BaSoMail Server Can Be Crashed By Remote Users and Also Discloses Passwords to Local Users
|
|
SecurityTracker Alert ID: 1006863
|
|
CVE Reference: GENERIC-MAP-NOMATCH
|
Date: May 28 2003
|
Impact: Denial of service via network, Disclosure of authentication information, Execution of arbitrary code via network, User access via network
|
Exploit Included: Yes
|
Version(s): 1.24
|
Description: Ziv Kamir reported several vulnerabilities in BaSoMail. A remote user can cause the system to crash. A local user can view e-mail passwords.
BaSoMail was formerly known as "MailServer by SH39." According to the report, the server stores e-mail passwords in plaintext on the system, where a local user can view them. Usernames and passwords are reportedly stored in the '\Program Files\BaSoMail\MailServer.dba' file.
It is also reported that a remote authenticated user can trigger a denial of service condition in the POP3 service by sending a LIST command with a negative integer parameter, followed by a DELE command with a negative integer parameter, followed by the QUIT command. The entire application will crash.
It is also reported that a remote user can trigger a buffer overflow in the SMTP server, causing the server to crash, by sending a large amount of data with the "HELO", "MAIL FROM", or "RCPT TO" commands. A buffer size of approximately 2100 bytes is required to cause the crash, and the affected command must be repeated 7 or 8 times to trigger the overflow. The report did not indicate whether a remote user can execute arbitrary code.
The vendor has reportedly been notified (on 28/05/2003).
|
Impact: A remote user can cause the mail service to crash.
A local user can view user passwords.
|
Solution: No solution was available at the time of this entry.
|
Vendor URL: www.baso.no/load.asp?id=4
|
Cause: Access control error, Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: Ziv Kamir <vulncode@yahoo.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 28 May 2003 08:55:08 -0700 (PDT)
From: Ziv Kamir <vulncode@yahoo.com>
Subject: Vulnerability in the BaSoMail 1.24 (Former "MailServer by SH39")
|
Hi,
Attached is a TXT file with the explanation.
28/05/03
Ziv Kamir
---------
-------------------------------------------------------
Application: BaSoMail 1.24 (Former "MailServer by SH39")
Web Site: http://www.baso.no/load.asp?id=4
Versions: 1.24
Platform: Windows
Bugs:
1) Clear Text Password Storage Vulnerability.
2) A denial of service vulnerability in the POP3 service.
3) A Buffer Overflow vulnerability in the SMTP service.
Credits:
########
#################################
# #
# Ziv Kamir #
# #
# Email : vulncode@yahoo.com #
# #
# #
#################################
---------------------
1) Introduction
2) Bug
3) The Code
4) Fix
===============
1) Introduction
===============
BaSoMail is a fully functional SMTP/POP3 server for Windows 95/98/ME/NT/2000/XP, which will let your computer turn into an email server
system. It's compact and does not have any specific requirements.
=======
2) Bug
=======
----------------------------------------------------------------------------------------------------- ---------------------
1)
BaSoMail Server stores all usernames and passwords in the file \Program Files\BaSoMail\MailServer.dba in clear text. If a malicious
user were to gain access to this file, they would have a list of all usernames and their associated passwords.
----------------------------------------------------------------------------------------------------- ---------------------
2)
Any remote authenticated user connected to the POP3 server can kill BaSoMail by sending a LIST command with a negative integer, then
a DELE command with a negative integer, and then the QUIT command.
The application will crash.
----------------------------------------------------------------------------------------------------- ----------------------
3)
Any remote attacker can kill BaSoMail by sending a large amount of data in the "HELO", "MAIL FROM" or "RCPT TO" command. The buffer will
overflow.
----------------------------------------------------------------------------------------------------- ----------------------
===========
3) The Code
===========
Pop3
====
# Telnet The_POP3_Server_IP_Address 110
+OK Welcome to BaSoMail (www.BaSo.no)
user XXXX
+OK
pass XXXX
+OK Access granted
list -0
dele -0000
quit
SMTP
====
# Telnet The_SMTP_Server_IP_Address 25
220 Welcome to BaSoMail (www.BaSo.no)
HELO <ccccc....[Buffer size 2100 Bytes]>
Or
Mail From : <ccccc....[Buffer size 2100 Bytes @xyz.com]>
Or
Rcpt to : <ccccc....[Buffer size 2100 Bytes @xyz.com]>
Quit
You should repeat the process 7 to 8 times before the buffer will overflow.
======
4) Fix
======
Date of Vendor Notification:
28/05/03
Status:
===========================================================
*** The Data is for educational purpose only. ***
===========================================================
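Added example (not part of the original alert or of Ziv Kamir's report): a line-level screen that a filtering proxy placed in front of the mail server could apply to the two network conditions described above. The 512-octet SMTP limit and the positive message-number rule come from RFC 5321 and RFC 1939; the function names and sample sessions are constructed for illustration, and the check covers RETR and UIDL as well as the LIST and DELE commands named in the report.

```python
import re

# Limits come from the protocol specifications, not from the BaSoMail report:
# RFC 5321 caps an SMTP command line at 512 octets including CRLF, and
# RFC 1939 message numbers are positive decimal integers.
SMTP_MAX_LINE = 512
SMTP_VERB = re.compile(rb"\s*(HELO|EHLO|MAIL\s+FROM|RCPT\s+TO)\b", re.I)
POP3_MSG_CMDS = {"LIST", "DELE", "RETR", "UIDL"}  # each takes one message number

def check_smtp_line(raw):
    """Return a rejection reason for an over-long SMTP command line, else None."""
    if len(raw) <= SMTP_MAX_LINE:
        return None
    m = SMTP_VERB.match(raw)
    verb = " ".join(m.group(1).decode().upper().split()) if m else "OTHER"
    return f"{verb}: {len(raw)} octets exceeds {SMTP_MAX_LINE}"

def check_pop3_line(raw):
    """Return a rejection reason for a bad message-number argument, else None."""
    parts = raw.split()
    if not parts:
        return None
    cmd = parts[0].decode("ascii", "replace").upper()
    if cmd not in POP3_MSG_CMDS:
        return None
    if len(parts) > 2:
        return f"{cmd}: too many arguments"
    for arg in parts[1:]:
        # Digits only (no sign), bounded length, and non-zero.
        if not re.fullmatch(rb"[0-9]{1,10}", arg) or int(arg) == 0:
            shown = arg.decode("ascii", "replace")
            return f"{cmd}: {shown!r} is not a positive message number"
    return None

def screen(lines, proto):
    """Return (line_number, reason) for every client line a filter would drop."""
    check = check_smtp_line if proto == "smtp" else check_pop3_line
    return [(n, why) for n, line in enumerate(lines, 1) if (why := check(line))]

# Constructed client input modelled on the two network conditions in the alert.
POP3_SAMPLE = [b"USER alice\r\n", b"PASS secret\r\n", b"LIST\r\n",
               b"LIST -0\r\n", b"DELE -0000\r\n", b"DELE 2\r\n", b"QUIT\r\n"]
SMTP_SAMPLE = [b"HELO mail.example.org\r\n", b"HELO " + b"c" * 2100 + b"\r\n",
               b"MAIL FROM:<bob@example.org>\r\n",
               b"RCPT TO:<" + b"c" * 2100 + b"@example.org>\r\n"]

if __name__ == "__main__":
    for proto, sample in (("pop3", POP3_SAMPLE), ("smtp", SMTP_SAMPLE)):
        for n, why in screen(sample, proto):
            print(proto, n, why)
```

Dropping the flagged line before it reaches the server also covers the repeated-command condition, since each oversize line is rejected on its own.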