[15051] in bugtraq


DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool

daemon@ATHENA.MIT.EDU (Security Team)
Thu May 25 15:18:33 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <6C740781F92BD411831F0090273A8AB806FD4A@exchange.servers.delphis.net>
Date:         Thu, 25 May 2000 17:40:13 +0100
Reply-To: Security Team <securityteam@DELPHISPLC.COM>
From: Security Team <securityteam@DELPHISPLC.COM>
X-To:         "win2ksecadvice@LISTSERV.NTSECURITY.NET"
              <win2ksecadvice@LISTSERV.NTSECURITY.NET>,
              "NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM"
              <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
              "BUGTRAQ@SECURITYFOCUS.COM" <BUGTRAQ@SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM

> ================================================================================
>                               Delphis Consulting Plc
> ================================================================================
>
>                            Security Team Advisories
>                                  [08/05/2000]
>
>
>                          securityteam@delphisplc.com
>
> ================================================================================
> Adv     : DST2K0003
> Title   : Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool
> Author  : DCIST (securityteam@delphisplc.com)
> O/S     : Microsoft Windows NT v4.0 Server (SP6)
> Product : NAI WebShield SMTP v4.5.44
> Date    : 08/05/2000
>
> I. Description
>
> II. Solution
>
> III. Disclaimer
> ================================================================================
>
>
> I. Description
> ================================================================================
>
> Delphis Consulting Internet Security Team (DCIST) discovered the following
> vulnerability in the NAI Management Agent for WebShield SMTP under Windows NT.
>
> Firstly, telnetting to a machine which runs the management agent on port 9999
> will allow you to gain the current configuration by executing the command
> below.
>
> GET_CONFIG<CR>
>
> Secondly, if you pass an oversized buffer of 208 bytes or more within one of
> the configuration parameters (there may be more) the service will crash,
> overwriting the stack and the EIP (208 + 4) with whatever was passed within
> the parameter.
>
> SET_CONFIG<CR>
> Quarantine_Path='Ax208'+ EIP
>
> This enables an attacker to execute arbitrary code on the host server,
> inheriting the permissions of the account which the service was running as.
>
>
> II. Solution
> ================================================================================
>
> Vendor Contacted: 8-May-2000
>
> Currently there is no vendor patch available, but the following are
> preventative measures Delphis Consulting Internet Security Team would advise
> users running this service to implement.
>
> o Don't allow the service to run as SYSTEM but as a restricted user account.
> o Access list port 9999 on the local router or firewall to restrict access
>   to only required machines.
> o Stop the management service.
>
>
> III. Disclaimer
> ================================================================================
> THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
> THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
> IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE
> PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
> CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
> PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
> ================================================================================
>
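As an added illustration, not code from the advisory or from NAI: a hardened handler for a SET_CONFIG parameter line, in C, that bounds the value copy the way the vulnerable agent evidently did not, so a 208-byte or longer value is rejected instead of running off the end of the stack buffer. The 208-byte buffer size, the `Name=Value<CR><LF>` line format and all function names are assumptions; the unsafe pattern appears only in a comment.

```c
#include <stdlib.h>
#include <string.h>

/* Assumption: each configuration value lives in a fixed 208-byte buffer,
 * the overflow threshold the advisory reports. */
#define CONFIG_VALUE_MAX 208
enum set_config_result { SET_OK = 0, SET_BAD_SYNTAX = 1, SET_TOO_LONG = 2 };

/* The unsafe pattern behind the advisory, shown for contrast and never called:
 *     char path[CONFIG_VALUE_MAX];
 *     strcpy(path, value);   // no length check: 208+ bytes run past the end */

/* Hardened handler: parse "Name=Value<CR><LF>" and copy Value into a bounded
 * buffer, refusing anything that would not fit together with its terminator. */
enum set_config_result set_config_param(const char *line, const char *expected_name,
                                        char *out, size_t out_len)
{
    const char *eq = strchr(line, '=');
    if (eq == NULL) return SET_BAD_SYNTAX;
    size_t name_len = (size_t)(eq - line);
    if (name_len != strlen(expected_name) || memcmp(line, expected_name, name_len) != 0)
        return SET_BAD_SYNTAX;
    const char *value = eq + 1;
    size_t value_len = strcspn(value, "\r\n");   /* value ends at the line break */
    if (value_len >= out_len) return SET_TOO_LONG; /* need room for the NUL */
    memcpy(out, value, value_len);
    out[value_len] = '\0';
    return SET_OK;
}

/* Apply one SET_CONFIG line to the (assumed) 208-byte Quarantine_Path buffer. */
int apply_quarantine_path(const char *line)
{
    char path[CONFIG_VALUE_MAX];
    return (int)set_config_param(line, "Quarantine_Path", path, sizeof path);
}

/* Constructed probe: result code for a Quarantine_Path value of n 'A' bytes. */
int result_for_value_len(size_t n)
{
    static const char prefix[] = "Quarantine_Path=";
    size_t plen = sizeof prefix - 1;
    char *line = malloc(plen + n + 3);
    if (line == NULL) return -1;
    memcpy(line, prefix, plen);
    memset(line + plen, 'A', n);
    memcpy(line + plen + n, "\r\n", 3);           /* copies the NUL too */
    int r = apply_quarantine_path(line);
    free(line);
    return r;
}
```

The 207/208 boundary in the probe mirrors the advisory's threshold: 207 bytes plus the terminator fill the buffer exactly, 208 bytes would spill one byte past it.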
