Strumpf Noir Society Advisories ! Public release ! <--# -= AVTronics InetServer DoS and BoF Vulnerabilities =- Release date: Wednesday, August 22, 2001 Introduction: AVTronics InetServer is a freeware product suite for MS Windows, bundling such services as SMTP, POP3, Daytime and Telnet in 1 product. InetServer is available from: http://www.avtronics.net Problem(s): As so many products offering this, the optional webmail interface bundled with this product features some flaws which could severly degrade system security. Denial of Service If the port on which the webmail daemon listens receives a buffer of +/- 800 bytes or more the InetServer process will die. This could be (ab)used to execute a Denial of Service attack against the server. WWW-Authentication buffer overflows The second problem enjoys the same basis as the DoS, being the webmail interface, but poses a more severe threat to the system since the contents of the buffer is written straight onto and over eip. Typically, when a user intends to access his/her mailbox through the webmail interface, this is done through a url constructed as such: http://server:port/username Following a basic WWW-Authentication (where the Realm is 'username') the user is then taken into the specified mailbox. The problem lies in the handling of the information provided to the server by the browser during this WWW-Authentication. In certain cases, the username and password combined can compose a buffer to smash eip. For example: username: 140 byte username and password: 140 byte password will overflow the buffer. Eip is overwritten by the last 4 chars of the password buffer. The same goes for other combinations as say for example a 700 byte username and a 20 byte password. Since WWW-Authentication is triggered through any 'username' following the location of the webmail interface, no prior knowledge of existing usernames is necessary to successfully complete this attack. (..) Solution: Vendor has been notified. At the moment we are not aware of any forthcoming fixes. This was tested against InetServer 3.2.1 and 3.1.1 on Win2k. Earlier versions are expected to be vulnerable. yadayadayada Free sk8! (http://www.freesk8.org) SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) compliant, all information is provided on AS IS basis. EOF, but Strumpf Noir Society will return!
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:39:05 PDT