OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
advisories_at_texonet.com
Date: Tue Dec 10 2002 - 05:04:43 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ----------------------------------------------------------------------------
    -
    Texonet Security Advisory 20021210
    ----------------------------------------------------------------------------
    -
    Advisory ID : TEXONET-20021210
    Authors : Joel Soderberg and Christer Oberg (advisoriestexonet.com)
    Issue date : 12-10-2002
    Application : PC-cillin (OfficeScan Corp. Edition 5.02)
    Version(s) : 2000, 2002 and 2003
    Platforms : Windows 98/ME/2000/XP
    Availability : http://www.texonet.com/advisories/TEXONET-20021210.txt
    ----------------------------------------------------------------------------
    -

    Problem:
    ----------------------------------------------------------------------------
    -
    PC-cillin has an unchecked buffer in pop3trap.exe

    Description:
    ----------------------------------------------------------------------------
    -
    PC-cillin comes with a mail scanning feature that scans all incoming mail
    for
    viruses, this is accomplished by connecting the mail client to a local
    service
    listening on port 110 (pop3). This service is only listening for connections
    from the local machine and acts as a proxy. The program running this service
    is pop3trap.exe. Connecting to the local port 110 and sending a lot of
    characters will crash the program with a direct hit on the EIP, this makes
    it
    possible to run malicious code. The code will be run using the privileges of
    the user owning the pop3trap.exe process.

    Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110

    Example 2: http://127.0.0.1:110/[put 1100 a's here]

    Workaround:
    ----------------------------------------------------------------------------
    -
    Download the appropriate Service Pack from:

    http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982

    Disclosure Timeline:
    ----------------------------------------------------------------------------
    -
    11/14/2002: Vendor notified by e-mail
    11/15/2002: Standard support reply received from vendor
    11/15/2002: Requested contact information from vendor
    11/15/2002: Reply received from vendor with contact recommendations
    11/15/2002: Advisory sent in accordance to vendors recommendations
    11/21/2002: Vendor has verified the issue and is working on the solution
    12/10/2002: Issue released to the public

    About Texonet:
    ----------------------------------------------------------------------------
    -
    Texonet is a Swedish based security company with a focus on penetration
    testing / security assessments, research and development.

    Contacting Texonet:
    ----------------------------------------------------------------------------
    -
    E-mail: advisoriestexonet.com
    Homepage: http://www.texonet.com/
    Phone: +46-8-55174611