From CST@CERBERUS-INFOSEC.CO.UK Mon Jul 10 02:36:22 2000 From: Cerberus Security Team To: BUGTRAQ@SECURITYFOCUS.COM Date: Wed, 17 May 2000 15:33:20 +0100 Subject: Alert: Buffer overflow in Rockliffe's MailSite [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] Cerberus Information Security Advisory (CISADV000524a) http://www.cerberus-infosec.co.uk/advisories.shtml Released : 24th May 2000 Name : Rockliffe Mailsite Buffer Overflow Affected Systems : Windows NT running MailSite-HTTPMA/4.2.1.0 Issue : Remote attackers can execute arbitrary code Author : David Litchfield (mnemonix@globalnet.co.uk) Description *********** The Cerberus Security Team has discovered a serious security flaw with Rockliffe's MailSite Management Agent (version 4.2.1.0). This server allows remote users to access their POP3 accounts and read their mail over HTTP. The service usually listens on TCP port 90. Unfortunately there exists a buffer overrun vulnerability that allows attackers to execute arbitrary code. As this service runs as system, by default, any code executed will run with system privileges - meaning any server running this agent could be fully compromised. Details ******* The HTTPMA agent listens on port 90 and requests are made through wconsole.dll like a standard HTTP request: GET /cgi-bin/wconsole.dll?query_string\n\n If the query_string is over 240 bytes a buffer is overflowed, overwriting the saved return address thus gaining control of the program's execution. This is done by overwriting this address with another address in memory that contains a JMP ESP or CALL ESP instruction. The remainder of the buffer can be found here and when the JMP or CALL is performed the program executes the code found at the top of the stack. Solution: ********* The vendor has fixed this in their latest version 4.2.2 and is available from their web site http://www.rockliffe.com . Cerberus recommends that customers upgrade as soon as possible. Vendor Status ************* Rockliffe were informed about this earlier this month and they have now patched this in v4.2.2. Cerberus would like to thank Rockliffe for their prompt response in addressing this issue. About Cerberus Information Security, Ltd ***************************************** Cerberus Information Security, Ltd, a UK company, are specialists in penetration testing and other security auditing services. They are the developers of CIS (Cerberus' Internet security scanner) available for free from their website: http://www.cerberus-infosec.co.uk To ensure that the Cerberus Security Team remains one of the strongest security audit teams available globally they continually research operating system and popular service software vulnerabilites leading to the discovery of "world first" issues. This not only keeps the team sharp but also helps the industry and vendors as a whole ultimately protecting the end consumer. As testimony to their ability and expertise one just has to look at exactly how many major vulnerabilities have been discovered by the Cerberus Security Team - over 70 to date, making them a clear leader of companies offering such security services. Founded in late 1999, by Mark and David Litchfield, Cerberus Information Security, Ltd are located in London, UK but serves customers across the World. For more information about Cerberus Information Security, Ltd please visit their website or call on +44(0)208 395 4980. Permission is hereby granted to copy or redistribute this advisory but only in its entirety. Copyright (C) 2000 by Cerberus Information Security, Ltd