SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   IMail Server Vendors:   Ipswitch
(Vendor Issues Fix) Re: Ipswitch IMail Server Buffer Overflow in Web Messaging Daemon Lets Remote Users Execute Arbitrary Code and Gain System Level Access
SecurityTracker Alert ID:  1004928
SecurityTracker URL:  http://securitytracker.com/id/1004928
CVE Reference:   GENERIC-MAP-NOMATCH   (Links to External Site)
Date:  Aug 1 2002
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 7.11 HF1 and prior versions
Description:   A buffer overflow vulnerability was reported in Ipswitch's IMail Server. A remote user can execute arbitrary code on the server with System level privileges.

The buffer overflow is reported in the Web Messaging daemon in the GET parameter using the HTTP/1.0 specification. The vulnerability is apparently not present when using the HTTP/0.9 and HTTP/1.1 specifications.

A remote user can send a GET request with the following contents to trigger the flaw:

<96 bytes><EBP><EIP>

According to the report, several code redirections are required to get the ESP register to point to the arbitrary code in the payload. A demonstration exploit is provided in the Source Message.

[Editor's note: The vendor has been unable to confirm this vulnerability and believes that the exploit is suspect and the patch may open up a hole. The author of the original report has reiterated that the vulnerability is real. See the Message History for more details.]

Impact:   A remote user can execute arbitrary code with System level privileges.
Solution:   The vendor has issued a fixed version (7.12), available at:

http://ipswitch.com/Support/IMail/patch-upgrades.html

The release notes are available at:

http://support.ipswitch.com/kb/IM-20020731-DM02.htm

Vendor URL:  www.ipswitch.com/products/IMail_Server/index.html (Links to External Site)
Cause:   Boundary error
Underlying OS:  Windows (NT), Windows (2000), Windows (XP)

Message History:   This archive entry is a follow-up to the message listed below.
Jul 26 2002 Ipswitch IMail Server Buffer Overflow in Web Messaging Daemon Lets Remote Users Execute Arbitrary Code and Gain System Level Access



 Source Message Contents

Subject:  Re: IPSwitch IMail ADVISORY/EXPLOIT/PATCH


Today Ipswitch released IMail Version 7.12 which solve the buffer
overflow bug in the Web Messaging Daemon.

IMail Version 7.12 Relase Notes:
http://support.ipswitch.com/kb/IM-20020731-DM02.htm

Download:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail712.exe

-- 
Tom Fischer                              Tom.Fischer@rus.uni-stuttgart.de
RUS-CERT University of Stuttgart       Tel:+49 711 685-8076 / -5898 (fax)
Allmandring 30, D-70550 Stuttgart           http://cert.uni-stuttgart.de/

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC