[28145] in bugtraq
Unchecked buffer in PC-cillin
daemon@ATHENA.MIT.EDU (advisories@texonet.com)
Tue Dec 10 12:30:20 2002
From: advisories@texonet.com (advisories@texonet.com)
Message-ID: <007601c2a03b$f2a290d0$af00a8c0@fux0rlappy>
To: <bugtraq@securityfocus.com>
Date: Tue, 10 Dec 2002 12:04:43 +0100
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_006F_01C2A044.5313C4E0"
------=_NextPart_000_006F_01C2A044.5313C4E0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
----------------------------------------------------------------------------
-
Texonet Security Advisory 20021210
----------------------------------------------------------------------------
-
Advisory ID : TEXONET-20021210
Authors : Joel Soderberg and Christer Oberg (advisories@texonet.com)
Issue date : 12-10-2002
Application : PC-cillin (OfficeScan Corp. Edition 5.02)
Version(s) : 2000, 2002 and 2003
Platforms : Windows 98/ME/2000/XP
Availability : http://www.texonet.com/advisories/TEXONET-20021210.txt
----------------------------------------------------------------------------
-
Problem:
----------------------------------------------------------------------------
-
PC-cillin has an unchecked buffer in pop3trap.exe
Description:
----------------------------------------------------------------------------
-
PC-cillin comes with a mail scanning feature that scans all incoming mail
for
viruses, this is accomplished by connecting the mail client to a local
service
listening on port 110 (pop3). This service is only listening for connections
from the local machine and acts as a proxy. The program running this service
is pop3trap.exe. Connecting to the local port 110 and sending a lot of
characters will crash the program with a direct hit on the EIP, this makes
it
possible to run malicious code. The code will be run using the privileges of
the user owning the pop3trap.exe process.
Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110
Example 2: http://127.0.0.1:110/[put 1100 a's here]
Workaround:
----------------------------------------------------------------------------
-
Download the appropriate Service Pack from:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982
Disclosure Timeline:
----------------------------------------------------------------------------
-
11/14/2002: Vendor notified by e-mail
11/15/2002: Standard support reply received from vendor
11/15/2002: Requested contact information from vendor
11/15/2002: Reply received from vendor with contact recommendations
11/15/2002: Advisory sent in accordance to vendors recommendations
11/21/2002: Vendor has verified the issue and is working on the solution
12/10/2002: Issue released to the public
About Texonet:
----------------------------------------------------------------------------
-
Texonet is a Swedish based security company with a focus on penetration
testing / security assessments, research and development.
Contacting Texonet:
----------------------------------------------------------------------------
-
E-mail: advisories@texonet.com
Homepage: http://www.texonet.com/
Phone: +46-8-55174611
------=_NextPart_000_006F_01C2A044.5313C4E0
Content-Type: text/plain;
name="TEXONET-20021210.txt"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="TEXONET-20021210.txt"
-------------------------------------------------------------------------=
----
Texonet Security Advisory 20021210
-------------------------------------------------------------------------=
----
Advisory ID : TEXONET-20021210=20
Authors : Joel Soderberg and Christer Oberg =
(advisories@texonet.com)
Issue date : 12-10-2002
Application : PC-cillin (OfficeScan Corp. Edition 5.02)
Version(s) : 2000, 2002 and 2003
Platforms : Windows 98/ME/2000/XP
Availability : http://www.texonet.com/advisories/TEXONET-20021210.txt
-------------------------------------------------------------------------=
----
Problem:
-------------------------------------------------------------------------=
----
PC-cillin has an unchecked buffer in pop3trap.exe
Description:
-------------------------------------------------------------------------=
----
PC-cillin comes with a mail scanning feature that scans all incoming =
mail for
viruses, this is accomplished by connecting the mail client to a local =
service
listening on port 110 (pop3). This service is only listening for =
connections
from the local machine and acts as a proxy. The program running this =
service=20
is pop3trap.exe. Connecting to the local port 110 and sending a lot of=20
characters will crash the program with a direct hit on the EIP, this =
makes it=20
possible to run malicious code. The code will be run using the =
privileges of=20
the user owning the pop3trap.exe process.
Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110
Example 2: http://127.0.0.1:110/[put 1100 a's here]
Workaround:
-------------------------------------------------------------------------=
----
Download the appropriate Service Pack from:
http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=3D12982
Disclosure Timeline:
-------------------------------------------------------------------------=
----
11/14/2002: Vendor notified by e-mail
11/15/2002: Standard support reply received from vendor
11/15/2002: Requested contact information from vendor
11/15/2002: Reply received from vendor with contact recommendations
11/15/2002: Advisory sent in accordance to vendors recommendations=20
11/21/2002: Vendor has verified the issue and is working on the solution
12/10/2002: Issue released to the public
About Texonet:
-------------------------------------------------------------------------=
----
Texonet is a Swedish based security company with a focus on penetration=20
testing / security assessments, research and development.
Contacting Texonet:
-------------------------------------------------------------------------=
----
E-mail: advisories@texonet.com
Homepage: http://www.texonet.com/
Phone: +46-8-55174611
------=_NextPart_000_006F_01C2A044.5313C4E0--
