OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: SNS Research (vuln-devgreyhack.com)
Date: Wed Aug 22 2001 - 12:05:45 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Strumpf Noir Society Advisories
    ! Public release !
    <--#

    -= AVTronics InetServer DoS and BoF Vulnerabilities =-

    Release date: Wednesday, August 22, 2001

    Introduction:

    AVTronics InetServer is a freeware product suite for MS Windows,
    bundling such services as SMTP, POP3, Daytime and Telnet in 1 product.

    InetServer is available from: http://www.avtronics.net

    Problem(s):

    As so many products offering this, the optional webmail interface
    bundled with this product features some flaws which could severly
    degrade system security.

    Denial of Service

    If the port on which the webmail daemon listens receives a buffer of
    +/- 800 bytes or more the InetServer process will die. This could be
    (ab)used to execute a Denial of Service attack against the server.

    WWW-Authentication buffer overflows

    The second problem enjoys the same basis as the DoS, being the webmail
    interface, but poses a more severe threat to the system since the
    contents of the buffer is written straight onto and over eip.

    Typically, when a user intends to access his/her mailbox through the
    webmail interface, this is done through a url constructed as such:

    http://server:port/username

    Following a basic WWW-Authentication (where the Realm is 'username')
    the user is then taken into the specified mailbox. The problem lies
    in the handling of the information provided to the server by the
    browser during this WWW-Authentication. In certain cases, the username
    and password combined can compose a buffer to smash eip.

    For example:

    username: 140 byte username and
    password: 140 byte password

    will overflow the buffer. Eip is overwritten by the last 4 chars of the
    password buffer. The same goes for other combinations as say for example
    a 700 byte username and a 20 byte password.

    Since WWW-Authentication is triggered through any 'username' following
    the location of the webmail interface, no prior knowledge of existing
    usernames is necessary to successfully complete this attack.

    (..)

    Solution:

    Vendor has been notified. At the moment we are not aware of any
    forthcoming fixes.

    This was tested against InetServer 3.2.1 and 3.1.1 on Win2k. Earlier
    versions are expected to be vulnerable.

    yadayadayada

    Free sk8! (http://www.freesk8.org)

    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant, all information is provided on AS IS basis.

    EOF, but Strumpf Noir Society will return!