Full Disclosure mailing list archives

Re: iDEFENSE Security Advisory 12.06.05: Ipswitch


From: "Chris Rogers" <cprogers () bellsouth net>
Date: Fri, 16 Dec 2005 03:23:40 -0500

It's an overflow in the _vsnprintf() function. As far as I've read, this 
makes your options quite limited. You can only write to data pointers passed 
to you through the va_args list of the function. As far as I've seen when 
messing with this vulnerability, there are no potentials for overwrites. I 
see no function pointers, only text data. Just attach a debugger to 
ipswitch, and send MAIL FROM: %n%n%n%n%n%n@%n%n%n%n%n.com to cause a fault 
in the debugger.
Chris
----- Original Message ----- 
From: "Owen Dhu" <0wnj00 () gmail com>
To: <bugtraq () securityfocus com>; <vulnwatch () vulnwatch org>; 
<full-disclosure () lists grok org uk>
Sent: Tuesday, December 13, 2005 11:07 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch 
Collaboration Suite SMTP Format String Vulnerability


On 12/6/05, labs-no-reply () idefense com <labs-no-reply () idefense com> wrote:

> Ipswitch Collaboration Suite SMTP Format String Vulnerability
> [...]
> Remote exploitation of a format string vulnerability in Ipswitch
> IMail allows remote attackers to execute arbitrary code.

Can iDEFENSE (or anyone else) elaborate on this? I have been working with
this for a little while and iMail doesn't seem to be exploitable in this 
way.

TIA. 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
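
The bug class the advisory names, as an added example that is not part of the original posts and is not Ipswitch's code: a vsnprintf-based wrapper given peer-supplied text as its format string, next to the fixed-format form and a check that counts conversion directives in untrusted input. The names fmt_line, log_sender_unsafe, log_sender_safe and count_directives are hypothetical; the sample address is the string quoted in the post.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical wrapper: the caller supplies the format, as vsnprintf-based helpers do. */
static int fmt_line(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* BEFORE (vulnerable pattern, defined for comparison, never called here):
 * the peer-supplied address is used as the format string, so any %n or %s
 * in it is interpreted against whatever the va_list happens to hold. */
int log_sender_unsafe(char *out, size_t n, const char *addr)
{
    return fmt_line(out, n, addr);
}

/* AFTER: constant format; untrusted data is passed only as an argument. */
int log_sender_safe(char *out, size_t n, const char *addr)
{
    return fmt_line(out, n, "MAIL FROM: %s", addr);
}

/* Detection aid: count '%' conversion directives ("%%" is a literal percent). */
int count_directives(const char *s)
{
    int c = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        if (s[1] != '\0') c++;
    }
    return c;
}

int main(void)
{
    char buf[128];
    const char *addr = "%n%n%n%n%n%n@%n%n%n%n%n.com"; /* string quoted in the post */
    log_sender_safe(buf, sizeof buf, addr);
    printf("%s (directives in input: %d)\n", buf, count_directives(addr));
    return 0;
}
```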
