Bugtraq mailing list archives
Alert: DMailWeb buffer overflow
From: CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)
Date: Thu, 4 May 2000 02:10:47 +0100
Cerberus Information Security Advisory (CISADV000504)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released: 4th May 2000
Name: Dmailweb Buffer Overflow
Affected Systems: *nix/Win32 Web Servers running
Issue: Attackers can remotely execute arbitrary code
Author: David Litchfield (mnemonix () globalnet co uk)

Description
***********
The Cerberus Security Team has found a remotely exploitable buffer overrun in Netwin's (http://netwinsite.com) DMailWeb (dmailweb/dmailweb.exe v2.5d), a CGI program designed to give access to a user's SMTP and POP3 server over the world wide web. By supplying a specially formed QUERY_STRING to the program, a buffer is overflowed, allowing execution of arbitrary code and compromising the web server.

Details
*******
The problem stems from an overly long "utoken" parameter. This overflow is simple to exploit by overwriting the saved return address with an address that contains a "jmp esp" or "call esp" - the remainder of the QUERY_STRING is pointed to by the ESP. Over 1400 bytes is available for exploit code.

Solution
********
Netwin has made a patch for this available from their FTP server: ftp://ftp.netwinsite.com/pub/dmailweb/beta/

Obtain the 2.5e version required for your system.

A check for this has been added to our security scanner, CIS. More details about CIS can be found on our web site: http://www.cerberus-infosec.co.uk/

Vendor Status
*************
Netwin were alerted to this on the 3rd May 2000. Cerberus would like to thank everyone involved for their prompt response.

About Cerberus Information Security, Ltd
*****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner), available for free from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally, they continually research operating system and popular service software vulnerabilities, leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole, ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 70 to date, making them a clear leader of companies offering such security services.

Founded in late 1999 by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serve customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0)208 395 4980.

Permission is hereby granted to copy or redistribute this advisory but only in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd
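The bug class described under Details, shown from the defensive side as an added example: a CGI parameter extractor that refuses an oversized "utoken" instead of copying it into a fixed buffer. This is not Netwin's code or part of the advisory; `get_param`, `UTOKEN_MAX` and the 64-byte limit are hypothetical, since the advisory does not give the real buffer size.

```c
/* Added illustration; not Netwin's source. Names and sizes are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define UTOKEN_MAX 64 /* assumed limit; the advisory does not give the real buffer size */

/* The bug class: strcpy(fixed_buf, value_from_QUERY_STRING) with no length check.
 * Hardened form: copy the value of `name` into out[outsz] only if it fits.
 * Returns 0 on success, -1 if absent, -2 if too long (reject, do not truncate). */
int get_param(const char *qs, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = qs;

    if (outsz == 0)
        return -2;
    out[0] = '\0';
    while (p != NULL && *p != '\0') {
        const char *end = strchr(p, '&');          /* parameters are '&'-separated */
        size_t seglen = end ? (size_t)(end - p) : strlen(p);

        if (seglen > nlen && strncmp(p, name, nlen) == 0 && p[nlen] == '=') {
            size_t vlen = seglen - nlen - 1;
            if (vlen >= outsz)
                return -2;                         /* would overflow: refuse the request */
            memcpy(out, p + nlen + 1, vlen);
            out[vlen] = '\0';
            return 0;
        }
        p = end ? end + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    char utoken[UTOKEN_MAX];
    const char *qs = getenv("QUERY_STRING");       /* CGI passes the query string here */
    int rc = get_param(qs ? qs : "", "utoken", utoken, sizeof utoken);

    if (rc == -2) {
        fputs("Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n"
              "utoken too long\n", stdout);
        return 0;
    }
    fputs("Content-Type: text/plain\r\n\r\n", stdout);
    puts(rc == 0 ? "utoken accepted" : "no utoken supplied");
    return 0;
}
```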