NetWin DMail Bugs Let Remote Users Bypass Authentication and Potentially Execute
SecurityTracker Alert ID: 1013885
SecurityTracker URL: http://securitytracker.com/id/1013885
Date: May 4 2005
Denial of service via network, Disclosure of system information, Execution of arbitrary code via network, User access via network
Vendor Confirmed: Yes
Version(s): 3.1a NT
Tan Chew Keong of SIG^2 Vulnerability Research reported a vulnerability in NetWin DMail. A remote user can view log files, shut down the mailing list service, and potentially execute arbitrary code.
A remote user can bypass the authentication process to access the mailing list server (dlist.exe). A remote user can view log files or shut down the service.
A remote user can send specially crafted administration commands to 'dsmtp.exe' to trigger a format string flaw and potentially execute arbitrary code.
The vendor was notified on March 30, 2005.
The original advisory is available at:
A remote user can view mailing list log files.
A remote user can shut down the mailing list service.
A remote user may be able to execute arbitrary code on the target system.
No solution was available at the time of this entry.
Vendor URL: netwinsite.com/
Authentication error, Input validation error, State error
Underlying OS: Windows (Any)
Source Message Contents
Subject: [SIG^2 G-TEC] NetWin DMail Server Two Vulnerabilities
SIG^2 Vulnerability Research Advisory
NetWin DMail Server Two Vulnerabilities
by Tan Chew Keong
Release Date: 03 May 2005
NetWin DMail (http://netwinsite.com/dmail_first.htm) is an easy to
install, high performance, reliable and scalable mail server. It can
either be used as a small personal mail server or as a 10 Million user
ISP mail system. Flexible authentication modules allow you to plug DMail
into any existing user database. It includes many spam prevention
mechanisms and the ability to run any of several virus checking packages
of your choice.
An authentication bypass vulnerability was found in DMail's mailing list
server (dlist.exe). This vulnerability may be remotely exploited to view
logs generated by the mailing list server (dlist.exe) or to shut it
down. The second is a format string vulnerability that exists in the
admin commands of dsmtp.exe.
DMail Version 3.1a NT (dm31b_win32.exe) on English Win2K SP4.
The NetWin DMail server package consists of the SMTP server (dsmtp.exe),
the POP server (dpop.exe), the mailing list server (dlist.exe), and the
GUI management tool (dmadmin.exe). The GUI management tool (dmadmin.exe)
allows the administrator to manage the three servers and to retrieve
live logs from them. dmadmin.exe sends admin commands to each of these
three servers via their respective listening ports. dmadmin.exe must
authenticate to these servers using an admin password (or password hash)
when sending the admin commands.
This advisory documents two vulnerabilities found in NetWin DMail server.
The first is an authentication bypass vulnerability that was found in
DMail's mailing list server (dlist.exe). This vulnerability may be
remotely exploited by an attacker to view logs generated by the mailing
list server (dlist.exe) or to shut it down without the need to know the
admin password. The second is a format string vulnerability that exists
in the admin commands of dsmtp.exe.
1) Block port 7111 with your firewall.
2) Set a strong admin password.
17 Mar 05 - Vulnerability Discovered.
30 Mar 05 - Initial Vendor Notification (no reply).
05 Apr 05 - Second Vendor Notification.
05 Apr 05 - Initial Vendor Reply.
06 Apr 05 - Second Vendor Reply (will be uploading new versions this week).
22 Apr 05 - Status Check (no reply).
01 May 05 - Status Check (no reply).
03 May 05 - Public Release.
All guys at SIG^2 G-TEC Lab
"IT Security...the Gathering. By enthusiasts for enthusiasts."