SecurityTracker.com
Category:   Application (Web Server/CGI)  >   Inetserv Vendors:   A-V Tronics
A-V Tronic's Inetserv Web Mail Server Buffer Overflow Vulnerabilities Let Remote Users Crash the System or Execute Arbitrary Code with System Level Privileges
SecurityTracker Alert ID:  1002254
SecurityTracker URL:  http://securitytracker.com/id/1002254
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 25 2001
Impact:   Denial of service via network, Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): tested against InetServer 3.2.1 and 3.1.1 on Windows 2000; earlier versions may be vulnerable
Description:   Strumpf Noir Society reported two vulnerabilities in A-V Tronic's Inetserv server suite. Remote users can crash the server and can execute arbitrary code on the server.

If a remote user sends a buffer of approximately 800 bytes or more to the port on which the web mail daemon listens, the Inetserv process will crash (denial of service).

When a remote user requests a mailbox through the web mail interface (a URL of the form http://server:port/username), the server responds with an HTTP Basic authentication challenge (with 'username' as the realm). The username and password the client then supplies can together overrun a fixed-size buffer, so a remote user can send oversized authentication data to trigger a buffer overflow and potentially execute arbitrary code on the server with the privileges of the server process, which may include system level privileges. Because any 'username' in the URL triggers the challenge, no knowledge of valid account names is required. For example, the following data will trigger the vulnerability:

username: 140 byte username and
password: 140 byte password

It is reported that EIP (the saved return address) is overwritten by the last 4 characters of the password buffer. Other length combinations also trigger the overflow; the advisory gives a 700-byte username with a 20-byte password as another example.
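The following is an added example and is not code from the advisory or from A-V Tronics (InetServ's source is not public). It shows, in C, the bounded handling that would have prevented both findings above: a request-line reader that refuses the ~800-byte buffer instead of crashing, and a Basic-auth parser that rejects a decoded "user:pass" string before it can reach a fixed buffer, with the unbounded copy the advisory describes kept alongside for contrast. The buffer sizes (64-byte credentials, a 256-byte stack buffer in the unsafe form), the function names and the probe builder are assumptions chosen for illustration.

```c
/* Added example, not InetServ code (its source is not public): bounded handling
 * of the webmail request line and of HTTP Basic-auth credentials, beside the
 * unbounded copy the advisory describes. Buffer sizes, limits and function
 * names are assumptions chosen to illustrate the bug class. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_CRED 64   /* assumed cap on a decoded username or password */
static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* The pattern behind the advisory, kept for contrast and never called: the
 * decoded "user:pass" goes into a fixed stack buffer with no length check, so
 * 140 + 1 + 140 bytes run past it and over the saved return address (EIP). */
void unsafe_credential_copy(const char *decoded) {
    char creds[256];
    strcpy(creds, decoded);            /* unbounded copy: stack overflow */
    puts(creds);
}

/* Base64-encode n bytes of src into dst (4*ceil(n/3)+1 bytes). A server only
 * decodes; this exists so the probe the advisory describes can be built. */
void b64_encode(const unsigned char *src, size_t n, char *dst) {
    size_t o = 0;
    for (size_t i = 0; i < n; i += 3) {
        unsigned v = (unsigned)src[i] << 16;
        if (i + 1 < n) v |= (unsigned)src[i + 1] << 8;
        if (i + 2 < n) v |= src[i + 2];
        dst[o++] = B64[(v >> 18) & 63];
        dst[o++] = B64[(v >> 12) & 63];
        dst[o++] = i + 1 < n ? B64[(v >> 6) & 63] : '=';
        dst[o++] = i + 2 < n ? B64[v & 63] : '=';
    }
    dst[o] = '\0';
}

/* Decode base64 into dst; returns bytes written, or -1 on bad input or when the
 * output would exceed cap. Refusing oversize input before anything is copied
 * is exactly the check the vulnerable server lacks. */
int b64_decode(const char *src, unsigned char *dst, size_t cap) {
    size_t len = strlen(src), o = 0;
    unsigned v = 0, bits = 0;
    if (len % 4) return -1;
    for (size_t i = 0; i < len && src[i] != '='; i++) {
        const char *p = strchr(B64, src[i]);
        if (!p) return -1;
        v = (v << 6) | (unsigned)(p - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (o >= cap) return -1;
            dst[o++] = (unsigned char)((v >> bits) & 0xFF);
        }
    }
    return (int)o;
}

/* Parse an "Authorization: Basic <b64>" value into user/pass buffers of ulen/plen
 * bytes (NUL included). Returns 0 on success, -1 if the header is malformed or
 * either field would not fit; it never truncates silently. */
int parse_basic_auth(const char *value, char *user, size_t ulen,
                     char *pass, size_t plen) {
    unsigned char raw[2 * MAX_CRED + 2];       /* "user:pass" + NUL, worst case */
    if (strncmp(value, "Basic ", 6) != 0) return -1;
    int n = b64_decode(value + 6, raw, sizeof raw - 1);
    if (n < 0 || memchr(raw, '\0', (size_t)n)) return -1;   /* embedded NUL */
    raw[n] = '\0';
    char *colon = strchr((char *)raw, ':');
    if (!colon) return -1;
    size_t ul = (size_t)(colon - (char *)raw), pl = (size_t)n - ul - 1;
    if (ul >= ulen || pl >= plen) return -1;
    memcpy(user, raw, ul);       user[ul] = '\0';
    memcpy(pass, colon + 1, pl); pass[pl] = '\0';
    return 0;
}

/* Copy the first request line into line (cap bytes); a line at or over the cap
 * is refused, so an oversize request such as the advisory's ~800-byte buffer
 * draws an error reply instead of crashing the process. Returns length or -1. */
int read_request_line(const char *buf, size_t len, char *line, size_t cap) {
    const char *nl = memchr(buf, '\n', len);
    size_t n = nl ? (size_t)(nl - buf) : len;
    if (n > 0 && buf[n - 1] == '\r') n--;
    if (n >= cap) return -1;
    memcpy(line, buf, n);
    line[n] = '\0';
    return (int)n;
}

/* Build the header value the advisory describes: a ul-byte username of 'A' and a
 * pl-byte password of 'B' (constructed filler). Caller frees the result. */
char *build_probe_header(size_t ul, size_t pl) {
    size_t n = ul + 1 + pl;
    unsigned char *raw = malloc(n);
    char *hdr = malloc(6 + 4 * ((n + 2) / 3) + 1);
    if (!raw || !hdr) { free(raw); free(hdr); return NULL; }
    memset(raw, 'A', ul); raw[ul] = ':'; memset(raw + ul + 1, 'B', pl);
    memcpy(hdr, "Basic ", 6);
    b64_encode(raw, n, hdr + 6);
    free(raw);
    return hdr;
}
```

Calling parse_basic_auth on build_probe_header(140, 140) or build_probe_header(700, 20) returns -1 before a single byte reaches the credential buffers, while a normal "Basic YWxpY2U6czNjcmV0" (alice:s3cret) parses cleanly; that refusal, applied to the decoded length rather than to the base64 text, is the property to look for when auditing any service that unpacks Basic auth into fixed storage. build_probe_header produces the exact header value a tester would send to check whether a server is affected.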

Impact:   A remote user can cause the Inetserv processes to crash and can cause arbitrary code to be executed with the privileges of the web server, which may be system level privileges on some systems. The Inetserv processes may include SMTP, POP3, DAYTIME, FINGER, WHOIS, and telnet.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.avtronics.net/
Cause:   Boundary error
Underlying OS:   Windows (Me), Windows (NT), Windows (95), Windows (98), Windows (2000)

Message History:   None.


 Source Message Contents

Date:  Wed, 22 Aug 2001 19:05:45 +0200
Subject:  AVTronics InetServer DoS and BoF Vulnerabilities


Strumpf Noir Society Advisories
! Public release !
<--#


-= AVTronics InetServer DoS and BoF Vulnerabilities =-

Release date: Wednesday, August 22, 2001


Introduction:

AVTronics InetServer is a freeware product suite for MS Windows,
bundling such services as SMTP, POP3, Daytime and Telnet in 1 product.

InetServer is available from: http://www.avtronics.net


Problem(s):

As with so many products offering this, the optional webmail interface
bundled with this product features some flaws which could severely 
degrade system security.

Denial of Service

If the port on which the webmail daemon listens receives a buffer of
+/- 800 bytes or more the InetServer process will die. This could be 
(ab)used to execute a Denial of Service attack against the server.

WWW-Authentication buffer overflows

The second problem enjoys the same basis as the DoS, being the webmail
interface, but poses a more severe threat to the system since the 
contents of the buffer are written straight onto and over eip. 

Typically, when a user intends to access his/her mailbox through the
webmail interface, this is done through a url constructed as such:

http://server:port/username

Following a basic WWW-Authentication (where the Realm is 'username')
the user is then taken into the specified mailbox. The problem lies
in the handling of the information provided to the server by the 
browser during this WWW-Authentication. In certain cases, the username 
and password combined can compose a buffer to smash eip. 

For example:

username: 140 byte username and 
password: 140 byte password

will overflow the buffer. Eip is overwritten by the last 4 chars of the
password buffer. The same goes for other combinations as say for example
a 700 byte username and a 20 byte password.

Since WWW-Authentication is triggered through any 'username' following
the location of the webmail interface, no prior knowledge of existing
usernames is necessary to successfully complete this attack.


(..)


Solution:

Vendor has been notified. At the moment we are not aware of any 
forthcoming fixes.

This was tested against InetServer 3.2.1 and 3.1.1 on Win2k. Earlier
versions are expected to be vulnerable.


yadayadayada

Free sk8! (http://www.freesk8.org)

SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html) 
compliant, all information is provided on AS IS basis.

EOF, but Strumpf Noir Society will return!


Copyright 2013, SecurityGlobal.net LLC