From securityteam@DELPHISPLC.COM Mon Jul 10 02:43:21 2000
From: Security Team
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 8 Jun 2000 14:20:05 +0100
Subject: DST2K0011: DoS & BufferOverrun in CMail v2.4.7 WebMail

> ================================================================================
> Delphis Consulting Plc
> ================================================================================
>
> Security Team Advisories
> [05/06/2000]
>
> securityteam@delphisplc.com
> [http://www.delphisplc.com/thinking/whitepapers/]
>
> ================================================================================
> Adv     : DST2K0011
> Title   : DoS & BufferOverrun in CMail v2.4.7 WebMail
> Author  : DCIST (securityteam@delphisplc.com)
> O/S     : Microsoft Windows NT v4.0 Workstation (SP6)
> Product : CMail v2.4.7
> Date    : 05/06/2000
>
> I. Description
> II. Solution
> III. Disclaimer
>
> ================================================================================
>
> I. Description
> ================================================================================
>
> Vendor URL: http://www.computalynx.net/
>
> Delphis Consulting Internet Security Team (DCIST) discovered the following vulnerabilities in the CMail Server under Windows NT.
>
> Severity: med
>
> The web interface of CMail, which resides by default on port 8002, can be used to consume 95% of CPU time in two locations. By default the new user creation option is disabled; even so, it is possible to enter a long username of 196k, which will cause the CMail process to sit at 91 - 95% CPU time. This is only temporary, as the process seems to release the CPU after an as yet undefined amount of time.
>
> Severity: high
>
> Through the web server which drives the web interface of CMail it is possible to cause a buffer overrun in NTDLL.DLL, overwriting the EIP and allowing the execution of arbitrary code. This is done by connecting to port 8002, on which the service resides by default, and sending a large GET string. The string has to be a length of 428 + EIP (4 bytes), making a total of 432 bytes.
>
> It should be noted that NTDLL is authored by ComputaLynx and not Microsoft.
>
> II. Solution
> ================================================================================
>
> Vendor Status: Informed
>
> Currently there is no known solution to the problem.
>
> III. Disclaimer
> ================================================================================
> THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
> ================================================================================
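The high-severity finding above is the classic pattern of a request line copied into a fixed stack buffer without a length check. The following C code is an added illustration, not CMail's code and not part of the advisory: it shows the hardened form of such a reader, which refuses any GET line that cannot fit, with the 428-byte buffer size (taken from the advisory's figure) and the function names being assumptions.

```c
#include <stddef.h>
#include <string.h>

/* Assumed buffer size, chosen to match the 428-byte figure in the advisory;
 * CMail's real internals are not public, so this illustrates the bug class
 * (fixed stack buffer, unchecked request length), not the product's code. */
#define REQ_LINE_MAX 428

enum req_status { REQ_OK = 0, REQ_TOO_LONG = 1, REQ_BAD_METHOD = 2 };

/* Copy a request line into dst only if it fits together with its NUL.
 * An unchecked strcpy here is the pattern that lets a 432-byte GET line
 * run past the buffer and over the saved return address. */
enum req_status read_request_line(const char *src, char *dst, size_t dst_len)
{
    size_t n = strcspn(src, "\r\n");        /* bytes up to end of line */
    if (n >= dst_len)                        /* no room for the terminator */
        return REQ_TOO_LONG;
    if (n < 4 || strncmp(src, "GET ", 4) != 0)
        return REQ_BAD_METHOD;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return REQ_OK;
}

/* Classify one request line against the limit; a proxy or log monitor in
 * front of port 8002 can alert on REQ_TOO_LONG instead of forwarding it. */
enum req_status check_line(const char *line)
{
    char buf[REQ_LINE_MAX];
    return read_request_line(line, buf, sizeof buf);
}

/* Constructed input: a GET line padded with filler to exactly `len` bytes,
 * so the threshold can be exercised offline without a live server. */
enum req_status check_filler_line(size_t len)
{
    char line[1024];
    if (len >= sizeof line)
        len = sizeof line - 1;
    memset(line, 'A', len);
    line[len] = '\0';
    if (len >= 4)
        memcpy(line, "GET ", 4);
    return check_line(line);
}
```

Any line of 428 bytes or more is rejected before it touches the fixed buffer, so the advisory's 432-byte trigger never reaches the copy.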