SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Calendar)  >   IMail Server Vendors:   Ipswitch
Ipswitch's IMail Server's Web Calendaring Function Has Buffer Overflow That Lets Remote Users Execute Arbitrary Code with System Level Privileges
SecurityTracker Alert ID:  1002540
SecurityTracker URL:  http://securitytracker.com/id/1002540
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Oct 12 2001
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  Exploit Included:  Yes  
Version(s): IMail Server 7.04 Web Calendaring Function; possibly earlier versions
Description:   Defcom Labs warned of a buffer overflow vulnerability in Ipswitch's IMail Server's Web Calendaring function. A remote user can execute arbitrary code with System level privileges.

A remote user can send a request to the Web Calendar function that is longer than 97 bytes to trigger a buffer overflow, overwrite the EIP, and execute arbitrary code. The code will run with System level privileges

An HTTP request such as the following will cause a buffer overflow with EIP rewritten to 61616161:

GET /'A' x 96 HTTP/1.0

It is reported that the server performs a 'ToLower' on the buffer before the overflow occurs, so the number of instructions that can be supplied is limited.

Impact:   A remote user can execute arbitrary code on the server with System level privileges.
Solution:   A new version is reportedly available at:

ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

Vendor URL:  www.ipswitch.com/products/IMail_Server/web_calendaring.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000)

Message History:   None.


 Source Message Contents

Subject:  def-2001-29


======================================================================
                  Defcom Labs Advisory def-2001-29

         Ipswitch Web Calendaring 7.04 Buffer Overflow

Author: Andreas Junestam <andreas@defcom.com>
Release Date: 2001-10-12
======================================================================
------------------------=[Brief Description]=-------------------------
When sending a request to the Web Calender (port 8484) longer than 97
bytes, a overflow will occur and EIP will be overwritten. 

------------------------=[Affected Systems]=--------------------------
- Ipswitch Web Calendaring 7.04 and possibly earlier versions

----------------------=[Detailed Description]=------------------------
Sending a request like:
GET /'A' x 96 HTTP/1.0

Generates:
Access violation - code c0000005 (first chance)
eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e
edi=00000000 eip=61616161 esp=016f99fc ebp=61616161
61616161 ??               ???

This leaves us with the possibility to run code as SYSTEM. Mind though,
the server does a ToLower on the buffer BEFORE the overflow occours,
limiting the number of instructions we can use.
 
---------------------------=[Workaround]=-----------------------------

Download the new version from:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendors attention on the 1st of
October, 2001. Patch is released.

======================================================================
            This release was brought to you by Defcom Labs

        http://labs.defcom.com             http://www.defcom.com
======================================================================

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC