lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 21 Mar 2008 10:01:10 +0100
From: "infocus" <infocus@...igo.hr>
To: <full-disclosure@...ts.grok.org.uk>
Subject: [INFIGO-2008-03-07]: Surgemail 38k4 IMAP server
	remote stack overflow

                                            
            INFIGO IS Security Advisory #ADV-2008-03-07
                             http://www.infigo.hr/en/




Title: Surgemail 38k4 IMAP server remote stack overflow
Advisory ID: INFIGO-2008-03-07
Date: 2008-03-21
Advisory URL: http://www.infigo.hr/en/in_focus/advisories/INFIGO-2008-03-07
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote




==[ Overview

SurgeMail Mail Server Software Suite - combines advanced features, high
performance and ease of use. Works on Windows, UNIX (Linux, Solaris etc.),
Mac OSX, FreeBSD and others. Surgemail integrated email server is an
Antispam Server, Antivirus Server, Webmail Server, Groupware Server, 
Blog Server and much more. 



==[ Vulnerability

A remote vanilla stack overflow vulnerability exists in the Surgemail IMAP 
server. The vulnerability is caused due to a boundary error in the IMAP 
server, when processing overly long arguments of the 'LSUB' command.
The vulnerability results in a simple stack overflow condition that can be
trivially exploited.

Example:
a002 LSUB "//AA:" * 12000 + " " + "//AA:" * 21000 + "\r\n"



==[ Affected Version

The vulnerability has been identified in the latest available 38k4-4. 
It was tested on Windows XP SP2.



==[ Fix

The vendor released a new version that fixes the vulnerability available at
http://www.netwinsite.com/surgemail/.



==[ PoC Exploit

http://www.infigo.hr/files/surgemail.pl



==[ Vendor status

01.09.2008 - Initial contact
01.10.2008 - Initial vendor response
03.19.2008 - Vendor status update - Patch available
03.21.2008 - Coordinated public disclosure



==[ Credits

Vulnerability discovered by Leon Juranic <leon.juranic@...igo.hr>.



==[ INFIGO IS Security Contact

INFIGO IS,

WWW : http://www.infigo.hr/en/
E-mail : infocus@...igo.hr

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ