Subject: DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail
From: Security Team (securityteam@DELPHISPLC.COM)
Date: Thu Jun 08 2000 - 08:20:05 CDT


> ================================================================================
> Delphis Consulting Plc
> ================================================================================
>
> Security Team Advisories
> [05/06/2000]
>
>
> securityteam@delphisplc.com
> [http://www.delphisplc.com/thinking/whitepapers/]
>
> ================================================================================
> Adv : DST2K0011
> Title : DoS & BufferOverrun in CMail v2.4.7 WebMail
> Author : DCIST (securityteam@delphisplc.com)
> O/S : Microsoft Windows NT v4.0 Workstation (SP6)
> Product : CMail v2.4.7
> Date : 05/06/2000
>
> I. Description
>
> II. Solution
>
> III. Disclaimer
>
>
> ================================================================================
>
>
> I. Description
> ================================================================================
>
> Vendor URL: http://www.computalynx.net/
>
> Delphis Consulting Internet Security Team (DCIST) discovered the following
> vulnerabilities in the CMail Server under Windows NT.
>
> Severity: med
>
> The web interface of CMail, which resides by default on port 8002, can be
> used to consume 95% of CPU time in two locations. By default the New user
> creation option is disabled; even though this is the case, it is possible
> to enter a long username of 196k which will cause the CMail process to sit
> at 91 - 95% CPU time. This is only temporary, as the process seems to
> release the CPU after an as yet undefined amount of time.
>
> Severity: high
>
> In the web server which drives the web interface of CMail it is possible to
> cause a buffer overrun in NTDLL.DLL, overwriting the EIP and allowing the
> execution of arbitrary code. This is done by connecting to port 8002, which
> the service resides on by default, and sending a large GET string. The
> string has to be a length of 428 + EIP (4 bytes), making a total of 432
> bytes.
>
> It should be noted that NTDLL is authored by ComputaLynx and not
> Microsoft.
>
>
> II. Solution
> ================================================================================
>
> Vendor Status: Informed
>
> Currently there is no known solution to the problem.
>
> III. Disclaimer
> ================================================================================
> THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
> THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
> IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE
> PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
> CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
> PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
> ================================================================================
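Both findings in the advisory above, the 196k username that pins the CPU and the 432-byte GET string that overruns a fixed buffer in the web server, are closed off by the same defensive pattern: bound the length of every request field before a single byte of it is copied or handed to a handler. The C code below is an added example written for this archive page; it is not CMail's code and does not come from Delphis or ComputaLynx. The limits (MAX_REQUEST_LINE, MAX_TARGET, MAX_USERNAME), the status codes and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits are constructed for this example; a real server would tune them
 * to what its handlers actually need. */
#define MAX_REQUEST_LINE 1024   /* longest request line the reader accepts   */
#define MAX_TARGET       256    /* longest request target copied to a buffer */
#define MAX_USERNAME     64     /* longest username a form handler accepts   */

enum req_status { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_MALFORMED = 2 };

/* Copy src into a fixed-size destination only if it fits together with its
 * NUL terminator; otherwise refuse and leave dst untouched. This is exactly
 * the check that an unbounded copy into a stack buffer lacks. */
int bounded_copy(const char *src, size_t src_len, char *dst, size_t dst_len)
{
    if (dst_len == 0 || src_len + 1 > dst_len)
        return REQ_TOO_LONG;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return REQ_OK;
}

/* Parse "GET <target> HTTP/1.x" and place <target> in out. Over-long lines
 * are rejected before anything is copied, so request size never decides
 * what ends up on the handler's stack. */
int parse_request_target(const char *line, size_t line_len, char *out, size_t out_len)
{
    if (line_len > MAX_REQUEST_LINE)
        return REQ_TOO_LONG;
    if (line_len < 4 || memcmp(line, "GET ", 4) != 0)
        return REQ_MALFORMED;
    const char *start = line + 4;
    const char *end = memchr(start, ' ', line_len - 4);
    if (end == NULL || end == start)
        return REQ_MALFORMED;           /* no version field, or empty target */
    return bounded_copy(start, (size_t)(end - start), out, out_len);
}

/* Validate a username submitted to a "new user" form before any further
 * processing: rejecting it here costs O(1) regardless of how long it is. */
int accept_username(const char *name, size_t name_len, char *out, size_t out_len)
{
    if (name_len == 0)
        return REQ_MALFORMED;
    if (name_len > MAX_USERNAME)
        return REQ_TOO_LONG;
    return bounded_copy(name, name_len, out, out_len);
}

/* Build a request line whose target is n 'A' characters and run it through
 * the parser; shows how the checks behave as the target grows. */
int probe_target_length(size_t n)
{
    size_t line_len = 4 + n + 9;            /* "GET " + target + " HTTP/1.0" */
    char *line = malloc(line_len + 1);
    char target[MAX_TARGET];
    int status;
    if (line == NULL)
        return REQ_MALFORMED;
    memcpy(line, "GET ", 4);
    memset(line + 4, 'A', n);
    memcpy(line + 4 + n, " HTTP/1.0", 10);  /* 9 chars plus the NUL */
    status = parse_request_target(line, line_len, target, sizeof target);
    free(line);
    return status;
}

/* Same idea for the form field: a username of n 'a' characters. */
int probe_username_length(size_t n)
{
    char *name = malloc(n + 1);
    char user[MAX_USERNAME + 1];
    int status;
    if (name == NULL)
        return REQ_MALFORMED;
    memset(name, 'a', n);
    name[n] = '\0';
    status = accept_username(name, n, user, sizeof user);
    free(name);
    return status;
}

int main(void)
{
    char target[MAX_TARGET];
    const char *ok = "GET /index.html HTTP/1.0";
    printf("normal request: %d\n", parse_request_target(ok, strlen(ok), target, sizeof target));
    printf("target: %s\n", target);
    printf("428-byte target: %d\n", probe_target_length(428));
    printf("2000-byte target: %d\n", probe_target_length(2000));
    printf("64-char username: %d\n", probe_username_length(64));
    printf("196k username: %d\n", probe_username_length(196 * 1024));
    return 0;
}
```

The status code, not the copy, is what the rest of the server acts on: a REQ_TOO_LONG result is also the natural place to emit a log line, which gives defenders a signal for oversized requests to port 8002 that the unpatched service, as the advisory notes, has no fix for.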