Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

def-2001-29

From: andreas junestam <andreas.junestam () defcom com>
Date: Fri, 12 Oct 2001 13:04:16 +0200
======================================================================
                  Defcom Labs Advisory def-2001-29

         Ipswitch Web Calendaring 7.04 Buffer Overflow

Author: Andreas Junestam <andreas () defcom com>
Release Date: 2001-10-12
======================================================================
------------------------=[Brief Description]=-------------------------
When sending a request to the Web Calender (port 8484) longer than 97
bytes, a overflow will occur and EIP will be overwritten. 

------------------------=[Affected Systems]=--------------------------
- Ipswitch Web Calendaring 7.04 and possibly earlier versions

----------------------=[Detailed Description]=------------------------
Sending a request like:
GET /'A' x 96 HTTP/1.0

Generates:
Access violation - code c0000005 (first chance)
eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e
edi=00000000 eip=61616161 esp=016f99fc ebp=61616161
61616161 ??               ???

This leaves us with the possibility to run code as SYSTEM. Mind though,
the server does a ToLower on the buffer BEFORE the overflow occours,
limiting the number of instructions we can use.
 
---------------------------=[Workaround]=-----------------------------

Download the new version from:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendors attention on the 1st of
October, 2001. Patch is released.

======================================================================
            This release was brought to you by Defcom Labs

        http://labs.defcom.com             http://www.defcom.com
======================================================================
Previous By Date Next
Previous By Thread Next

Current thread: