SecurityTracker.com
SecurityTracker Archives
Category:   Application (E-mail Server)  >   SurgeMail
Vendors:   NetWin
SurgeMail Format String and Heap Overflow May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1019500
SecurityTracker URL:  http://securitytracker.com/id/1019500
CVE Reference:   CVE-2008-1054, CVE-2008-1055
Updated:  Mar 6 2008
Original Entry Date:  Feb 25 2008
Impact:   Execution of arbitrary code via network, User access via network
Exploit Included:  Yes  
Version(s): 38k4 and prior versions
Description:   A vulnerability was reported in SurgeMail. A remote user may be able to execute arbitrary code on the target system.

A remote user can send a specially crafted 'page' parameter to the web mail service (webmail.exe) to trigger a format string flaw and potentially execute arbitrary code on the target system.

A demonstration exploit URL is provided:

http://[target]/scripts/webmail.exe?page=%n%n%n%s%s%s%s

A remote user can trigger a heap overflow in the processing of CGI environment strings and potentially execute arbitrary code on the target system. The swatch process is also affected.

A demonstration exploit is available at:

http://aluigi.org/poc/surgemailz.zip

Luigi Auriemma reported this vulnerability.

Impact:   A remote user may be able to execute arbitrary code on the target system.
Solution:   No solution was available at the time of this entry.
Vendor URL:  netwinsite.com/surgemail/
Cause:   Boundary error, Input validation error, State error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Subject:  Format string and buffer-overflow in SurgeMail 38k4


#######################################################################

                             Luigi Auriemma

Application:  SurgeMail Mail Server
                http://netwinsite.com/surgemail/
              Netwin's WebMail
                http://netwinsite.com/webmail/
Versions:     SurgeMail <= 38k4 and beta 39a
              Netwin's WebMail <= 3.1s (only bug A)
Platforms:    Windows, Linux, FreeBSD, MacOSX and Solaris
Bugs:         A] format string in webmail.exe's page command
              B] buffer-overflow in the building of environment strings
Exploitation: remote
Date:         25 Feb 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


SurgeMail is a well known commercial multiplatform mail server which
supports many protocols.


#######################################################################

=======
2) Bugs
=======

----------------------------------------------
A] format string in webmail.exe's page command
----------------------------------------------

The CGI used for the handling of the webmail interface (webmail.exe) is
affected by a format string vulnerability in the function which builds
the error message when a wrong page is requested and passes it directly
to lvprintf without the needed format argument:

  "TPL: Failed to Locate Template {c:\surgemail\webmail\panel\%s%s%s%s%s%s.tpl}{2=No such file or directory}"

Sample URL for exploiting the vulnerability:

  http://SERVER/scripts/webmail.exe?page=%n%n%n%s%s%s%s
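As an added example (not code from the advisory or from SurgeMail), the vulnerable call shape beside the hardened one in C. lvprintf_stub and the exact message layout are constructed stand-ins, since the advisory shows only the resulting string; count_format_directives is a hypothetical review helper.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_DIR "c:\\surgemail\\webmail\\panel\\"

/* Stand-in (constructed) for the server's printf-style logger lvprintf,
 * whose real signature the advisory does not show: the argument after
 * the output buffer is a format string. */
static int lvprintf_stub(char *out, size_t outsz, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, outsz, fmt, ap);
    va_end(ap);
    return n;
}

/* Builds the "Failed to Locate Template" message around the client's
 * page name and logs it. The vulnerable shape described in the advisory is
 *     lvprintf_stub(out, outsz, msg);   // msg becomes the format string
 * so a page name holding %n or %s is interpreted. Hardened shape: the
 * message is only ever a "%s" argument, so it is copied, never parsed. */
int log_template_error(char *out, size_t outsz, const char *page, int err)
{
    char msg[512];
    snprintf(msg, sizeof msg,
             "TPL: Failed to Locate Template {%s%s.tpl}{%d=%s}",
             TEMPLATE_DIR, page, err, "No such file or directory");
    return lvprintf_stub(out, outsz, "%s", msg);
}

/* Review aid: counts the live conversions in a string. Anything that
 * reaches a printf-family format argument should score zero unless it
 * is a compile-time literal. "%%" is a literal percent, not a directive. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}
```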


---------------------------------------------------------
B] buffer-overflow in the building of environment strings
---------------------------------------------------------

A buffer overflow vulnerability is located in the function which
handles the real CGI executables (which must not be confused with the
.cgi virtual files like user.cgi, admin.cgi and so on).
When the server receives an HTTP request for a real CGI (like, for
example, webmail.exe) it uses a buffer of about 20000 bytes for storing
all the environment strings which will be passed to the called program.
The HTTP fields passed by the client in his request are truncated at
200 bytes for the parameter and 800 for its value and are added as
environment variables (HTTP_parameter=value).
The lack of checks on the size of this environment buffer leads to a
buffer overflow; although it is possible to control some registers,
code execution is not certain.

Naturally both the surgemail and the swatch (port 7027) processes are
affected by this vulnerability.
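As an added example (not the server's code), a bounded environment-block builder in C that keeps the per-entry truncation the advisory describes and adds the missing check on the total; the block size is shrunk from the advisory's ~20000 bytes to a constructed 2048 so a test fills it quickly, and the entry format HTTP_parameter=value follows the advisory.

```c
#include <stdio.h>
#include <string.h>

/* Limits named in the advisory: header names are cut at 200 bytes and
 * values at 800, then copied into one environment block of roughly
 * 20000 bytes. The block is shrunk here (constructed) so a test fills it. */
#define ENV_BLOCK_SIZE 2048
#define MAX_NAME  200
#define MAX_VALUE 800

struct env_block {
    char   buf[ENV_BLOCK_SIZE];
    size_t used;            /* bytes consumed, each entry's NUL included */
};

/* Appends "HTTP_<name>=<value>\0" for one request header. Per-entry
 * truncation (as in the server) bounds each entry but not their sum, so
 * enough headers still overrun the block; the check on `used` below is
 * the one the advisory reports missing. Returns 0 on success, -1 when
 * the entry would not fit. */
int env_append_header(struct env_block *e, const char *name, const char *value)
{
    char entry[sizeof "HTTP_" + MAX_NAME + 1 + MAX_VALUE];
    int len = snprintf(entry, sizeof entry, "HTTP_%.*s=%.*s",
                       MAX_NAME, name, MAX_VALUE, value);
    if (len < 0 || (size_t)len + 1 > ENV_BLOCK_SIZE - e->used)
        return -1;
    memcpy(e->buf + e->used, entry, (size_t)len + 1);
    e->used += (size_t)len + 1;
    return 0;
}

/* Feeds `count` maximum-size headers and returns how many were accepted
 * before the block filled; e->used never exceeds ENV_BLOCK_SIZE. */
int fill_with_max_headers(struct env_block *e, int count)
{
    char name[MAX_NAME + 1], value[MAX_VALUE + 1];
    memset(name, 'x', MAX_NAME);   name[MAX_NAME] = '\0';
    memset(value, 'v', MAX_VALUE); value[MAX_VALUE] = '\0';
    int accepted = 0;
    for (int i = 0; i < count; i++)
        accepted += (env_append_header(e, name, value) == 0);
    return accepted;
}
```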


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/surgemailz.zip


#######################################################################

======
4) Fix
======


No fix


#######################################################################


--- 
Luigi Auriemma
http://aluigi.org