Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Format string and buffer-overflow in SurgeMail 38k4

from [Luigi Auriemma] Network Security [Permanent Link]
Subject: [Full-disclosure] Format string and buffer-overflow in SurgeMail 38k4
Date: Mon, 25 Feb 2008 21:02:21 +0100 

#######################################################################

                             Luigi Auriemma

Application:  SurgeMail Mail Server
                http://netwinsite.com/surgemail/
              Netwin's WebMail
                http://netwinsite.com/webmail/
Versions:     SurgeMail <= 38k4 and beta 39a
              Netwin's WebMail <= 3.1s (only bug A)
Platforms:    Windows, Linux, FreeBSD, MacOSX and Solaris
Bugs:         A] format string in webmail.exe's page command
              B] buffer-overflow in the building of environment strings
Exploitation: remote
Date:         25 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


SurgeMail is a well known commercial multiplatform mail server which
supports many protocols.


#######################################################################

=======
2) Bugs
=======

----------------------------------------------
A] format string in webmail.exe's page command
----------------------------------------------

The CGI used for the handling of the webmail interface (webmail.exe) is
affected by a format string vulnerability in the function which builds
the error message when a wrong page is requested and passes it directly
to lvprintf without the needed format argument:

  "TPL: Failed to Locate Template 
{c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}"

Sample URL for exploiting the vulnerability:

  http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s


---------------------------------------------------------
B] buffer-overflow in the building of environment strings
---------------------------------------------------------

A buffer overflow vulnerability is located in the function which
handles the real CGI executables (which must be not confused with the
.cgi virtual files like user.cgi, admin.cgi and so on).
When the server receives a HTTP request for a real CGI (like for
example webmail.exe) it uses a buffer of about 20000 bytes for storing
all the environment strings which will be passed to the called program.
The HTTP fields passed by the client in his request are truncated at
200 bytes for the parameter and 800 for its value and are added as
environment variables (HTTP_parameter=value).
The lack of checks on the size of this environment buffer leads to a
buffer-overflow, anyway although is possible to control some registers
code execution is not certain.

Naturally both the surgemail and the swatch (port 7027) processes are
affected by this vulnerability.


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/surgemailz.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Format string and buffer-overflow in SurgeMail 38k4, Luigi Auriemma <=
Previous by Date:  [Full-disclosure] CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation, Core Security Technologies Advisories
Next by Date:  [Full-disclosure] NULL pointer in SurgeFTP 2.3a2, Luigi Auriemma
Previous by Thread:  [Full-disclosure] CORE-2007-0930 Path Traversal vulnerability in VMware's shared folders implementation, Core Security Technologies Advisories
Next by Thread:  [Full-disclosure] NULL pointer in SurgeFTP 2.3a2, Luigi Auriemma
Indexes:  [Date] [Thread] [Top] [All Lists]