Unchecked buffer in PC-cillin

From: advisoriesat_private
Date: Tue Dec 10 2002 - 03:04:43 PST

    ----------------------------------------------------------------------------
    Texonet Security Advisory 20021210
    ----------------------------------------------------------------------------
    Advisory ID    : TEXONET-20021210
    Authors        : Joel Soderberg and Christer Oberg (advisoriesat_private)
    Issue date     : 12-10-2002
    Application    : PC-cillin (OfficeScan Corp. Edition 5.02)
    Version(s)     : 2000, 2002 and 2003
    Platforms      : Windows 98/ME/2000/XP
    Availability   : http://www.texonet.com/advisories/TEXONET-20021210.txt
    ----------------------------------------------------------------------------
    
    
    Problem:
    ----------------------------------------------------------------------------
    PC-cillin has an unchecked buffer in pop3trap.exe
    
    
    Description:
    ----------------------------------------------------------------------------
    PC-cillin comes with a mail scanning feature that scans all incoming mail
    for viruses. This is accomplished by connecting the mail client to a local
    service listening on port 110 (pop3). This service only listens for
    connections from the local machine and acts as a proxy. The program running
    this service is pop3trap.exe. Connecting to the local port 110 and sending
    a lot of characters will crash the program with a direct hit on the EIP,
    which makes it possible to run malicious code. The code will be run using
    the privileges of the user owning the pop3trap.exe process.
    
    Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110
    
    Example 2: http://127.0.0.1:110/[put 1100 a's here]
    
    
    
    Workaround:
    ----------------------------------------------------------------------------
    Download the appropriate Service Pack from:
    
    http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982
    
    
    Disclosure Timeline:
    ----------------------------------------------------------------------------
    11/14/2002: Vendor notified by e-mail
    11/15/2002: Standard support reply received from vendor
    11/15/2002: Requested contact information from vendor
    11/15/2002: Reply received from vendor with contact recommendations
    11/15/2002: Advisory sent in accordance with the vendor's recommendations
    11/21/2002: Vendor has verified the issue and is working on the solution
    12/10/2002: Issue released to the public
    
    
    About Texonet:
    ----------------------------------------------------------------------------
    Texonet is a Swedish-based security company with a focus on penetration
    testing / security assessments, research and development.
    
    
    Contacting Texonet:
    ----------------------------------------------------------------------------
    E-mail:    advisoriesat_private
    Homepage:  http://www.texonet.com/
    Phone:     +46-8-55174611
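
The advisory does not show pop3trap.exe's code, so the following is an added example, not Trend Micro's or Texonet's code: a bounded command-line reader of the kind a POP3 proxy needs so that an over-long line such as the 1100-byte one above is rejected instead of copied. The function name, status codes and buffer sizes are assumptions; the 255-octet limit is the maximum command length given in RFC 2449.

```c
#include <stddef.h>
#include <string.h>

/* RFC 2449: a POP3 command is at most 255 octets, CRLF included. */
#define POP3_MAX_LINE 255

enum line_status { LINE_OK, LINE_INCOMPLETE, LINE_TOO_LONG };

/*
 * Hypothetical helper: extract one CRLF-terminated command from the bytes
 * received so far (in[0..in_len)) into out, which holds out_size bytes.
 * On LINE_OK, out is NUL-terminated (CRLF stripped) and *consumed is the
 * number of input bytes used. Nothing is written to out otherwise.
 */
enum line_status pop3_read_line(const char *in, size_t in_len,
                                char *out, size_t out_size,
                                size_t *consumed)
{
    /* Never scan past the protocol limit, however much data arrived. */
    size_t limit = in_len < POP3_MAX_LINE ? in_len : POP3_MAX_LINE;

    *consumed = 0;
    for (size_t i = 0; i + 1 < limit; i++) {
        if (in[i] == '\r' && in[i + 1] == '\n') {
            /* i payload bytes plus the terminating NUL must fit in out. */
            if (i + 1 > out_size)
                return LINE_TOO_LONG;
            memcpy(out, in, i);
            out[i] = '\0';
            *consumed = i + 2;
            return LINE_OK;
        }
    }
    /*
     * No CRLF inside the limit. If the limit is already reached, the peer
     * is sending an over-long line: the caller should drop the connection
     * rather than keep buffering. Otherwise wait for more data.
     */
    return in_len >= POP3_MAX_LINE ? LINE_TOO_LONG : LINE_INCOMPLETE;
}
```

The length check happens before any copy, and the destination size is passed in explicitly, so neither the amount of data received nor a small caller buffer can cause a write past the end of out.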
    
    
    
    


