Full Disclosure mailing list archives

Re: IpSwitch IMAP Server LOGON stack overflow

From: <nolimit () coreiso org>
Date: Wed, 8 Jun 2005 16:55:33 -0400

Ah, you refer to this one.
"The first vulnerability specifically exists in the handling of a long 
username to the LOGIN command. A long username argument of approximately 
2,000 bytes will cause a stack based unicode string buffer overflow 
providing the attacker with partial control over EIP. As this 
vulnerability is in the LOGIN command itself, valid credentials are not 
required. "

Later it reads 
"The second vulnerability also exists in the handling of the LOGIN 
command username argument, however it lends itself to easier 
exploitation."

I guess I shouldn't have trusted this statement :) 
Perhaps I'll take a look at this one next, or just use your CANVAS example :)
Cheers
nolimit

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

IpSwitch IMAP Server LOGON stack overflow nolimit (Jun 07)
- Re: IpSwitch IMAP Server LOGON stack overflow Dave Aitel (Jun 08)
- <Possible follow-ups>
- Re: Re: IpSwitch IMAP Server LOGON stack overflow nolimit (Jun 08)
  - Re: IpSwitch IMAP Server LOGON stack overflow Dave Aitel (Jun 08)
- Re: IpSwitch IMAP Server LOGON stack overflow nolimit (Jun 08)