Subject: [NEWS] XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)
From: Aviram Jenik (aviram BEYONDSECURITY.COM)
Date: Wed Sep 06 2000 - 16:11:21 CDT
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com
XMail vulnerable to a remotely exploitable buffer overflow (APOP, USER)
----------------------------------------------------------------------------

SUMMARY
XMail <http://www.maticad.it/davide/xmail.asp> is an Internet and intranet mail server featuring an SMTP server, POP3 server, finger server, multiple domains, and more. XMail's parsing function does not perform proper bounds checking when parsing the APOP and USER commands, which allows a remote attacker to execute arbitrary code by issuing a long APOP or USER command.
DETAILS
Vulnerable systems: XMail versions prior to 0.59
Immune systems: XMail version 0.59
By issuing standard POP3 commands to the XMail POP3 server it is possible to cause it to overflow an internal buffer, thus causing it to execute arbitrary code.
For example, after you connect to an XMail POP server, sending any of the commands:
USER [a buffer of over 256 characters]
APOP [a buffer of over 256 characters] [a buffer of over 256 characters]
will crash the server. If the buffer is properly crafted, arbitrary code can be executed.
Patch: A patched version can be downloaded from: http://www.maticad.it/davide/xmail.asp
ADDITIONAL INFORMATION
The security hole was discovered by Beyond Security's SecuriTeam (expert
securiteam.com).
====================
DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
====================
-- Aviram Jenik Beyond Security Ltd. http://www.BeyondSecurity.com http://www.SecuriTeam.com
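
Added example (not part of the advisory and not XMail's code): a POP3 command parser that checks each argument's length before copying and rejects overlong USER/APOP arguments instead of overflowing. The names pop3_parse, take_token and struct pop3_cmd are hypothetical, and the 256-byte field size is an assumption taken from the advisory's "over 256 characters".

```c
#include <stdio.h>
#include <string.h>

#define POP3_ARG_MAX  256  /* assumed field size, from the advisory's "over 256 characters" */
#define POP3_MAX_ARGS 2    /* APOP carries two arguments, USER one */

struct pop3_cmd {
    char verb[8];
    char args[POP3_MAX_ARGS][POP3_ARG_MAX];
    int  nargs;
};

/* Copy one space-delimited token into dst (capacity cap, including NUL).
 * Returns a pointer past the token and any spaces, or NULL if it does not fit. */
static const char *take_token(const char *p, char *dst, size_t cap)
{
    size_t len = strcspn(p, " \r\n");
    if (len == 0 || len >= cap)
        return NULL;            /* empty or overlong: reject, never truncate */
    memcpy(dst, p, len);
    dst[len] = '\0';
    return p + len + strspn(p + len, " ");
}

/* Hypothetical parser: returns 0 on success, -1 if the line should get -ERR. */
int pop3_parse(const char *line, struct pop3_cmd *out)
{
    const char *p = line + strspn(line, " ");
    memset(out, 0, sizeof *out);
    if ((p = take_token(p, out->verb, sizeof out->verb)) == NULL)
        return -1;
    while (*p != '\0' && *p != '\r' && *p != '\n') {
        if (out->nargs == POP3_MAX_ARGS)
            return -1;          /* more arguments than any command here takes */
        p = take_token(p, out->args[out->nargs++], POP3_ARG_MAX);
        if (p == NULL)
            return -1;          /* argument would not fit its buffer */
    }
    return 0;
}

int main(void)
{
    char line[600] = "USER ";   /* constructed input: 400-byte argument */
    struct pop3_cmd c;
    memset(line + 5, 'A', 400);
    printf("short: %d\n", pop3_parse("USER alice\r\n", &c));
    printf("long:  %d\n", pop3_parse(line, &c));
    return 0;
}
```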