Date: Fri Dec 16 14:33:35 2005
From: FistFuXXer at gmx.de (FistFucker)
Subject: iDEFENSE Security Advisory 12.06.05: Ipswitch 

I have known about this problem for a while. It's a bug in 'SysLib.dll' that makes
calls to 'MSVCR71._vsnprintf' with user controlled data as format string.
'MSVCR71._vsnprintf' will only be called when SMTP logging is enabled, and
it's disabled by default in IMail 8.21.

The following SMTP commands are affected:
  - HELO
  - EHLO
  - MAIL
  - RCPT
  - EXPN
  - AUTH CRAM-MD5 (encoded username)
  - AUTH LOGIN (encoded username)
  - AUTH PLAIN (encoded username)

I don't think it's exploitable because the user controlled string is many
thousands of bytes away from the stack pointer and you can only send 512 bytes
to the SMTP daemon. This allows you to increase the stack pointer up to
2,032 bytes, but the nearest user controlled memory location I could find was
still 11,840 bytes away from ESP. A memory access violation doesn't crash
the SMTP daemon but consumes 100% CPU power.

If someone was able to exploit this, I would be interested in exploit code
or an explanation to learn from him.


-FistFucker (aka FistFuXXer)



----- Original Message ----- 
From: Chris Rogers
To: full-disclosure@...ts.grok.org.uk
Sent: Friday, December 16, 2005 9:23 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch


It's an overflow in the _vsnprintf() function. As far as I've read, this
makes your options quite limited. You can only write to data pointers passed
to you through the va_args list of the function. As far as I've seen when
messing with this vulnerability, there is no potential for overwrites. I
see no function pointers, only text data. Just attach a debugger to
ipswitch, and send MAIL FROM: %n%n%n%n%n%n@...n%n%n%n.com to cause a fault
in the debugger.
Chris
----- Original Message ----- 
From: "Owen Dhu" <0wnj00@...il.com>
To: <bugtraq@...urityfocus.com>; <vulnwatch@...nwatch.org>;
<full-disclosure@...ts.grok.org.uk>
Sent: Tuesday, December 13, 2005 11:07 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch
Collaboration Suite SMTP Format String Vulnerability


On 12/6/05, labs-no-reply@...fense.com <labs-no-reply@...fense.com> wrote:

> Ipswitch Collaboration Suite SMTP Format String Vulnerability
[...]
> Remote exploitation of a format string vulnerability in Ipswitch
> IMail allows remote attackers to execute arbitrary code.

Can iDEFENSE (or anyone else) elaborate on this? I have been working with
this for a little while and iMail doesn't seem to be exploitable in this
way.

TIA.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
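The bug pattern the thread describes, as an added illustration that is not Ipswitch code and not from any poster: a logging routine that hands the SMTP argument to vsnprintf as the format string, the corrected form that logs it through a constant "%s" format, and a small check that counts the conversion directives an untrusted string would trigger. All function names are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the logging path the thread describes: the
 * user-controlled SMTP argument (HELO name, MAIL FROM address, ...) is
 * passed to vsnprintf as the format string itself. Not Ipswitch's code. */
static void log_vulnerable(char *out, size_t outsz, const char *user_fmt, ...) {
    va_list ap;
    va_start(ap, user_fmt);
    vsnprintf(out, outsz, user_fmt, ap);   /* BUG: the client chooses the format */
    va_end(ap);
}

/* Corrected form: the format is a constant, user data is only a %s argument,
 * so '%' characters in the input are copied literally and never interpreted. */
static void log_fixed(char *out, size_t outsz, const char *user_data) {
    snprintf(out, outsz, "SMTP HELO: %s", user_data);
}

/* Detection helper: number of printf conversion directives an untrusted
 * string would trigger if it were ever used as a format. "%%" is a literal
 * percent sign and does not count. Non-zero on a client-supplied SMTP
 * argument is worth logging as suspicious input. */
static int count_format_directives(const char *s) {
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p == '%') {
            if (p[1] == '%') { p++; continue; }  /* escaped literal '%' */
            n++;
        }
    }
    return n;
}
```

With a benign hostname both routines produce the same log line; the difference only appears when the input contains directives, which the fixed routine renders as plain text.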