[22372] in bugtraq
AVTronics InetServer DoS and BoF Vulnerabilities
daemon@ATHENA.MIT.EDU (SNS Research)
Wed Aug 22 13:40:03 2001
Date: Wed, 22 Aug 2001 19:05:45 +0200
From: SNS Research <vuln-dev@greyhack.com>
Reply-To: SNS Research <vuln-dev@greyhack.com>
Message-ID: <711686494.20010822190545@greyhack.com>
To: bugtraq <bugtraq@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Strumpf Noir Society Advisories
! Public release !
<--#
-= AVTronics InetServer DoS and BoF Vulnerabilities =-
Release date: Wednesday, August 22, 2001
Introduction:
AVTronics InetServer is a freeware product suite for MS Windows,
bundling such services as SMTP, POP3, Daytime and Telnet in 1 product.
InetServer is available from: http://www.avtronics.net
Problem(s):
As so many products offering this, the optional webmail interface
bundled with this product features some flaws which could severly
degrade system security.
Denial of Service
If the port on which the webmail daemon listens receives a buffer of
+/- 800 bytes or more the InetServer process will die. This could be
(ab)used to execute a Denial of Service attack against the server.
WWW-Authentication buffer overflows
The second problem enjoys the same basis as the DoS, being the webmail
interface, but poses a more severe threat to the system since the
contents of the buffer is written straight onto and over eip.
Typically, when a user intends to access his/her mailbox through the
webmail interface, this is done through a url constructed as such:
http://server:port/username
Following a basic WWW-Authentication (where the Realm is 'username')
the user is then taken into the specified mailbox. The problem lies
in the handling of the information provided to the server by the
browser during this WWW-Authentication. In certain cases, the username
and password combined can compose a buffer to smash eip.
For example:
username: 140 byte username and
password: 140 byte password
will overflow the buffer. Eip is overwritten by the last 4 chars of the
password buffer. The same goes for other combinations as say for example
a 700 byte username and a 20 byte password.
Since WWW-Authentication is triggered through any 'username' following
the location of the webmail interface, no prior knowledge of existing
usernames is necessary to successfully complete this attack.
(..)
Solution:
Vendor has been notified. At the moment we are not aware of any
forthcoming fixes.
This was tested against InetServer 3.2.1 and 3.1.1 on Win2k. Earlier
versions are expected to be vulnerable.
yadayadayada
Free sk8! (http://www.freesk8.org)
SNS Research is rfpolicy (http://www.wiretrip.net/rfp/policy.html)
compliant, all information is provided on AS IS basis.
EOF, but Strumpf Noir Society will return!
