Full Disclosure mailing list archives
Re: iDEFENSE Security Advisory 12.06.05: Ipswitch
From: "FistFucker" <FistFuXXer () gmx de>
Date: Fri, 16 Dec 2005 15:32:50 +0100
I have known about this problem for a while. It's a bug in 'SysLib.dll' that makes calls to 'MSVCR71._vsnprintf' with user controlled data as format string. 'MSVCR71._vsnprintf' will only be called when SMTP logging is enabled and it's disabled by default in IMail 8.21. The following SMTP commands are affected:

- HELO
- EHLO
- MAIL
- RCPT
- EXPN
- AUTH CRAM-MD5 (encoded username)
- AUTH LOGIN (encoded username)
- AUTH PLAIN (encoded username)

I don't think it's exploitable because the user controlled string is many thousand bytes away from the stack pointer and you can only send 512 bytes to the SMTP daemon. This allows you to increase the stack pointer up to 2,032 bytes but the nearest user controlled memory location I could find was still 11,840 bytes away from ESP. A memory access violation doesn't crash the SMTP daemon but consumes 100% CPU power.

If someone was able to exploit this, I would be interested in exploit code or an explanation to learn from him.

-FistFucker (aka FistFuXXer)

----- Original Message -----
From: Chris Rogers
To: full-disclosure () lists grok org uk
Sent: Friday, December 16, 2005 9:23 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch

It's an overflow in the _vsnprintf() function. As far as I've read, this makes your options quite limited. You can only write to data pointers passed to you through the va_args list of the function. As far as I've seen when messing with this vulnerability, there are no potentials for overwrites. I see no function pointers, only text data. Just attach a debugger to ipswitch, and send MAIL FROM: %n%n%n%n%n%n@%n%n%n%n%n.com to cause a fault in the debugger.
Chris

----- Original Message -----
From: "Owen Dhu" <0wnj00 () gmail com>
To: <bugtraq () securityfocus com>; <vulnwatch () vulnwatch org>; <full-disclosure () lists grok org uk>
Sent: Tuesday, December 13, 2005 11:07 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch Collaboration Suite SMTP Format String Vulnerability

On 12/6/05, labs-no-reply () idefense com <labs-no-reply () idefense com> wrote:
Ipswitch Collaboration Suite SMTP Format String Vulnerability
[...]
Remote exploitation of a format string vulnerability in Ipswitch IMail allows remote attackers to execute arbitrary code.
Can iDEFENSE (or anyone else) elaborate on this? I have been working with this for a little while and iMail doesn't seem to be exploitable in this way. TIA.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
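The defect the thread describes (client-supplied SMTP text reaching _vsnprintf as the format argument) shown beside the fixed form, plus a log-side check that counts printf-style directives in an SMTP argument so probes like the MAIL FROM string quoted above stand out in logs. This is an added example in C, not code from the thread or from IMail/SysLib.dll; the function names, buffer sizes and the "SMTP <cmd>: <arg>" log layout are assumptions.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helpers standing in for the SMTP log path the thread
 * describes; names and buffer sizes are assumptions, not IMail's own code. */

/* Vulnerable pattern: the client-supplied text IS the format string, so any
 * '%' directive in a HELO/MAIL/RCPT argument is interpreted by vsnprintf. */
static int log_smtp_unsafe(char *out, size_t outlen, const char *client_text, ...)
{
    va_list ap;
    va_start(ap, client_text);
    int n = vsnprintf(out, outlen, client_text, ap);   /* BAD: format from network */
    va_end(ap);
    return n;
}

/* Fixed pattern: a constant format; client text only ever passes through %s.
 * Returns the number of characters actually stored (excluding the NUL). */
static int log_smtp_safe(char *out, size_t outlen, const char *cmd, const char *arg)
{
    if (outlen == 0)
        return 0;
    int n = snprintf(out, outlen, "SMTP %s: %s", cmd, arg);
    if (n < 0)
        return -1;
    return (size_t)n >= outlen ? (int)outlen - 1 : n;   /* report truncation */
}

/* Log-side check: count printf-style conversions in an SMTP argument so that
 * probes such as "MAIL FROM: %n%n%n" can be flagged. "%%" is a literal '%'. */
static int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* escaped percent, not a conversion */
            p++;
            continue;
        }
        const char *q = p + 1;      /* skip flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q && strchr("diouxXeEfgGcspn", *q)) {
            count++;
            p = q;
        }
    }
    return count;
}
```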