Alert: Buffer overflow in Rockliffe's MailSite

[CST () CERBERUS-INFOSEC CO UK (Cerberus Security Team)]

Cerberus Information Security Advisory (CISADV000524a)
http://www.cerberus-infosec.co.uk/advisories.shtml

Released: 24th May 2000
Name: Rockliffe Mailsite Buffer Overflow
Affected Systems     : Windows NT running MailSite-HTTPMA/4.2.1.0
Issue: Remote attackers can execute arbitrary code
Author: David Litchfield (mnemonix () globalnet co uk)

Description
***********
The Cerberus Security Team has discovered a serious security flaw with
Rockliffe's MailSite Management Agent (version 4.2.1.0). This server allows
remote users to access their POP3 accounts and read their mail over HTTP.
The service usually listens on TCP port 90. Unfortunately there exists a
buffer overrun vulnerability that allows attackers to execute arbitrary
code. As this service runs as system, by default, any code executed will run
with system privileges - meaning any server running this agent could be
fully compromised.

Details
*******
The HTTPMA agent listens on port 90 and requests are made through
wconsole.dll like a standard HTTP request:

GET /cgi-bin/wconsole.dll?query_string\n\n

If the query_string is over 240 bytes a buffer is overflowed, overwriting
the saved return address thus gaining control of the program's execution.
This is done by overwriting this address with another address in memory that
contains a JMP ESP or CALL ESP instruction. The remainder of the buffer can
be found here and when the JMP or CALL is performed the program executes the
code found at the top of the stack.

Solution:
*********
The vendor has fixed this in their latest version 4.2.2 and is available
from their web site http://www.rockliffe.com . Cerberus recommends that
customers upgrade as soon as possible.

Vendor Status
*************
Rockliffe were informed about this earlier this month and they have now
patched this in v4.2.2. Cerberus would like to thank Rockliffe for their
prompt response in addressing this issue.

About Cerberus Information Security, Ltd
*****************************************
Cerberus Information Security, Ltd, a UK company, are specialists in
penetration testing and other security auditing services. They are the
developers of CIS (Cerberus' Internet security scanner) available for free
from their website: http://www.cerberus-infosec.co.uk

To ensure that the Cerberus Security Team remains one of the strongest
security audit teams available globally they continually research operating
system and popular service software vulnerabilites leading to the discovery
of "world first" issues. This not only keeps the team sharp but also helps
the industry and vendors as a whole ultimately protecting the end consumer.
As testimony to their ability and expertise one just has to look at exactly
how many major vulnerabilities have been discovered by the Cerberus Security
Team - over 70 to date, making them a clear leader of companies offering
such security services.

Founded in late 1999, by Mark and David Litchfield, Cerberus Information
Security, Ltd are located in London, UK but serves customers across the
World. For more information about Cerberus Information Security, Ltd please
visit their website or call on +44(0)208 395 4980.

Permission is hereby granted to copy or redistribute this advisory but only
in its entirety.

Copyright (C) 2000 by Cerberus Information Security, Ltd