Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Windows Net Apps :: iserve~1.htm

AVTronics InetServer Buffer Overflow



COMMAND

    InetServer

SYSTEMS AFFECTED

    AVTronics InetServer

PROBLEM

    Following  is  based  on   a  Strumpf  Noir  Society   Advisories.
    AVTronics InetServer is a  freeware product suite for  MS Windows,
    bundling such  services as  SMTP, POP3,  Daytime and  Telnet in  1
    product.

    As so many products offering this, the optional webmail  interface
    bundled with this product features some flaws which could  severly
    degrade system security.

    If the port on which the webmail daemon listens receives a  buffer
    of +/- 800 bytes  or more the InetServer  process will die.   This
    could be (ab)used  to execute a  Denial of Service  attack against
    the server.

    The second  problem enjoys  the same  basis as  the DoS, being the
    webmail interface, but  poses a more  severe threat to  the system
    since the  contents of  the buffer  is written  straight onto  and
    over eip.

    Typically, when a user  intends to access his/her  mailbox through
    the webmail interface, this is  done through a url constructed  as
    such:

        http://server:port/username

    Following  a   basic  WWW-Authentication   (where  the   Realm  is
    'username') the  user is  then taken  into the  specified mailbox.
    The problem lies  in the handling  of the information  provided to
    the  server  by  the  browser  during this WWW-Authentication.  In
    certain cases, the  username and password  combined can compose  a
    buffer to smash eip.  For example:

        username: 140 byte username and
        password: 140 byte password

    will overflow the buffer.  Eip is overwritten by the last 4  chars
    of the password buffer.   The same goes for other  combinations as
    say for example a 700 byte username and a 20 byte password.

    Since  WWW-Authentication  is  triggered  through  any  'username'
    following  the  location  of  the  webmail  interface,  no   prior
    knowledge  of  existing  usernames  is  necessary  to successfully
    complete this attack.

SOLUTION

    Vendor has been notified.  At  the moment we are not aware  of any
    forthcoming fixes.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH