COMMAND

    Netmanage software

SYSTEMS AFFECTED

    Win 9x, NT 3.51, 4.0

PROBLEM

    Anton Rager found the following vulnerabilities.  All seem to exist in
    the older Chameleon 4.5 as well as the newer Unixlink 97 tools.  Most
    of the testing was done with NetCat for NT on NT 3.51 and 4.0.

    Notes:  Anything listed as a 'Buffer Overflow' means that an NT
    Dr.Watson message was produced with the 'Exception: access violation'
    message.  This may or may not be an exploitable buffer overflow
    condition, but it definitely looks like the programs are not always
    doing sanity checks on user input.

    1 - FTP server.   You must have at  least one user defined  on the
        server.
        -- Buffer  overflows with  username. Username  needs more than
           150 chars to overrun.  Very similar to the WAR FTPd probs.
        -- passwd with lots of chars causes a 'local error processing'
           to scroll on the screen.

    2 - HTTP server [personal web server].  Not sure what exactly is
        happening here, but if a URL request longer than 519 chars is
        submitted to the server, it spontaneously unloads and never
        produces an error message.  Example:

        GET more_than_519_characters<cr><cr>


    3 - Email/Zmail  -- The email  package comes with  both client and
        server functions.  POP3d and SMTPd are enabled while the email
        client is active.

        POP3d
        -- buffer overflow with 'USER username' and username over  152
           chars
        -- buffer overflow  with 'PASS passwd'  and password over  104
           chars
        -- buffer  overflows  with  all  of the commands [list,  retr,
           dele, quit].

        You don't even have to log in.  Even QUIT with a bunch of garbage
        after it will cause the POP3d to crash.

        SMTPd
        -- buffer overflow with 'HELO hostname' and hostname over  471
           chars.
        -- buffer overflow with 'HELP topic' and topic over 514 chars.

    4 - Finger client -- If you set up netcat to listen on the finger
        port and send back a reply of over 257 chars to any finger
        request from the Chameleon client, an overflow will occur at
        the finger client.  Strange, but who really uses finger anyway?

    These are the only utilities that have been tested, but they all
    seem to have problems with validity checks.  They are definitely
    DoS bugs.
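    The common thread in items 1 to 4 is that user input is copied into
    a fixed-size buffer without a length check first.  The following C
    program is an added example, not NetManage's code, of the kind of
    bounded command parser that rejects an over-long FTP/POP3/SMTP/HTTP
    command line (such as the 150-plus-character USER or the garbage-laden
    QUIT above) with an error instead of crashing.  The limits it uses are
    the RFC 1939 POP3 argument length (40 characters) and the RFC 821 SMTP
    command-line length (512 octets); MAX_ARG, the function names and the
    constructed sample inputs are assumptions of this example.

```c
/* Added example (not NetManage's code): a bounded "VERB argument" line
 * parser of the kind the advisory says these daemons lack.  Every copy
 * is length-checked before it happens, so an over-long line or argument
 * produces a status code, never an access violation. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LINE 512   /* RFC 821: SMTP command line incl. CRLF <= 512 octets */
#define MAX_VERB 8     /* assumption: longest verb we accept */
#define MAX_ARG  256   /* assumption: absolute cap on any argument */

enum parse_status {
    PARSE_OK = 0,
    PARSE_LINE_TOO_LONG,
    PARSE_ARG_TOO_LONG,
    PARSE_BAD_VERB,
    PARSE_EMPTY
};

struct command {
    char verb[MAX_VERB + 1];   /* upper-cased keyword, NUL-terminated */
    char arg[MAX_ARG + 1];     /* raw argument text, NUL-terminated */
};

/* Parse one line of at most `len` bytes into `out`.  `arg_limit` is the
 * per-command argument cap (e.g. 40 for POP3 USER/PASS).  The function
 * never reads past `line + len` and never writes past the struct. */
enum parse_status parse_command(const char *line, size_t len,
                                size_t arg_limit, struct command *out)
{
    size_t i = 0, n = 0;
    memset(out, 0, sizeof *out);
    if (arg_limit > MAX_ARG) arg_limit = MAX_ARG;

    /* Reject the whole line before touching any buffer. */
    if (len > MAX_LINE) return PARSE_LINE_TOO_LONG;

    /* Strip trailing CR/LF. */
    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n')) len--;
    if (len == 0) return PARSE_EMPTY;

    /* Keyword: letters only, bounded copy. */
    while (i < len && line[i] != ' ') {
        if (n >= MAX_VERB || !isalpha((unsigned char)line[i])) return PARSE_BAD_VERB;
        out->verb[n++] = (char)toupper((unsigned char)line[i]);
        i++;
    }
    if (n == 0) return PARSE_BAD_VERB;
    out->verb[n] = '\0';

    while (i < len && line[i] == ' ') i++;   /* skip the separator */

    /* Argument: whatever remains, checked against the cap before copying. */
    if (len - i > arg_limit) return PARSE_ARG_TOO_LONG;
    memcpy(out->arg, line + i, len - i);
    out->arg[len - i] = '\0';
    return PARSE_OK;
}

/* Parse a NUL-terminated line and return only the status. */
int check_line(const char *line, size_t arg_limit)
{
    struct command c;
    return (int)parse_command(line, strlen(line), arg_limit, &c);
}

/* Return 1 if the line parses OK and yields the expected verb/argument. */
int parse_matches(const char *line, size_t arg_limit,
                  const char *verb, const char *arg)
{
    struct command c;
    if (parse_command(line, strlen(line), arg_limit, &c) != PARSE_OK) return 0;
    return strcmp(c.verb, verb) == 0 && strcmp(c.arg, arg) == 0;
}

/* Mirror the advisory's test: "USER " followed by n x 'A'.  Constructed
 * input; a username beyond the limit must be rejected, not copied. */
int check_long_user(size_t n)
{
    static char buf[MAX_LINE * 2];
    if (n + 6 >= sizeof buf) return -1;
    memcpy(buf, "USER ", 5);
    memset(buf + 5, 'A', n);
    buf[5 + n] = '\0';
    return check_line(buf, 40);   /* RFC 1939: POP3 arguments up to 40 chars */
}

int main(void)
{
    printf("USER bob          -> %d\n", check_line("USER bob", 40));
    printf("USER + 160 x 'A'  -> %d\n", check_long_user(160));
    printf("USER + 600 x 'A'  -> %d\n", check_long_user(600));
    printf("QUIT garbage      -> %d\n", check_line("QUIT garbage", 0));
    return 0;
}
```

    Status 0 is PARSE_OK; the over-long username comes back as
    PARSE_ARG_TOO_LONG and the 600-character line as PARSE_LINE_TOO_LONG,
    which is the point where a real daemon should send its error reply
    and drop the connection.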

SOLUTION

    Netmanage has a separate Z-Mail product for Unix, but it doesn't
    seem to have the same features/problems as the Email/Z-Mail
    package that comes with their Windows based software.  The Unix
    version does not include SMTP/POP3 server daemons like the Windows
    version [at least Z-Mail Lite doesn't].  It's strictly a POP/IMAP
    client.

    Netmanage support indicated that  the Personal Web Server  [httpd]
    and the Finger client are no longer supported software.