COMMAND
InetServer
SYSTEMS AFFECTED
AVTronics InetServer
PROBLEM
Following is based on a Strumpf Noir Society Advisories.
AVTronics InetServer is a freeware product suite for MS Windows,
bundling such services as SMTP, POP3, Daytime and Telnet in one
product.
Like so many products offering this, the optional webmail
interface bundled with this product features some flaws which
could severely degrade system security.
If the port on which the webmail daemon listens receives a buffer
of approximately 800 bytes or more, the InetServer process will
die. This could be (ab)used to execute a Denial of Service attack
against the server.
The second problem has the same basis as the DoS, namely the
webmail interface, but poses a more severe threat to the system
since the contents of the buffer are written straight onto and
over EIP.
Typically, when a user intends to access his/her mailbox through
the webmail interface, this is done through a URL constructed as
follows:
http://server:port/username
Following a basic WWW-Authentication (where the Realm is
'username'), the user is then taken into the specified mailbox.
The problem lies in the handling of the information provided to
the server by the browser during this WWW-Authentication. In
certain cases, the username and password combined can form a
buffer that smashes EIP. For example:
username: a 140 byte username and
password: a 140 byte password
will overflow the buffer. EIP is overwritten by the last 4
characters of the password buffer. The same goes for other
combinations, for example a 700 byte username and a 20 byte
password.
Since WWW-Authentication is triggered by any 'username' following
the location of the webmail interface, no prior knowledge of
existing usernames is necessary to successfully complete this
attack.
SOLUTION
Vendor has been notified. At the moment we are not aware of any
forthcoming fixes.