


Category:   Application (Calendar)  >   IMail Server
Vendors:   Ipswitch
Ipswitch's IMail Server's Web Calendaring Function Has Buffer Overflow That Lets Remote Users Execute Arbitrary Code with System Level Privileges
SecurityTracker Alert ID:  1002540
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Oct 12 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): IMail Server 7.04 Web Calendaring Function; possibly earlier versions
Description:   Defcom Labs warned of a buffer overflow vulnerability in Ipswitch's IMail Server's Web Calendaring function. A remote user can execute arbitrary code with System level privileges.

A remote user can send a request to the Web Calendar function that is longer than 97 bytes to trigger a buffer overflow, overwrite the EIP, and execute arbitrary code. The code will run with System level privileges.

An HTTP request such as the following will cause a buffer overflow with EIP rewritten to 61616161:

GET /'A' x 96 HTTP/1.0

It is reported that the server performs a 'ToLower' on the buffer before the overflow occurs, so the number of instructions that can be supplied is limited.
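
A length-checked form of the request handling described above, as an added example (not Ipswitch's or Defcom's code, and not the vendor's fix): the path is measured before it is lower-cased into a fixed buffer, and an overlong path is refused without writing a byte. The function names, the 64-byte buffer size and the status values are assumptions for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

#define PATH_BUF 64  /* assumed size; the advisory does not give the real one */

enum parse_status { REQ_OK = 0, REQ_BAD = 400, REQ_URI_TOO_LONG = 414 };

/* Parse "GET <path> HTTP/x.y" from req (req_len bytes) and copy the
 * lower-cased path into out (out_size bytes, NUL-terminated on REQ_OK).
 * The length is checked BEFORE the lower-casing copy touches out. */
enum parse_status parse_request_line(const char *req, size_t req_len,
                                     char *out, size_t out_size)
{
    static const char method[] = "GET ";
    const size_t mlen = sizeof(method) - 1;

    if (req == NULL || out == NULL || out_size == 0)
        return REQ_BAD;
    if (req_len <= mlen || memcmp(req, method, mlen) != 0)
        return REQ_BAD;

    const char *path = req + mlen;
    const char *end = memchr(path, ' ', req_len - mlen);
    if (end == NULL || path[0] != '/')
        return REQ_BAD;

    size_t path_len = (size_t)(end - path);
    if (path_len >= out_size)            /* keep room for the terminator */
        return REQ_URI_TOO_LONG;

    for (size_t i = 0; i < path_len; i++)
        out[i] = (char)tolower((unsigned char)path[i]);
    out[path_len] = '\0';
    return REQ_OK;
}

/* Constructed sample input: status for a request whose path is n bytes long
 * ('/' followed by n-1 'A' characters), 1 <= n <= 200. */
int status_for_path_len(size_t n)
{
    char req[256], out[PATH_BUF];
    if (n < 1 || n > 200) return -1;
    memcpy(req, "GET /", 5);
    memset(req + 5, 'A', n - 1);
    memcpy(req + 4 + n, " HTTP/1.0", 9);
    return parse_request_line(req, 4 + n + 9, out, sizeof out);
}
```
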

Impact:   A remote user can execute arbitrary code on the server with System level privileges.
Solution:   A new version is reportedly available at:

Vendor URL:
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.

 Source Message Contents

Subject:  def-2001-29

                  Defcom Labs Advisory def-2001-29

         Ipswitch Web Calendaring 7.04 Buffer Overflow

Author: Andreas Junestam <>
Release Date: 2001-10-12
------------------------=[Brief Description]=-------------------------
When sending a request to the Web Calendar (port 8484) longer than 97
bytes, an overflow will occur and EIP will be overwritten. 

------------------------=[Affected Systems]=--------------------------
- Ipswitch Web Calendaring 7.04 and possibly earlier versions

----------------------=[Detailed Description]=------------------------
Sending a request like:
GET /'A' x 96 HTTP/1.0

Access violation - code c0000005 (first chance)
eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e
edi=00000000 eip=61616161 esp=016f99fc ebp=61616161
61616161 ??               ???

This leaves us with the possibility to run code as SYSTEM. Mind though,
the server does a ToLower on the buffer BEFORE the overflow occurs,
limiting the number of instructions we can use.

Download the new version from:

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 1st of
October, 2001. Patch is released.

            This release was brought to you by Defcom Labs   

