AVTronics InetServer DoS and BoF Vulnerabilities

From: SNS Research (vuln-devat_private)
Date: Wed Aug 22 2001 - 10:05:45 PDT


    Strumpf Noir Society Advisories
    ! Public release !
    <--#
    
    
    -= AVTronics InetServer DoS and BoF Vulnerabilities =-
    
    Release date: Wednesday, August 22, 2001
    
    
    Introduction:
    
    AVTronics InetServer is a freeware product suite for MS Windows,
    bundling such services as SMTP, POP3, Daytime and Telnet in one product.
    
    InetServer is available from: http://www.avtronics.net
    
    
    Problem(s):
    
    Like so many products offering this, the optional webmail interface
    bundled with this product has some flaws which could severely
    degrade system security.
    
    Denial of Service
    
    If the port on which the webmail daemon listens receives a buffer of
    +/- 800 bytes or more the InetServer process will die. This could be 
    (ab)used to execute a Denial of Service attack against the server.
    
    WWW-Authentication buffer overflows
    
    The second problem shares the same basis as the DoS, being the webmail
    interface, but poses a more severe threat to the system since the
    contents of the buffer are written straight onto and over eip.
    
    Typically, when a user intends to access his/her mailbox through the
    webmail interface, this is done through a URL of the following form:
    
    http://server:port/username
    
    Following a basic WWW-Authentication (where the Realm is 'username')
    the user is then taken into the specified mailbox. The problem lies
    in the handling of the information provided to the server by the 
    browser during this WWW-Authentication. In certain cases, the username 
    and password combined can compose a buffer to smash eip. 
    
    For example:
    
    username: 140 byte username and 
    password: 140 byte password
    
    will overflow the buffer. Eip is overwritten by the last 4 chars of the
    password buffer. The same goes for other combinations as say for example
    a 700 byte username and a 20 byte password.
    
    Since WWW-Authentication is triggered through any 'username' following
    the location of the webmail interface, no prior knowledge of existing
    usernames is necessary to successfully complete this attack.
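    A defender-side check for both conditions described above (a request of roughly 800 bytes or more reaching the webmail port, and Basic-auth credentials long enough to overflow), as an added example that is not part of the original advisory or the vendor's code. It assumes a reverse proxy or log-replay harness that hands it the raw request bytes; the 280-byte combined credential limit is an assumption taken from the smallest overflowing combination the advisory reports.

```python
import base64
import binascii
import re

# Thresholds derived from the advisory: roughly 800 bytes sent to the webmail
# port kills the InetServer process, and a 140-byte username combined with a
# 140-byte password overwrites EIP. Treating 280 combined bytes as the limit is
# an assumption based on the smallest combination the advisory reports.
REQUEST_SIZE_LIMIT = 800
CREDENTIAL_LIMIT = 280

AUTH_RE = re.compile(rb"^Authorization:\s*Basic\s+(\S+)\s*$", re.I | re.M)


def basic_credentials(raw_request: bytes):
    """Return (username, password) from the Basic auth header, or None if absent."""
    # Raises ValueError when the header is present but the token is unusable.
    m = AUTH_RE.search(raw_request)
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1), validate=True)
    except binascii.Error as exc:
        raise ValueError("bad base64 in Authorization header") from exc
    user, sep, pwd = decoded.partition(b":")
    if not sep:
        raise ValueError("no ':' separator in decoded credentials")
    return user, pwd


def classify_request(raw_request: bytes) -> list:
    """Return the findings for one request to the webmail port."""
    findings = []
    if len(raw_request) >= REQUEST_SIZE_LIMIT:
        findings.append("oversized-request")        # DoS condition
    try:
        creds = basic_credentials(raw_request)
    except ValueError:
        findings.append("malformed-authorization")
        return findings
    if creds is not None and len(creds[0]) + len(creds[1]) >= CREDENTIAL_LIMIT:
        findings.append("oversized-credentials")    # EIP overwrite condition
    return findings


def build_request(user: bytes, pwd: bytes, path: bytes = b"/alice") -> bytes:
    """Constructed sample request in the http://server:port/username form."""
    token = base64.b64encode(user + b":" + pwd)
    return (b"GET " + path + b" HTTP/1.0\r\n"
            b"Host: webmail.example.test\r\n"
            b"Authorization: Basic " + token + b"\r\n\r\n")
```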
    
    
    (..)
    
    
    Solution:
    
    Vendor has been notified. At the moment we are not aware of any 
    forthcoming fixes.
    
    This was tested against InetServer 3.2.1 and 3.1.1 on Win2k. Earlier
    versions are expected to be vulnerable.
    
    
    yadayadayada
    
    Free sk8! (http://www.freesk8.org)
    
    SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
    compliant; all information is provided on an AS IS basis.
    
    EOF, but Strumpf Noir Society will return!
    



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:39:05 PDT