Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Unchecked buffer in PC-cillin

From: advisories () texonet com (advisories () texonet com)
Date: Tue, 10 Dec 2002 12:04:43 +0100
----------------------------------------------------------------------------
-
Texonet Security Advisory 20021210
----------------------------------------------------------------------------
-
Advisory ID    : TEXONET-20021210
Authors        : Joel Soderberg and Christer Oberg (advisories () texonet com)
Issue date     : 12-10-2002
Application    : PC-cillin (OfficeScan Corp. Edition 5.02)
Version(s)     : 2000, 2002 and 2003
Platforms      : Windows 98/ME/2000/XP
Availability   : http://www.texonet.com/advisories/TEXONET-20021210.txt
----------------------------------------------------------------------------
-


Problem:
----------------------------------------------------------------------------
-
PC-cillin has an unchecked buffer in pop3trap.exe


Description:
----------------------------------------------------------------------------
-
PC-cillin comes with a mail scanning feature that scans all incoming mail
for
viruses, this is accomplished by connecting the mail client to a local
service
listening on port 110 (pop3). This service is only listening for connections
from the local machine and acts as a proxy. The program running this service
is pop3trap.exe. Connecting to the local port 110 and sending a lot of
characters will crash the program with a direct hit on the EIP, this makes
it
possible to run malicious code. The code will be run using the privileges of
the user owning the pop3trap.exe process.

Example 1: perl -e " print \"a\"x1100" |nc 127.0.0.1 110

Example 2: http://127.0.0.1:110/[put 1100 a's here]



Workaround:
----------------------------------------------------------------------------
-
Download the appropriate Service Pack from:

http://kb.trendmicro.com/solutions/solutionDetail.asp?solutionId=12982


Disclosure Timeline:
----------------------------------------------------------------------------
-
11/14/2002: Vendor notified by e-mail
11/15/2002: Standard support reply received from vendor
11/15/2002: Requested contact information from vendor
11/15/2002: Reply received from vendor with contact recommendations
11/15/2002: Advisory sent in accordance to vendors recommendations
11/21/2002: Vendor has verified the issue and is working on the solution
12/10/2002: Issue released to the public


About Texonet:
----------------------------------------------------------------------------
-
Texonet is a Swedish based security company with a focus on penetration
testing / security assessments, research and development.


Contacting Texonet:
----------------------------------------------------------------------------
-
E-mail:    advisories () texonet com
Homepage:  http://www.texonet.com/
Phone:     +46-8-55174611

Attachment: TEXONET-20021210.txt
Description:

Previous By Date Next
Previous By Thread Next

Current thread: