[NT] Ipswitch IMail LDAP Daemon Remote Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 02/18/04

    To: list@securiteam.com
    Date: 18 Feb 2004 10:16:20 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Ipswitch IMail LDAP Daemon Remote Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    Ipswitch IMail Server (http://www.ipswitch.com/products/IMail_Server/index.html)
    is "a Windows based messaging solution with a customer base of over
    53 million users". Exploitation of a remote buffer overflow within the
    LDAP daemon of Ipswitch IMail Server allows attackers to execute arbitrary
    code under administrator privileges.

    DETAILS

    Vulnerable Systems:
     * LDAP daemon (iLDAP.exe ver. 3.9.15.10) shipping with IMail Server
    version 8.03

    Immune Systems:
     * IMail Server version 8.05 Hotfix 2

    LDAP messages are comprised of tags, each consisting of an identifier, a
    length and the content. An integer is represented in LDAP by the
    identifier byte 0x02, followed by the length of the integer in bytes,
    followed by the integer itself. As an example, the tag
    0x02 0x03 0x0A 0x25 0xBD represents the integer 665,501 (0xA25BD). The
    problem exists due to insufficient bounds checking when user-supplied
    data with a large tag length is copied into a stack-based buffer. The
    following assembly instruction can be abused to overwrite memory addresses
    at offsets from the current frame pointer, because the attacker controls
    both ecx and var_4 at the time of exploitation:

    .text:00401188 mov byte ptr [ebp+ecx+var_4], dl

    An attacker can utilize this to overwrite the address of the Global
    Exception Handler, which can be found at a static distance from the frame
    pointer. Overwriting this address with that of a memory location
    containing a JMP/CALL ebx instruction (in Windows 2000) or a POP xxx POP
    xxx RET instruction (in Windows XP), allows the attacker to redirect the
    flow of control to his or her own supplied code.
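    As an added example (not part of the advisory, and not Ipswitch's or iDEFENSE's code), the following Python reads one BER tag the way a hardened LDAP daemon should: the declared length is validated against the remaining input and a cap before any bytes are copied, which is the check the advisory says iLDAP.exe lacked. It also accepts long-form lengths (0x80|n followed by n length bytes), which the advisory does not cover; the sample bytes and the MAX_TAG_LEN cap are constructed for this example.

```python
# Added example (not iDEFENSE's or Ipswitch's code): a BER tag reader with
# the bounds check whose absence the advisory describes.
# Constructed inputs (assumption: not captured IMail traffic).
EXAMPLE_INTEGER = bytes.fromhex("02 03 0A 25 BD")  # the advisory's tag
TRUNCATED = bytes.fromhex("02 05 41")              # claims 5 bytes, carries 1
OVERSIZED = bytes.fromhex("02 84 7F FF FF FF")     # long form, claims ~2 GiB
MAX_TAG_LEN = 64 * 1024  # hypothetical per-tag cap chosen for this example

def read_length(buf, pos):
    """Decode the BER length at buf[pos]; return (length, next_pos).
    Short form: one byte below 0x80. Long form: 0x80|n, then n bytes."""
    if pos >= len(buf):
        raise ValueError("truncated: no length byte")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("bad long-form length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n

def parse_tag(buf, pos=0):
    """Return (identifier, content, next_pos) for one tag. The declared
    length is validated against the cap and the remaining bytes *before*
    any copy; that is the check the vulnerable iLDAP.exe lacked."""
    if pos >= len(buf):
        raise ValueError("truncated: no identifier byte")
    ident = buf[pos]
    length, pos = read_length(buf, pos + 1)
    if length > MAX_TAG_LEN:
        raise ValueError(f"tag length {length} exceeds cap {MAX_TAG_LEN}")
    if pos + length > len(buf):
        raise ValueError(f"tag length {length} exceeds remaining input")
    return ident, buf[pos:pos + length], pos + length

def decode_integer(buf):
    """Decode a BER INTEGER tag (identifier 0x02) into a Python int."""
    ident, content, _ = parse_tag(buf)
    if ident != 0x02 or not content:
        raise ValueError("not a well-formed INTEGER tag")
    return int.from_bytes(content, "big", signed=True)

def is_safe(buf):
    """True when buf carries one well-formed tag within bounds."""
    try:
        parse_tag(buf)
        return True
    except ValueError:
        return False
```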

    Analysis:
    Successful exploitation allows unauthenticated remote attackers to execute
    arbitrary code under administrator privileges. Exploitation is possible
    on both Windows 2000 and XP; however, the exploit requires minor changes
    to work on each platform.

    Workarounds:
    Disable or firewall the LDAP service (TCP port 389) if unneeded.

    Vendor Status:
    "Testing has completed their review of 8.05 Hotfix 2 and we are ready to
    release."

    The fix will be available for download at:
    http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html

    Disclosure Timeline:
    October 31, 2003 Exploit acquired by iDEFENSE
    February 2, 2004 Initial vendor notification
    February 3, 2004 iDEFENSE clients notified
    February 3, 2004 Vendor response received
    February 17, 2004 Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by iDefense Labs (labs@iDefense.com).

    The original article can be found at:
    http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities
