invalid
usernames and allows an unlimited number of authentication attempts. Valid
accounts can therefore be enumerated and their passwords brute-forced.

8. POP3 array index overrun (JanaServer 1.46 and prior)
Mailbox commands do not check that the message index is valid. For example
RETR 1000000
or
DELE 1000000

crashes the server. JanaServer 2.2.1 is not vulnerable.

Workarounds:
1. Disable HTTP logging.
2. Disable HTTP proxy logging.
3. Disable the SOCKS proxy.
4, 5. Edit the Texte.dat file and replace every occurrence of "%s" with
"%.255s" in lines 300 to 455. The precision limits how many characters the
formatter copies from the untrusted server reply; it helps only as long as
255 characters plus the fixed text of the message still fit the log buffer.
6. Disable the FTP server.
7, 8. Disable the mail gateway.
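An added example, not code from JanaServer or the advisory, showing why items 1, 2, 4 and 5 share one root cause and what workaround 4/5 changes: an unbounded %s pulls an attacker-sized field into a fixed log buffer, while %.255s caps the copy. The Texte.dat edit is modelled by cap_string_conversions; the 512- and 256-byte buffer sizes, the format strings and the filler lengths are assumptions:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Rewrite every "%s" conversion in fmt as "%.<cap>s", leaving "%%", other
   conversions and conversions that already carry a precision untouched. This
   models the Texte.dat edit from the workarounds. Returns 0 on success, -1 if
   out is too small or fmt ends in a bare '%'. */
int cap_string_conversions(const char *fmt, int cap, char *out, size_t outsz)
{
    char spec[16];
    int speclen = snprintf(spec, sizeof spec, "%%.%ds", cap);
    size_t o = 0;

    if (speclen < 0 || (size_t)speclen >= sizeof spec) return -1;
    for (const char *p = fmt; *p; p++) {
        if (*p == '%') {
            if (p[1] == '\0') return -1;
            if (p[1] == '%') {                 /* literal percent sign */
                if (o + 2 >= outsz) return -1;
                out[o++] = '%'; out[o++] = '%'; p++;
                continue;
            }
            if (p[1] == 's') {                 /* the unbounded conversion */
                if (o + (size_t)speclen >= outsz) return -1;
                memcpy(out + o, spec, (size_t)speclen);
                o += (size_t)speclen; p++;
                continue;
            }
        }
        if (o + 1 >= outsz) return -1;
        out[o++] = *p;
    }
    out[o] = '\0';
    return 0;
}

/* Convenience for checking a rewrite: 1 if fmt rewritten with cap equals expect. */
int cap_rewrite_equals(const char *fmt, int cap, const char *expect)
{
    char out[256];
    return cap_string_conversions(fmt, cap, out, sizeof out) == 0 &&
           strcmp(out, expect) == 0;
}

/* Bytes (excluding the NUL) that sprintf(buf, fmt, field) would write;
   snprintf with a zero size measures without writing anything. fmt must
   contain exactly one string conversion. */
int formatted_len(const char *fmt, const char *field)
{
    return snprintf(NULL, 0, fmt, field);
}

/* Model the advisory's trigger: a request or reply field of fieldlen filler
   bytes (constructed here) logged through fmt into a bufsz-byte buffer.
   Returns 1 if the line would overrun the buffer, 0 if it fits, -1 on error. */
int trigger_overruns(const char *fmt, size_t fieldlen, size_t bufsz)
{
    char *field = malloc(fieldlen + 1);
    int n;
    if (!field) return -1;
    memset(field, 'A', fieldlen);
    field[fieldlen] = '\0';
    n = formatted_len(fmt, field);
    free(field);
    if (n < 0) return -1;
    return (size_t)n + 1 > bufsz;
}

/* The same check after applying the %.<cap>s workaround to fmt. */
int trigger_overruns_capped(const char *fmt, int cap, size_t fieldlen, size_t bufsz)
{
    char fixed[256];
    if (cap_string_conversions(fmt, cap, fixed, sizeof fixed) != 0) return -1;
    return trigger_overruns(fixed, fieldlen, bufsz);
}
```

The last two checks in the test make the caveat concrete: a 1000-byte "+OK" banner no longer overruns a 512-byte buffer once the conversion is capped, but the same capped line still overruns a 256-byte buffer, because the message's fixed text is added on top of the 255 characters.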

Vendor and solution:
The vendor was informed on July 18, 2002 and claims that all bugs are fixed.
There has been no reply from the vendor since July 19, 2002, and no fixed
version is announced on the product's site.

ADDITIONAL INFORMATION

The information has been provided by <mailto:3APA3A@SECURITY.NNOV.RU>
3APA3A.

This bulletin is sent to members of the SecuriTeam mailing list.

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


