SNS Advisory No.16
Denshin-8-go Buffer Overflow Vulnerability

Problem first discovered: 24 Aug 2000
Published: 25 Aug 2000
Last Updated: 25 Aug 2000
_________________________________________________________________

Overview:
A buffer overflow vulnerability exists in Denshin-8-go.

Problem Description:
Denshin-8-go is an MUA (Mail User Agent) for Windows 95/98/NT4.0 that supports POP3/SMTP. A buffer overflow occurs in Denshin-8-go when it receives an e-mail message with a "From" header containing about 450 characters. As a result, this vulnerability could allow an attacker to execute arbitrary commands on the client machine. Successful exploitation of this vulnerability could lead to further compromise of the victim's security, such as embedding viruses or backdoors, disclosure of sensitive files, and corruption of the disk.

The SNS Team has written code that sends the full contents of "IN.FLD" (stored e-mail messages, as text files) to an outside FTP server. This code creates an e-mail message containing an unusually long "From" header and shell code. The buffer overflow occurs when the e-mail message is received by Denshin-8-go, and an arbitrary command is executed.

Fig1: Receiving an e-mail message
Fig2: Execution of arbitrary command (all e-mail messages in "IN.FLD" are sent to the FTP server)

Affected Version:
Denshin-8-go V321.2b6-stable and earlier

Status of Fix:
The problem was fixed in V32.1.3.1. More details are available at:
http://denshin8.esprix.net/den8bugs.html (Japanese only)

Relevant URL:
Denshin-8-go official Web Site: http://denshin8.esprix.net/

Disclaimer:
All information in these advisories is subject to change without advance notice or mutual consent, and each advisory is released as is. LAC Co.,Ltd. is not responsible for any risks arising from the use of this information.
_________________________________________________________________
Copyright(c) 1995-2002 Little eArth Corporation
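For sites that cannot upgrade every client at once, a mail gateway can flag the condition described under Problem Description before the message reaches the MUA. The following is an added example, not code from SNS or the Denshin-8-go project; the 256-byte limit, the function names and the sample messages are assumptions made for illustration.

```python
import re

# Assumption: the advisory says the overflow needs "about 450 characters",
# so this constructed limit sits well below that.
MAX_FROM_LEN = 256

def unfold_headers(raw: bytes):
    """Yield (name, value) per header, joining folded continuation lines."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    current = None
    for line in re.split(rb"\r?\n", head):
        if line[:1] in (b" ", b"\t"):
            if current is not None:
                current[1] += line   # folded line belongs to the previous header
            continue
        if current is not None:
            yield current[0], bytes(current[1])
        name, sep, value = line.partition(b":")
        current = [name.strip().lower(), bytearray(value.strip())] if sep else None
    if current is not None:
        yield current[0], bytes(current[1])

def check_from(raw: bytes):
    """Return a list of findings for the From header(s) of one raw message."""
    findings = []
    values = [v for n, v in unfold_headers(raw) if n == b"from"]
    if len(values) > 1:
        findings.append("multiple From headers")
    for v in values:
        # Length is measured after unfolding, so splitting the header
        # across short physical lines does not hide its real size.
        if len(v) > MAX_FROM_LEN:
            findings.append(f"From header is {len(v)} bytes (limit {MAX_FROM_LEN})")
        if any((b < 0x20 and b != 0x09) or b > 0x7E for b in v):
            findings.append("From header contains non-printable or 8-bit bytes")
    return findings

# Constructed sample messages, not taken from the advisory.
NORMAL = b"From: Alice <alice@example.com>\r\nSubject: hi\r\n\r\nbody\r\n"
FOLDED_LONG = (b"From: " + b"A" * 200 + b"\r\n " + b"A" * 250 +
               b" <a@example.com>\r\nSubject: x\r\n\r\nbody\r\n")
BINARY = b"From: \x01\xfe <a@example.com>\r\n\r\n"

if __name__ == "__main__":
    for label, msg in (("normal", NORMAL), ("folded", FOLDED_LONG), ("binary", BINARY)):
        print(label, check_from(msg) or "ok")
```

A gateway would quarantine or reject messages with findings rather than rewrite the header, so the original is preserved for analysis.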