Title: Multiple vulnerabilities in JanaServer
Author: ZARAZA <[email protected]>
Date: July, 22 2002
Affected: JanaServer 2.2.1 and prior
JanaServer 1.46 and prior
Vendor: Thomas Hauck <[email protected]>
Risk: High (critical if some services, for example HTTP, are available from a public interface)
Remote: yes
Exploitable: yes
Vendor notified: July, 18 2002
Product URL: http://www.janaserver.com
SECURITY.NNOV URL: http://www.security.nnov.ru
Advanced info: http://www.security.nnov.ru/search/news.asp?binid=2171
I. Introduction:
JanaServer is Internet gateway software for the Windows platform that can act as
an HTTP/FTP/NEWS/SNTP server, a SOCKS4/SOCKS5/HTTP/FTP/TELNET/Real Audio
proxy, an e-mail gateway and a port mapper. JanaServer up to 1.46 was
freeware; JanaServer 2.0 and above is shareware. It is intensively used
in SOHO networks. Under NT platforms it runs as a service with system
privileges.
II. Details:
8 vulnerabilities were identified:
A request with an oversized HTTP version string, such as
GET / HTTP/[buffer].0
causes a buffer overflow in the logging component.
The same overflow exists in the HTTP proxy server running on TCP/3128.
A username, password or hostname longer than 127 characters in a SOCKS5
request causes a buffer overflow because the length is handled in a signed
variable.
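The signed-length pattern described above, as an added example that is not code from the advisory or from JanaServer: the one-byte ULEN field of the RFC 1929 username/password sub-negotiation is read into a signed char, so any value of 128 or more turns negative and the "too long" test can never fire. The hardened parser beside it keeps the length unsigned and checks it against the buffer before copying. The 127-character buffer size and the test request builder are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define UNAME_MAX 127   /* assumed size of the fixed username buffer (plus NUL) */

/* Flawed pattern: ULEN stored in a signed char. On the usual two's-complement
 * platforms 128..255 become -128..-1, so "ulen > UNAME_MAX" is never true and
 * a later copy of (size_t)ulen bytes would run far past the buffer.
 * Returns 1 if the length test accepts the value, 0 if it rejects it. */
int flawed_length_check_accepts(unsigned char ulen_byte)
{
    signed char ulen = (signed char)ulen_byte;
    if (ulen > UNAME_MAX)
        return 0;           /* dead code: a signed char cannot exceed 127 */
    return 1;
}

/* Hardened parser for the sub-negotiation VER(1) ULEN(1) UNAME(ULEN) PLEN(1) ...
 * The length stays unsigned, is compared against the destination buffer, and the
 * message is checked to actually contain ULEN bytes before anything is copied.
 * Returns the username length on success, -1 on malformed or oversized input. */
int parse_socks5_uname(const unsigned char *req, size_t req_len, char out[UNAME_MAX + 1])
{
    if (req_len < 2 || req[0] != 0x01)
        return -1;
    size_t ulen = req[1];               /* 0..255, no sign surprise */
    if (ulen > UNAME_MAX)
        return -1;                      /* does not fit the buffer */
    if (req_len < 2 + ulen + 1)
        return -1;                      /* truncated: PLEN byte must follow UNAME */
    memcpy(out, req + 2, ulen);
    out[ulen] = '\0';
    return (int)ulen;
}

/* Builds a constructed sub-negotiation message with a username of 'A' * ulen
 * and an empty password, and runs it through the hardened parser. */
int probe_uname_len(unsigned ulen)
{
    unsigned char req[2 + 255 + 1];
    char out[UNAME_MAX + 1];
    if (ulen > 255)
        return -1;
    req[0] = 0x01;                      /* sub-negotiation version */
    req[1] = (unsigned char)ulen;       /* ULEN */
    memset(req + 2, 'A', ulen);         /* UNAME */
    req[2 + ulen] = 0x00;               /* PLEN = 0 */
    return parse_socks5_uname(req, 2 + ulen + 1, out);
}

int main(void)
{
    for (unsigned len = 120; len <= 200; len += 20)
        printf("ULEN=%3u  flawed check accepts=%d  hardened parser returns=%d\n",
               len, flawed_length_check_accepts((unsigned char)len), probe_uname_len(len));
    return 0;
}
```

The flawed check accepts every value 0..255, which is exactly why a 128-byte or longer field reaches the copy; the hardened parser rejects anything above 127 and any message shorter than its own length fields claim.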
An oversized reply from a POP3 server,
+OK [buffer]
causes a buffer overflow in the logging component.
The same overflow occurs with an SMTP server response:
nnn [buffer]
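The logging overflows above (HTTP version string, POP3 "+OK" reply, SMTP response) share one root cause: peer-controlled text is formatted into a fixed-size log buffer without a bound. The following is an added example, not code from the advisory or from JanaServer, showing that unbounded pattern next to a bounded version that reports truncation instead of overflowing and neutralises control characters so a crafted reply cannot forge log lines. The 256-byte line size and the peer label are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define LOG_LINE_MAX 256   /* assumed size of the logger's fixed line buffer */

/* Unbounded pattern: sprintf has no idea how large buf is, so an oversized
 * "+OK ..." reply or HTTP version string runs past its end. Shown for
 * contrast only; this function is never called with untrusted input here. */
void log_line_unbounded(char *buf, const char *peer, const char *text)
{
    sprintf(buf, "%s: %s", peer, text);
}

/* Bounded version. snprintf limits the write to buf_len bytes, *truncated
 * tells the caller the line was cut, and bytes below 0x20 (CR, LF, ESC) or
 * 0x7f are replaced so the peer cannot inject fake log records.
 * Returns the number of bytes stored (excluding the NUL), or -1 on error. */
int log_line_bounded(char *buf, size_t buf_len, const char *peer,
                     const char *text, int *truncated)
{
    if (buf_len == 0)
        return -1;
    int n = snprintf(buf, buf_len, "%s: %s", peer, text);
    if (n < 0)
        return -1;
    *truncated = (size_t)n >= buf_len;
    size_t stored = *truncated ? buf_len - 1 : (size_t)n;
    for (size_t i = 0; i < stored; i++)
        if ((unsigned char)buf[i] < 0x20 || buf[i] == 0x7f)
            buf[i] = '?';
    return (int)stored;
}

/* Constructs a "+OK AAAA..." reply of reply_len bytes (at least 4) and logs it
 * through the bounded path; returns the stored length. */
int demo_oversized_reply(size_t reply_len, int *truncated)
{
    static char reply[4096];
    static char line[LOG_LINE_MAX];
    if (reply_len < 4)
        reply_len = 4;
    if (reply_len >= sizeof reply)
        reply_len = sizeof reply - 1;
    memcpy(reply, "+OK ", 4);
    memset(reply + 4, 'A', reply_len - 4);
    reply[reply_len] = '\0';
    return log_line_bounded(line, sizeof line, "pop3-upstream", reply, truncated);
}

int main(void)
{
    int truncated;
    int stored = demo_oversized_reply(2000, &truncated);
    printf("stored %d bytes, truncated=%d\n", stored, truncated);
    stored = demo_oversized_reply(20, &truncated);
    printf("stored %d bytes, truncated=%d\n", stored, truncated);
    return 0;
}
```

The peer label "pop3-upstream: " is 15 bytes, so a 20-byte reply stores 35 bytes untruncated, while a 2000-byte reply is cut at 255 bytes and flagged; a real gateway would additionally log the truncation event itself, since an upstream sending a multi-kilobyte status line is worth noticing.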
On the FTP PASV command the server allocates a new TCP port without closing
the previously allocated one. This makes it possible to consume all TCP ports
available in the system.
The POP3 gateway gives different diagnostics for valid and invalid usernames
and allows an unlimited number of authentication attempts. This makes it
easy to brute-force username/password pairs.
During mailbox commands there is no check that the message index is valid.
For example
RETR 1000000
or
DELE 1000000
will cause the server to crash. JanaServer 2.2.1 is not vulnerable.
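The two POP3 gateway issues above (username-dependent authentication diagnostics with unlimited attempts, and unchecked message indexes in RETR/DELE) are addressed together in this added example, which is not code from the advisory or from JanaServer. It validates the numeric argument against the mailbox size before use, returns the same reply for an unknown user and a wrong password, and refuses further logins after a fixed number of failures. The credential table, the three-attempt limit and the reply texts are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_AUTH_ATTEMPTS 3   /* assumed per-connection limit */

/* Minimal session state; a real gateway would track the upstream mailbox. */
struct session {
    int msg_count;      /* messages in the mailbox */
    int auth_failures;  /* failed logins on this connection */
    int authenticated;
};

/* Parse the argument of RETR/DELE and check it against the mailbox.
 * Returns the 1-based index, or -1 if the argument is missing, non-numeric,
 * has trailing junk, is zero or negative, or exceeds msg_count. */
int pop3_message_index(const struct session *s, const char *arg)
{
    char *end;
    if (arg == NULL || *arg == '\0')
        return -1;
    errno = 0;
    long n = strtol(arg, &end, 10);
    if (errno != 0 || end == arg || *end != '\0')
        return -1;
    if (n < 1 || n > s->msg_count)
        return -1;
    return (int)n;
}

/* Constructed credential store for the example. */
static int credentials_ok(const char *user, const char *pass)
{
    return strcmp(user, "alice") == 0 && strcmp(pass, "s3cret") == 0;
}

/* Login: one reply text whether the user is unknown or the password is wrong,
 * and the connection is refused once MAX_AUTH_ATTEMPTS failures accumulate. */
const char *pop3_auth(struct session *s, const char *user, const char *pass)
{
    if (s->auth_failures >= MAX_AUTH_ATTEMPTS)
        return "-ERR too many failed logins, closing connection";
    if (credentials_ok(user, pass)) {
        s->authenticated = 1;
        return "+OK mailbox locked and ready";
    }
    s->auth_failures++;
    if (s->auth_failures >= MAX_AUTH_ATTEMPTS)
        return "-ERR too many failed logins, closing connection";
    return "-ERR authentication failed";   /* identical for bad user and bad password */
}

/* Dispatch one transaction-state command line such as "RETR 1000000". */
const char *pop3_handle(struct session *s, const char *line)
{
    char cmd[16], arg[32];
    int n = sscanf(line, "%15s %31s", cmd, arg);
    if (n < 1)
        return "-ERR syntax error";
    if (!s->authenticated)
        return "-ERR not authenticated";
    if (strcmp(cmd, "RETR") == 0 || strcmp(cmd, "DELE") == 0) {
        if (n < 2 || pop3_message_index(s, arg) < 0)
            return "-ERR no such message";   /* instead of indexing out of range */
        return "+OK";
    }
    return "-ERR unknown command";
}

int main(void)
{
    struct session s = {3, 0, 0};
    printf("%s\n", pop3_auth(&s, "bob", "x"));
    printf("%s\n", pop3_auth(&s, "alice", "s3cret"));
    printf("%s\n", pop3_handle(&s, "RETR 1000000"));
    printf("%s\n", pop3_handle(&s, "RETR 2"));
    return 0;
}
```

Because strtol is checked for overflow and trailing characters, arguments like "1000000", "0", "-1" and "2abc" all end in the same "-ERR no such message" reply rather than in an out-of-bounds access; the authentication path never reveals whether the username exists.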
III. Workarounds:
IV. Vendor and solution:
The vendor was informed on July, 18 2002 and claims all bugs are fixed.
There has been no reply from the vendor since July, 19 2002, and there is no
information about a fixed version available on the product's site.
--
http://www.security.nnov.ru
/\_/\
{ , . } |\
+-oQQo->{ ^ }<-----+ \
| ZARAZA U 3APA3A }
+------------o66o--+ /
|/
You know my name - look up my number (The Beatles)