Re: iDEFENSE Security Advisory 12.06.05: Ipswitch

["FistFucker" <FistFuXXer () gmx de>]

I know this problem since a while. It's a bug in 'SysLib.dll' that makes
calls to 'MSVCR71._vsnprintf' with user controlled data as format string.
'MSVCR71._vsnprintf' will only be called when SMTP logging is enabled and
it's disabled by default in IMail 8.21.

The following SMTP commands are affected:
  - HELO
  - EHLO
  - MAIL
  - RCPT
  - EXPN
  - AUTH CRAM-MD5 (encoded username)
  - AUTH LOGIN (encoded username)
  - AUTH PLAIN (encoded username)

I don't think it's exploitable because the user controlled string is many
thousand bytes away from the stack pointer and you can only send 512 bytes
to the SMTP daemon. This allows you to increase the stack pointer up to
2,032 bytes but the nearest user controlled memory location I could find was
still 11,840 bytes away from ESP. A memory access violation doesn't crash
the SMTP daemon but consumpts 100% CPU power.

If someone was able to exploit this, I would be interested in exploit code
or an explanation to learn from him.


-FistFucker (aka FistFuXXer)



----- Original Message ----- 
From: Chris Rogers
To: full-disclosure () lists grok org uk
Sent: Friday, December 16, 2005 9:23 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch


It's an overflow in the _vsnprintf() function. As far as I've read, this
makes your options quite limited. You can only write to data pointers passed
to you through the va_args list of the function. As far as I've seen when
messing with this vulnerability, there are no potentials for overwrites. I
see no function pointers, only text data. Just attach a debugger to
ipswitch, and send MAIL FROM: %n%n%n%n%n%n@%n%n%n%n%n.com to cause a fault
in the debugger.
Chris
----- Original Message ----- 
From: "Owen Dhu" <0wnj00 () gmail com>
To: <bugtraq () securityfocus com>; <vulnwatch () vulnwatch org>;
<full-disclosure () lists grok org uk>
Sent: Tuesday, December 13, 2005 11:07 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch
Collaboration Suite SMTP Format String Vulnerability


On 12/6/05, labs-no-reply () idefense com <labs-no-reply () idefense com> wrote:

> Ipswitch Collaboration Suite SMTP Format String Vulnerability
[...]
> Remote exploitation of a format string vulnerability in Ipswitch
> IMail allows remote attackers to execute arbitrary code.

Can iDEFENSE (or anyone else) elaborate on this? I have been working with
this for a little while and iMail doesn't seem to be exploitable in this
way.

TIA.




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/