SecurityTracker.com
Category:   Application (E-mail Server)  >   DMail
Vendors:   NetWin
NetWin DMail Bugs Let Remote Users Bypass Authentication and Potentially Execute
SecurityTracker Alert ID:  1013885
SecurityTracker URL:  http://securitytracker.com/id/1013885
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  May 4 2005
Impact:   Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, User access via network
Vendor Confirmed:  Yes  
Version(s): 3.1a NT
Description:   Tan Chew Keong of SIG^2 Vulnerability Research reported a vulnerability in NetWin DMail. A remote user can view log files, shut down the mailing list service, and potentially execute arbitrary code.

A remote user can bypass the authentication process to access the mailing list server (dlist.exe). A remote user can view log files or shut down the service.

A remote user can send specially crafted administration commands to 'dsmtp.exe' to trigger a format string flaw and potentially execute arbitrary code.

The vendor was notified on March 30, 2005.

The original advisory is available at:

http://www.security.org.sg/vuln/dmail31a.html

Impact:   A remote user can view mailing list log files.

A remote user can shut down the mailing list service.

A remote user may be able to execute arbitrary code on the target system.

Solution:   No solution was available at the time of this entry.
Vendor URL:  netwinsite.com/
Cause:   Authentication error, Input validation error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  [SIG^2 G-TEC] NetWin DMail Server Two Vulnerabilities


SIG^2 Vulnerability Research Advisory

NetWin DMail Server Two Vulnerabilities

by Tan Chew Keong
Release Date: 03 May 2005


ADVISORY URL
http://www.security.org.sg/vuln/dmail31a.html


SUMMARY

NetWin DMail (http://netwinsite.com/dmail_first.htm) is an easy to 
install, high performance, reliable and scalable mail server. It can 
either be used as a small personal mail server or as a 10 Million user 
ISP mail system. Flexible authentication modules allow you to plug DMail 
into any existing user database. It includes many spam prevention 
mechanisms and the ability to run any of several virus checking packages 
of your choice.

An authentication bypass vulnerability was found in DMail's mailing list 
server (dlist.exe). This vulnerability may be remotely exploited to view 
logs generated by the mailing list server (dlist.exe) or to shut it 
down. The second is a format string vulnerability that exists in the 
admin commands of dsmtp.exe.


TESTED SYSTEM

DMail Version 3.1a NT (dm31b_win32.exe) on English Win2K SP4.


DETAILS

The NetWin DMail server package consists of the SMTP server (dsmtp.exe), 
the POP server (dpop.exe), the mailing list server (dlist.exe), and the 
GUI management tool (dmadmin.exe). The GUI management tool (dmadmin.exe) 
allows the administrator to manage the three servers and to retrieve 
live logs from them. dmadmin.exe sends admin commands to each of these 
three servers via their respective listening ports. dmadmin.exe must 
authenticate to these servers using an admin password (or password hash) 
when sending the admin commands.

This advisory documents two vulnerabilities found in NetWin DMail server. 
The first is an authentication bypass vulnerability that was found in 
DMail's mailing list server (dlist.exe). This vulnerability may be 
remotely exploited by an attacker to view logs generated by the mailing 
list server (dlist.exe) or to shut it down without the need to know the 
admin password. The second is a format string vulnerability that exists 
in the admin commands of dsmtp.exe.


WORKAROUNDS

1) Block port 7111 with your firewall.
2) Set a strong admin password.


DISCLOSURE TIMELINE

17 Mar 05 - Vulnerability Discovered.
30 Mar 05 - Initial Vendor Notification (no reply).
05 Apr 05 - Second Vendor Notification.
05 Apr 05 - Initial Vendor Reply.
06 Apr 05 - Second Vendor Reply (will be uploading new versions this week).
22 Apr 05 - Status Check (no reply).
01 May 05 - Status Check (no reply).
03 May 05 - Public Release.


GREETINGS

All guys at SIG^2 G-TEC Lab
http://www.security.org.sg/webdocs/g-tec.html

"IT Security...the Gathering. By enthusiasts for enthusiasts."
 
 



Copyright 2019, SecurityGlobal.net LLC