SNS Advisory No.41
iPlanet Messaging Server 5.1 (evaluation copy) Buffer Overflow Vulnerability

Problem first discovered: 6 Aug 2001
Published: Fri, 31 Aug 2001
Japanese edition: http://www.lac.co.jp/security/intelligence/SNSAdvisory/41.html
_________________________________________________________________

Overview:
Netscape Administration Server, provided by iPlanet Messaging Server 5.0 as a console program for administration, has a buffer overflow vulnerability. It allows remote users to execute arbitrary commands with SYSTEM privilege.

Problem Description:
iPlanet Messaging Server is designed to provide SMTP, IMAP4, POP3 and Web-based mail services. Basic authorization is required when editing user information registered on the server; the supplied username and password are base64 encoded and then sent to the server. If the username contains a long string, ns-admin.exe, the binary of Netscape Administration Server, overflows. This vulnerability therefore allows remote users to execute arbitrary commands with SYSTEM privilege.

Example of Exploit:
Fig1: Administration Server basic authorization
Fig2: Backdoor created on the target host
Fig3: Connecting to the backdoor's TCP port

Tested Version: iPlanet Messaging Server 5.1 evaluation copy
Tested OS: Windows NT 4.0 Server + SP6a [English]

Solution:
iPlanet has not commented on this problem because it does not offer technical support for evaluation copies under any circumstances. It is strongly recommended that you set up access control on the Administration Server so that non-trusted users are denied access to the servers on which iPlanet Messaging Server is installed. Once this is set up, unauthorized hosts cannot access the web site for editing user information.
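As an added illustration (not part of the original advisory), the following Python shows how a proxy or log-inspection tool can decode the Basic Authorization header described above and flag requests whose username is overlong before they reach the Administration Server. The length threshold, the sample request path and the credentials are constructed assumptions, since the advisory gives no exact figures.

```python
import base64
import re

# Assumed threshold: the advisory names no exact length, so treat any
# Basic-auth username longer than this as suspicious (tune for your site).
MAX_USERNAME_LEN = 64

AUTH_RE = re.compile(r"^Authorization:\s*Basic\s+(\S+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def basic_auth_username(raw_request: str):
    """Return (username, error) from the Basic Authorization header of a raw
    HTTP request. error is None on success, otherwise a short reason."""
    m = AUTH_RE.search(raw_request)
    if not m:
        return None, "no Basic Authorization header"
    try:
        # validate=True rejects non-alphabet characters and bad padding
        decoded = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None, "malformed base64"
    # RFC 2617: user-id is everything before the first colon; a credential
    # without a colon is treated as a bare username.
    user = decoded.split(b":", 1)[0]
    return user.decode("latin-1"), None


def classify_request(raw_request: str, limit: int = MAX_USERNAME_LEN) -> str:
    """Label a request 'ok', 'suspicious' (overlong username) or an error reason."""
    user, err = basic_auth_username(raw_request)
    if err:
        return err
    return "suspicious" if len(user) > limit else "ok"


def make_request(creds: bytes) -> str:
    """Build a constructed sample request; the path is a placeholder, not the
    real Administration Server URL (which the advisory does not give)."""
    token = base64.b64encode(creds).decode("ascii")
    return ("GET /PLACEHOLDER-USER-EDIT-PATH HTTP/1.0\r\n"
            "Authorization: Basic " + token + "\r\n\r\n")


if __name__ == "__main__":
    print(classify_request(make_request(b"admin:secret")))      # ok
    print(classify_request(make_request(b"A" * 2000 + b":x")))  # suspicious
```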
Discovered by: SNS Team (LAC / snsadv@lac.co.jp)

Disclaimer:
All information in these advisories is subject to change without advance notice or mutual consensus, and each advisory is released as is. LAC Co., Ltd. is not responsible for any risks or occurrences caused by applying this information.
_________________________________________________________________
Copyright(c) 1995-2002 Little eArth Corporation