SecurityTracker.com
Category:   Application (E-mail Server)  >   QwikMail
Vendors:   qwikmail.sourceforge.net
QwikMail Format String Flaw Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1012016
SecurityTracker URL:  http://securitytracker.com/id/1012016
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Nov 1 2004
Impact:   Execution of arbitrary code via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 0.3
Description:   A format string vulnerability was reported in QwikMail. A remote user can execute arbitrary code.

Unl0ck Team reported that 'qwik-smtpd.c' passes user-supplied input to fprintf() as the format string, without supplying a format specifier and without validating the input. A remote user can connect to the target SMTP server and send specially crafted input to trigger the flaw and cause arbitrary code to be executed on the target system.
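
The class of bug described above, as an added example; it is not QwikMail's code and not taken from the advisory. The function names and the sample input are constructed for illustration: the hardened call keeps the format string constant, and a helper counts conversion specifiers in untrusted input so such lines can be flagged.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (shown only as a comment, never compiled):
 *     fprintf(fp, client_line);   client data is parsed as a format string
 */

/* Hardened form: constant format string, client data passed as an argument. */
int log_client_line(FILE *fp, const char *client_line)
{
    return fprintf(fp, "%s\n", client_line);
}

/* Count conversion specifiers in untrusted input; "%%" is a literal percent. */
size_t count_format_directives(const char *s)
{
    size_t n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* escaped percent, skip both */
        if (s[1] != '\0') n++;                /* '%' followed by a directive */
    }
    return n;
}

/* Write the line with the hardened logger, read it back, and report whether
 * the stored bytes equal the input (1 = verbatim, 0 = altered, -1 = I/O error). */
int logged_verbatim(const char *client_line)
{
    char buf[256];
    int ok = 0;
    FILE *fp = tmpfile();
    if (!fp) return -1;
    if (log_client_line(fp, client_line) >= 0) {
        rewind(fp);
        if (fgets(buf, sizeof buf, fp)) {
            buf[strcspn(buf, "\n")] = '\0';
            ok = strcmp(buf, client_line) == 0;
        }
    }
    fclose(fp);
    return ok;
}

int main(void)
{
    const char *sample = "HELO %x.%x.%s%n";   /* constructed sample input */
    printf("directives=%zu verbatim=%d\n",
           count_format_directives(sample), logged_verbatim(sample));
    return 0;
}
```

Building with `-Wformat -Wformat-security` makes GCC and Clang warn on the commented-out pattern wherever a non-literal string is passed as the format argument.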

The report credits Dark Eagle with discovering this flaw.

The original advisory is available at:

http://unl0ck.info/advisories/qwik-smtpd.txt

Impact:   A remote user can execute arbitrary code with the privileges of the target SMTP service.
Solution:   The vendor has issued a patch, available at:

http://qwikmail.sourceforge.net/smtpd/qwik-smtpd-0.3.patch

Vendor URL:  qwikmail.sourceforge.net/
Cause:   Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any)

Message History:   None.



Copyright 2019, SecurityGlobal.net LLC