[NT] SLMail Pro Supervisor Report Center Buffer Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 03/08/04

    To: list@securiteam.com
    Date: 8 Mar 2004 16:41:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SLMail Pro Supervisor Report Center Buffer Overflow
    ------------------------------------------------------------------------

    SUMMARY

    SLMail Pro <http://www.slmail.com/default.asp> is a complete e-mail
    solution designed for the small to medium enterprise. A default install of
    SLMail Pro includes the installation of the Supervisor Report Center; this
    has been found vulnerable to a stack-based buffer overflow.

    DETAILS

    Vulnerable Systems:
     * SLMail Pro version 2.0.9 and earlier

    Immune Systems:
     * SLMail Pro version 2.0.14 or newer

    The Supervisor Report Center is a self-contained web server. The image
    file for the web server is webcontainer.exe and the server HTTP response
    header is returned as "OctoWebSvr/COM". The web server listens on TCP port
    801 by default. An attacker can trigger the overflow by making an HTTP
    request and providing an overly long HTTP sub-version (HTTP/1.x). This
    sub-version is copied to a stack-based buffer and is used in the server's
    response to the client. On overflow, the saved return address stored on the
    stack is overwritten, allowing the attacker to redirect the process's flow
    of execution and run arbitrary code.
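
The bounds check that this class of bug lacks, as an added example (not code from SLMail Pro, NGSSoftware or the original advisory): a request-line parser that validates the HTTP sub-version before echoing it into a response. The function names, the `SUBVER_MAX` limit and the sample request lines are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SUBVER_MAX 4   /* assumed cap: up to 3 digits plus the NUL */

/* Extract the sub-version (the "x" in HTTP/1.x) from a request line into
 * out[outlen]. Returns 0 on success, -1 if the token is malformed or too
 * long. The bug class in the advisory is an unbounded copy of this token
 * into a fixed stack array; here the length is checked before any copy. */
int parse_subversion(const char *line, char *out, size_t outlen)
{
    const char *p = strrchr(line, ' ');       /* version is the last token */
    if (p == NULL || strncmp(p + 1, "HTTP/1.", 7) != 0)
        return -1;
    p += 8;                                    /* first sub-version char */
    size_t n = 0;
    while (isdigit((unsigned char)p[n]))
        n++;
    if (n == 0 || n >= outlen)                 /* empty or would not fit */
        return -1;
    if (p[n] != '\0' && p[n] != '\r' && p[n] != '\n')
        return -1;                             /* trailing garbage */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Build the status line that echoes the client's sub-version. Returns the
 * number of bytes written, or -1 on rejection or truncation. */
int build_status_line(const char *request_line, char *resp, size_t resplen)
{
    char subver[SUBVER_MAX];
    if (parse_subversion(request_line, subver, sizeof subver) != 0)
        return -1;
    int n = snprintf(resp, resplen, "HTTP/1.%s 200 OK\r\n", subver);
    return (n < 0 || (size_t)n >= resplen) ? -1 : n;
}

int main(void)
{
    char resp[64];
    /* Constructed sample request lines, not captured traffic. */
    const char *ok  = "GET / HTTP/1.1\r\n";
    const char *bad = "GET / HTTP/1.11111111111111111111111111111111\r\n";
    printf("ok  -> %d\n", build_status_line(ok, resp, sizeof resp));
    printf("bad -> %d\n", build_status_line(bad, resp, sizeof resp));
    return 0;
}
```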

    Fix Information:
    SLMail have made available a patch to resolve this issue:
    http://216.26.170.92/Products/SLMailPro/Utilities.asp
    Customers are urged to update as soon as is possible.

    ADDITIONAL INFORMATION

    The information has been provided by David Litchfield
    <mailto:david@ngssoftware.com>.

    The original article can be found at:
    http://www.ngssoftware.com/advisories/slmailsrc.txt


    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

