NetWin CWMail.exe Buffer Overflow

From: NGSSoftware Insight Security Research (nisrat_private)
Date: Wed Feb 13 2002 - 05:14:02 PST

    NGSSoftware Insight Security Research Advisory
    
    Name:    NetWin CWMail.exe Buffer Overflow
    Systems Affected:  IIS4 & IIS5
    Severity:  High
    Vendor URL:   http://www.netwinsite.com
    Author:   Mark Litchfield (markat_private)
    Date:   13th February 2002
    Advisory number: #NISR12022002
    
    
    Description
    ***********
    CWMail is a fully featured Corporate Web Mail System for institutions or
    ISPs using the web as their primary means of access to email.  CWMail is
    available for a wide variety of platforms and allows all email processing to
    be handled via a client web browser rather than from an email client
    package.
    
    Details
    *******
    CWMail.exe is the main executable that provides the program's functionality
    on Windows platforms.  It is typically located in either the 'cgi-bin' or
    'scripts' directory of an IIS server.  After a successful logon, selecting
    the forward (mail) option and filling the 'item=' parameter with a large
    string of characters overflows a buffer and overwrites the saved return
    address.  This causes an access violation and allows the remote execution
    of arbitrary code.
    
    Fix Information
    ***************
    NGSSoftware alerted NetWin to these problems on the 10th of February; NetWin
    responded extremely quickly with a patch. This patch has been available from
    the 12th of February, and can be downloaded from
    http://netwinsite.com/dmailweb/download2.htm
    
    We would like to point out that the fix turnaround time of 36 hours is the
    fastest that the members of the NISR team have encountered; we would
    like to commend NetWin for the speed of their response and
    their commitment to the security of their customers.
    
    A check for these issues has been added to Typhon II; more information
    is available from the NGSSoftware website,
    http://www.ngssoftware.com.
    
    Further Information
    *******************
    
    For further information about the scope and effects of buffer overflows,
    please see
    
    http://www.ngssoftware.com/papers/ntbufferoverflow.html
    http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
    http://www.ngssoftware.com/papers/unicodebo.pdf
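
For defenders reviewing IIS logs on hosts that ran an unpatched CWMail.exe, the following added example (not part of the NGSSoftware advisory or of NetWin's code) flags requests to cwmail.exe whose 'item=' value is unusually long. The length threshold, the log field order, the 'cmd=forward' parameter and the sample log lines are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl

# Assumption: legitimate item= values are short message identifiers, so
# anything longer than this is worth an analyst's attention.
MAX_ITEM_LEN = 64

# Assumed W3C extended field order for this sample; check the #Fields line
# of your own logs and adjust.
FIELDS = ("date", "time", "c_ip", "method", "uri_stem", "uri_query", "status")

# Constructed sample log lines, not taken from a real server.
SAMPLE_LOG = "\n".join([
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2002-02-13 09:01:11 192.0.2.10 GET /scripts/cwmail.exe cmd=forward&item=12 200",
    "2002-02-13 09:02:40 192.0.2.77 GET /cgi-bin/CWMail.exe cmd=forward&item="
    + "A" * 900 + " 500",
    "2002-02-13 09:03:02 192.0.2.10 GET /scripts/other.exe item=" + "B" * 900 + " 200",
])


def suspicious_requests(log_text, max_len=MAX_ITEM_LEN):
    """Return (client_ip, uri_stem, item_length) for oversized item= values."""
    hits = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue  # skip blank lines and W3C directive lines
        parts = line.split(" ")
        if len(parts) != len(FIELDS):
            continue  # field layout differs from the assumed one
        rec = dict(zip(FIELDS, parts))
        # IIS paths are case-insensitive; match cgi-bin and scripts alike.
        if not rec["uri_stem"].lower().endswith("/cwmail.exe"):
            continue
        # parse_qsl percent-decodes, so the length is that of the decoded value.
        for name, value in parse_qsl(rec["uri_query"], keep_blank_values=True):
            if name.lower() == "item" and len(value) > max_len:
                hits.append((rec["c_ip"], rec["uri_stem"], len(value)))
    return hits


if __name__ == "__main__":
    for ip, stem, length in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} sent item= of {length} bytes to {stem}")
```

IIS W3C logs record the query string but not POST bodies, so a request that carries 'item=' in a POST body will not be seen by this check.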
    


