SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
Category:  Application (Generic)  >  Jana Server Vendors:  Hauck, Thomas
Jana Server Has Multiple Buffer Overflows and Other Bugs That Allow Remote Users to Crash the Server
SecurityTracker Alert ID:  1004848
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Jul 26 2002
Impact:  Denial of service via network, Execution of arbitrary code via network, Root access via network, User access via network
Exploit Included:  Yes  
Advisory:  SECURITY.NNOV
Version(s): 2.2.1 and prior versions
Description:  Multiple vulnerabilities were reported in Jana Server. Several buffer overflows can be triggered by remote users to crash the services or possibly execute arbitrary code on the system.

In their security advisory, SECURITY.NNOV reported the following eight security vulnerabilities affecting various versions of Jana Server.

1) A buffer overflow vulnerability was reported in the HTTP server in the logging component. A remote user can trigger the overflow with the following type of HTTP request:

GET / HTTP/[buffer].0

2) The same buffer overflow reportedly exists in the HTTP proxy server that runs on TCP port 3128.

3) A buffer overflow apparently exists in the SOCKS5 service in the processing of username, password, and hostname variables. A remote user can send a SOCKS5 request containing a username, password, or hostname that is longer than 127 characters to trigger the overflow. According to the report, this is due to the invalid usage of a signed variable.
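The length handling behind item 3, as an added example that is not Jana Server's code and not part of the SECURITY.NNOV advisory: a reconstruction of the faulty signed-length check placed next to a parser for the RFC 1929 username/password subnegotiation that keeps the length unsigned and bounds it against both the destination buffer and the bytes actually received before anything is copied. FIELD_MAX (chosen to match the advisory's 127-character threshold), the struct and the function names are assumptions; the request bytes are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Jana Server code. Models the RFC 1929 username/password
 * subnegotiation that item 3 concerns: VER(1) ULEN(1) UNAME(ULEN) PLEN(1)
 * PASSWD(PLEN). FIELD_MAX is an assumed fixed-buffer limit chosen to match the
 * advisory's "longer than 127 characters" threshold. */
#define FIELD_MAX 127

struct socks5_auth {
    char user[FIELD_MAX + 1];
    char pass[FIELD_MAX + 1];
};

/* The faulty check class (a reconstruction, not the vendor's source): the wire
 * length byte lands in a signed 8-bit variable, so values 128..255 become
 * negative and pass a '> FIELD_MAX' test. A following memcpy(dst, src, len)
 * would convert the negative value to a huge size_t. Nothing is copied here;
 * the function only reports whether the check would let the length through. */
int signed_check_accepts(uint8_t wire_len) {
    signed char len = (signed char)wire_len;   /* 200 becomes -56 */
    if (len > FIELD_MAX)                       /* never true for 128..255 */
        return 0;
    return 1;
}

/* Hardened parser: lengths stay unsigned and every field is checked against
 * both the destination buffer and the bytes actually received before any copy.
 * Returns 0 on success, -1 on a malformed, truncated or oversized request. */
int parse_socks5_auth(const uint8_t *msg, size_t msg_len, struct socks5_auth *out) {
    size_t pos = 0;
    if (msg_len < 2 || msg[pos++] != 0x01)     /* VER must be 1 */
        return -1;
    uint8_t ulen = msg[pos++];
    if (ulen > FIELD_MAX || msg_len - pos < ulen)
        return -1;
    memcpy(out->user, msg + pos, ulen);
    out->user[ulen] = '\0';
    pos += ulen;
    if (msg_len - pos < 1)
        return -1;
    uint8_t plen = msg[pos++];
    if (plen > FIELD_MAX || msg_len - pos < plen)
        return -1;
    memcpy(out->pass, msg + pos, plen);
    out->pass[plen] = '\0';
    pos += plen;
    return pos == msg_len ? 0 : -1;            /* reject trailing bytes */
}

/* Builds a constructed request with a username of ulen 'u' bytes and a
 * password of plen 'p' bytes; returns its length, or 0 if buf is too small. */
size_t build_auth_request(uint8_t *buf, size_t cap, uint8_t ulen, uint8_t plen) {
    size_t need = 3 + (size_t)ulen + (size_t)plen;
    if (cap < need)
        return 0;
    buf[0] = 0x01;
    buf[1] = ulen;
    memset(buf + 2, 'u', ulen);
    buf[2 + ulen] = plen;
    memset(buf + 3 + ulen, 'p', plen);
    return need;
}

int main(void) {
    uint8_t buf[600];
    struct socks5_auth a;
    size_t n = build_auth_request(buf, sizeof buf, 200, 5);
    printf("signed check accepts ULEN=200: %d\n", signed_check_accepts(200));
    printf("hardened parser on ULEN=200: %d\n", parse_socks5_auth(buf, n, &a));
    n = build_auth_request(buf, sizeof buf, 10, 5);
    printf("hardened parser on ULEN=10: %d (user=%s)\n",
           parse_socks5_auth(buf, n, &a), a.user);
    return 0;
}
```

The signed variant never rejects a 200-byte username because the comparison sees -56; the hardened parser rejects it outright and also refuses requests whose declared lengths run past the bytes received, which is the case to watch for in a gateway that reads from a socket in pieces.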

4) The POP3 gateway also contains a buffer overflow in the logging component. This overflow can reportedly be triggered by a large reply from a POP3 server:

+OK [buffer]

5) The SMTP gateway contains a similar buffer overflow to the one in the POP3 gateway logging function. A large response from an SMTP server could trigger the overflow:

nnn [buffer]
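The logging-component pattern shared by items 1, 2, 4 and 5, as an added example that is not Jana Server's code: a peer-supplied string (an HTTP version token, a "+OK ..." POP3 reply, an "nnn ..." SMTP reply) goes into a fixed log buffer through a template. The block shows the arithmetic an unbounded "%s" never does, a formatter that bounds the line with snprintf and the field with the "%.255s" precision the advisory's Texte.dat workaround substitutes, and a gateway-side reply check against the protocol maximum. LOG_BUF, the function names and the sample reply are assumptions constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Jana Server code. LOG_BUF is an assumed fixed log buffer
 * size; REPLY_MAX is the maximum reply line RFC 1939 (POP3) and RFC 5321
 * (SMTP) allow, CRLF included. */
#define LOG_BUF   256
#define REPLY_MAX 512

/* Would sprintf(line, "%s%s", prefix, field) overrun a LOG_BUF-byte buffer?
 * This is the check an unbounded %s never performs; the call itself is not
 * made here because it would corrupt the stack. */
int unbounded_copy_overflows(const char *prefix, const char *field) {
    return strlen(prefix) + strlen(field) + 1 > LOG_BUF;
}

/* Hardened formatter. snprintf bounds the whole line, and the %.255s precision
 * (what the advisory's Texte.dat workaround puts in place of %s) bounds the
 * copied field on its own, so the template stays safe even through a plain
 * sprintf. Returns the number of characters stored; *truncated is set when
 * any part of the input was cut. */
int format_log_line(char *line, size_t cap, const char *prefix,
                    const char *field, int *truncated) {
    if (cap == 0) {
        *truncated = 1;
        return 0;
    }
    int n = snprintf(line, cap, "%s%.255s", prefix, field);
    if (n < 0) {
        line[0] = '\0';
        *truncated = 1;
        return 0;
    }
    *truncated = (size_t)n >= cap || strlen(field) > 255;
    return (size_t)n >= cap ? (int)(cap - 1) : n;
}

/* Gateway-side sanity check applied to a server reply before it is acted on or
 * logged: protocol-maximum length and the expected status prefix. */
int reply_line_acceptable(const char *reply, int is_pop3) {
    size_t len = strlen(reply);
    if (len == 0 || len > REPLY_MAX)
        return 0;
    if (is_pop3)
        return strncmp(reply, "+OK", 3) == 0 || strncmp(reply, "-ERR", 4) == 0;
    /* SMTP: three digits, then a space, a '-' for continuation lines, or end */
    return len >= 3
        && isdigit((unsigned char)reply[0]) && isdigit((unsigned char)reply[1])
        && isdigit((unsigned char)reply[2])
        && (len == 3 || reply[3] == ' ' || reply[3] == '-');
}

int main(void) {
    /* Constructed oversized reply: "+OK " followed by 400 'A's. */
    char reply[REPLY_MAX + 100];
    memset(reply, 'A', sizeof reply);
    memcpy(reply, "+OK ", 4);
    reply[404] = '\0';
    char line[LOG_BUF];
    int truncated;
    printf("protocol check accepts it: %d\n", reply_line_acceptable(reply, 1));
    printf("unbounded %%s would overflow: %d\n",
           unbounded_copy_overflows("POP3 reply: ", reply));
    int n = format_log_line(line, sizeof line, "POP3 reply: ", reply, &truncated);
    printf("bounded write stored %d bytes, truncated=%d\n", n, truncated);
    return 0;
}
```

Note that the 404-byte reply passes the protocol length check and would still overrun a 256-byte log buffer, so the reply check limits what the gateway accepts from a server while the bounded template is what actually protects the buffer; both are needed, and the truncated flag gives the log itself a record that something oversized arrived.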

6) A vulnerability in the FTP server can be used by a remote user to create denial of service conditions. According to the report, the FTP server allocates a new TCP port each time it receives a PASV command without closing the previously allocated port. A remote authenticated user (including anonymous users) can consume all available TCP ports on the system.
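The PASV resource leak in item 6, as an added example that is not Jana Server's code: a model of the per-session data-listener handling, with a leaky handler that takes a fresh port on every PASV and a fixed one that releases the listener a previous PASV left behind first. The port pool (POOL_SIZE ports from BASE_PORT) is a constructed stand-in for the system's ephemeral range, so exhaustion shows after a handful of commands rather than tens of thousands; all names are assumptions.

```c
#include <stdio.h>

/* Added example, not Jana Server code. A tiny constructed port pool stands in
 * for the operating system's ephemeral port range. */
#define BASE_PORT 50000
#define POOL_SIZE 8

static int pool_used[POOL_SIZE];

/* Allocates the lowest free port, or -1 when the pool is exhausted. */
int pool_alloc(void) {
    for (int i = 0; i < POOL_SIZE; i++)
        if (!pool_used[i]) { pool_used[i] = 1; return BASE_PORT + i; }
    return -1;
}

void pool_release(int port) {
    int i = port - BASE_PORT;
    if (i >= 0 && i < POOL_SIZE) pool_used[i] = 0;
}

void pool_reset(void) {
    for (int i = 0; i < POOL_SIZE; i++) pool_used[i] = 0;
}

int ports_in_use(void) {
    int n = 0;
    for (int i = 0; i < POOL_SIZE; i++) n += pool_used[i];
    return n;
}

struct ftp_session {
    int data_port;     /* listener for the pending data connection, -1 if none */
    int pasv_count;    /* PASV commands seen; a usable per-session alarm counter */
};

void session_init(struct ftp_session *s) { s->data_port = -1; s->pasv_count = 0; }

/* The behaviour the advisory describes: each PASV takes a fresh port and the
 * previous one is simply forgotten, never closed. */
int pasv_leaky(struct ftp_session *s) {
    int port = pool_alloc();
    if (port < 0) return -1;
    s->data_port = port;
    s->pasv_count++;
    return port;
}

/* Fixed handler: release the listener an earlier PASV left behind before
 * taking a new one, so a session can never hold more than one. */
int pasv_fixed(struct ftp_session *s) {
    if (s->data_port >= 0) { pool_release(s->data_port); s->data_port = -1; }
    int port = pool_alloc();
    if (port < 0) return -1;
    s->data_port = port;
    s->pasv_count++;
    return port;
}

/* Releases whatever the session still holds when the control connection ends. */
void session_close(struct ftp_session *s) {
    if (s->data_port >= 0) pool_release(s->data_port);
    s->data_port = -1;
}

int main(void) {
    struct ftp_session s;
    int n = 0;
    pool_reset();
    session_init(&s);
    while (pasv_leaky(&s) >= 0) n++;
    printf("leaky handler: pool exhausted after %d PASV commands, %d ports held\n",
           n, ports_in_use());
    pool_reset();
    session_init(&s);
    for (int i = 0; i < 3 * POOL_SIZE; i++) pasv_fixed(&s);
    printf("fixed handler: %d PASV commands, %d port held\n", s.pasv_count, ports_in_use());
    return 0;
}
```

With the leaky handler one session drains the pool and closing that session frees only its last port; with the fixed handler the same session holds one port no matter how many PASV commands it sends. The pasv_count field is the kind of value a monitoring rule can key on, since a session issuing PASV far more often than it opens data connections is the signature of this condition.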

7) The POP3 service returns different information in response to an invalid username versus an invalid password. Also, the service allows for an unlimited number of authentication attempts. A remote user can conduct a brute force password guessing attack without limitation.

8) Finally, in earlier versions of Jana Server (1.46 and prior), there is apparently an array index overrun in the POP3 server. The POP3 server reportedly does not check whether the message index is valid. A remote user can send certain mailbox commands with an invalid message index number to cause the server to crash. Jana Server 2.2.1 is reportedly not vulnerable to this flaw. A demonstration exploit command is shown below:

RETR 1000000
or
DELE 1000000
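The two POP3 server-side fixes that items 7 and 8 call for, as one added example that is not Jana Server's code: a minimal command handler in which USER is always acknowledged and PASS returns one generic error whichever part was wrong, failed attempts are counted and the connection is flagged for closing after a limit, and RETR/DELE parse the message number strictly and accept only an index within the mailbox for a message not already deleted, so "RETR 1000000" and "DELE 1000000" are answered with an error rather than an out-of-bounds access. The account, the mailbox contents, MAX_AUTH_FAILS and the function names are constructed assumptions.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Jana Server code. The account and mailbox below are
 * constructed; a real server would consult its own store (and compare a
 * password hash rather than the plaintext used here for brevity). */
#define MAX_AUTH_FAILS 3
#define MSG_COUNT 3

static const char *MESSAGES[MSG_COUNT] = { "first message", "second message", "third message" };
static const char *VALID_USER = "alice";
static const char *VALID_PASS = "correct horse";

struct pop3_session {
    char user[64];
    int authed;
    int auth_fails;          /* consecutive failures on this connection */
    int drop;                /* set when the server should close the connection */
    int deleted[MSG_COUNT];  /* messages marked by DELE in this session */
};

void session_init(struct pop3_session *s) { memset(s, 0, sizeof *s); }

/* Item 7: USER never reveals whether the name exists, PASS gives one generic
 * error for a bad name or a bad password, and failures are limited. */
static const char *cmd_user(struct pop3_session *s, const char *arg) {
    snprintf(s->user, sizeof s->user, "%s", arg);
    return "+OK";
}

static const char *cmd_pass(struct pop3_session *s, const char *arg) {
    if (strcmp(s->user, VALID_USER) == 0 && strcmp(arg, VALID_PASS) == 0) {
        s->authed = 1;
        s->auth_fails = 0;
        return "+OK";
    }
    if (++s->auth_fails >= MAX_AUTH_FAILS)
        s->drop = 1;
    return "-ERR authentication failed";
}

/* Item 8: parse the message number strictly and accept only 1..MSG_COUNT for
 * a message not already deleted. Returns the 0-based index or -1. */
int message_index(const struct pop3_session *s, const char *arg) {
    char *end;
    if (!isdigit((unsigned char)arg[0]))
        return -1;
    errno = 0;
    unsigned long v = strtoul(arg, &end, 10);
    if (errno == ERANGE || *end != '\0' || v < 1 || v > MSG_COUNT)
        return -1;
    if (s->deleted[v - 1])
        return -1;
    return (int)(v - 1);
}

/* Handles one command line such as "RETR 2" and returns the response; out is
 * used only for responses that carry message data. */
const char *pop3_command(struct pop3_session *s, const char *line, char *out, size_t cap) {
    char verb[8] = {0};
    const char *p = line;
    while (*p == ' ') p++;
    sscanf(p, "%7s", verb);
    const char *arg = p + strlen(verb);
    while (*arg == ' ') arg++;

    if (strcmp(verb, "USER") == 0) return cmd_user(s, arg);
    if (strcmp(verb, "PASS") == 0) return cmd_pass(s, arg);
    if (!s->authed) return "-ERR not authenticated";

    if (strcmp(verb, "RETR") == 0 || strcmp(verb, "DELE") == 0) {
        int i = message_index(s, arg);
        if (i < 0)
            return "-ERR no such message";   /* covers RETR 1000000 and DELE 1000000 */
        if (verb[0] == 'D') { s->deleted[i] = 1; return "+OK"; }
        snprintf(out, cap, "+OK %zu octets\r\n%s\r\n.", strlen(MESSAGES[i]), MESSAGES[i]);
        return out;
    }
    return "-ERR unknown command";
}

int main(void) {
    struct pop3_session s;
    char out[256];
    session_init(&s);
    printf("%s\n", pop3_command(&s, "USER alice", out, sizeof out));
    printf("%s\n", pop3_command(&s, "PASS correct horse", out, sizeof out));
    printf("%s\n", pop3_command(&s, "RETR 1000000", out, sizeof out));
    printf("%s\n", pop3_command(&s, "RETR 2", out, sizeof out));
    return 0;
}
```

The drop flag is what the connection loop would act on; it also gives the server a natural place to log the source address of a session that hit the limit, which is the event a detection rule for password guessing against the gateway should key on.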

According to the advisory, Jana Server may run as a service with System-level privileges on Windows NT. The report does not indicate whether or not the buffer overflow vulnerabilities can result in the execution of arbitrary code.

The vendor has reportedly been notified.

Impact:  A remote user can cause various services to crash. A remote user can consume all available TCP sockets on the system, denying service to other users.

The report does not indicate whether a remote user may be able to execute arbitrary code on the system or not.

Solution:  No solution was available at the time of this entry.
Vendor URL:  www.janaserver.de/
Cause:  Boundary error, State error
Underlying OS:  Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Fri, 26 Jul 2002 10:58:33 -0400
Subject:  Multiple vulnerabilities in JanaServer

 

http://www.security.nnov.ru/advisories/jana.asp

Title:                  Multiple vulnerabilities in JanaServer
Author:                 ZARAZA <3APA3A@security.nnov.ru>
Date:                   July, 22 2002
Affected:               JanaServer 2.2.1 and prior
                        JanaServer 1.46 and prior
Vendor:                 Thomas Hauck <hilfe@janaserver.de>
Risk:                   High (critical if some services, for example
                        HTTP, are available from public interface)
Remote:                 yes
Exploitable:            yes
Vendor notified:        July, 18 2002
Product URL:            http://www.janaserver.com
SECURITY.NNOV URL:      http://www.security.nnov.ru
Advanced info:         
http://www.security.nnov.ru/search/news.asp?binid=2171


I. Introduction:

JanaServer is Internet gateway software for the Windows platform that can act as
an HTTP/FTP/NEWS/SNTP server, SOCKS4/SOCKS5/HTTP/FTP/TELNET/Real Audio
proxy, e-mail gateway and port mapper. JanaServer up to 1.46 was
freeware; JanaServer 2.0 and above is shareware. It is intensively used
in SOHO networks. Under NT platforms it runs as a service with system
privileges.

II. Details:

8 vulnerabilities were identified:

1. HTTP server buffer overflow.

GET / HTTP/[buffer].0

causes an overflow in the logging component

2. HTTP proxy buffer overflow

The same overflow in the HTTP proxy server running on TCP/3128.

3. Socks5 Username/Password/Hostname signed/unsigned buffer overflow

A username, password or hostname in a SOCKS5 request longer than 127
characters causes a buffer overflow because of invalid usage of a signed
variable.

4. POP3 gateway buffer overflow.

An oversized reply from the POP3 server

+OK [buffer]

causes a buffer overflow in the logging component.

5. SMTP gateway buffer overflow

The same overflow in the SMTP server response:

nnn [buffer]

6. FTP server PASV system-wide DoS

On an FTP PASV command the server allocates a TCP port without closing the
previously allocated port. It makes it possible to consume all TCP ports
available in the system.

7. POP3 username/password bruteforce

The POP3 gateway gives different diagnostics for valid and invalid usernames
and allows an unlimited number of authentication attempts. It makes it
easy to bruteforce the username/password.

8. POP3 array index overrun (JanaServer <= 1.46)

During mailbox commands there is no check that the message index is valid. For
example

RETR 1000000
or
DELE 1000000

will cause the server to crash. JanaServer 2.2.1 is not vulnerable.

III. Workarounds:

1. Disable HTTP logging
2. Disable HTTP proxy logging
3. Disable socks proxy
4,5. Edit Texte.dat file, replace all occurrences of "%s" to "%.255s" in
lines numbered from 300 to 455.
6. Disable FTP server
7,8. Disable mail gateway

IV. Vendor and solution:

Vendor was informed on July, 18 2002. Vendor claims all bugs are fixed.
No reply from vendor since July, 19 2002. There is no information about a
fixed version available on the product's site.


 


Copyright 2002, SecurityGlobal.net LLC