what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

surgemailz.txt

surgemailz.txt
Posted Feb 25, 2008
Authored by Luigi Auriemma | Site aluigi.org

SurgeMail Mail Server version 38k4 and below and beta 39a along with Netwin's Webmail versions 3.1s and below are all susceptible to format string and buffer overflow vulnerabilities.

tags | advisory, overflow, vulnerability
SHA-256 | e952fa697baa5cd7cf0a4446ed1145fc6c1002df334d007bd01ff29eac866b6d

surgemailz.txt

Change Mirror Download

#######################################################################

Luigi Auriemma

Application: SurgeMail Mail Server
http://netwinsite.com/surgemail/
Netwin's WebMail
http://netwinsite.com/webmail/
Versions: SurgeMail <= 38k4 and beta 39a
Netwin's WebMail <= 3.1s (only bug A)
Platforms: Windows, Linux, FreeBSD, MacOSX and Solaris
Bugs: A] format string in webmail.exe's page command
B] buffer-overflow in the building of environment strings
Exploitation: remote
Date: 25 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


SurgeMail is a well known commercial multiplatform mail server which
supports many protocols.


#######################################################################

=======
2) Bugs
=======

----------------------------------------------
A] format string in webmail.exe's page command
----------------------------------------------

The CGI used for the handling of the webmail interface (webmail.exe) is
affected by a format string vulnerability in the function which builds
the error message when a wrong page is requested and passes it directly
to lvprintf without the needed format argument:

"TPL: Failed to Locate Template {c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}"

Sample URL for exploiting the vulnerability:

http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s


---------------------------------------------------------
B] buffer-overflow in the building of environment strings
---------------------------------------------------------

A buffer overflow vulnerability is located in the function which
handles the real CGI executables (which must be not confused with the
.cgi virtual files like user.cgi, admin.cgi and so on).
When the server receives a HTTP request for a real CGI (like for
example webmail.exe) it uses a buffer of about 20000 bytes for storing
all the environment strings which will be passed to the called program.
The HTTP fields passed by the client in his request are truncated at
200 bytes for the parameter and 800 for its value and are added as
environment variables (HTTP_parameter=value).
The lack of checks on the size of this environment buffer leads to a
buffer-overflow, anyway although is possible to control some registers
code execution is not certain.

Naturally both the surgemail and the swatch (port 7027) processes are
affected by this vulnerability.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/surgemailz.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


---
Luigi Auriemma
http://aluigi.org
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    0 Files
  • 5
    Mar 5th
    0 Files
  • 6
    Mar 6th
    0 Files
  • 7
    Mar 7th
    0 Files
  • 8
    Mar 8th
    0 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    0 Files
  • 12
    Mar 12th
    0 Files
  • 13
    Mar 13th
    0 Files
  • 14
    Mar 14th
    0 Files
  • 15
    Mar 15th
    0 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    0 Files
  • 19
    Mar 19th
    0 Files
  • 20
    Mar 20th
    0 Files
  • 21
    Mar 21st
    0 Files
  • 22
    Mar 22nd
    0 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    0 Files
  • 26
    Mar 26th
    0 Files
  • 27
    Mar 27th
    0 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close