COMMAND

    Rockliffe Mailsite

SYSTEMS AFFECTED

    Windows NT running MailSite-HTTPMA/4.2.1.0

PROBLEM

    The following is based on the Cerberus Information Security Advisory
    by David Litchfield.  The Cerberus Security Team has discovered a
    serious security flaw in Rockliffe's MailSite Management Agent
    (version 4.2.1.0).  This server allows remote users to access their
    POP3 accounts and read their mail over HTTP.  The service usually
    listens on TCP port 90.  Unfortunately there exists a buffer overrun
    vulnerability that allows attackers to execute arbitrary code.  As
    this service runs as SYSTEM by default, any code executed will run
    with SYSTEM privileges, meaning any server running this agent could
    be fully compromised.

    The HTTPMA agent listens on port 90 and requests are made through
    wconsole.dll like a standard HTTP request:

        GET /cgi-bin/wconsole.dll?query_string\n\n

    If the query_string is over 240 bytes a buffer is overflowed,
    overwriting the saved return address and thus gaining control of
    the program's execution.  This is done by overwriting this address
    with another address in memory that contains a JMP ESP or CALL ESP
    instruction.  The remainder of the buffer can be found there, and
    when the JMP or CALL is performed the program executes the code
    found at the top of the stack.

SOLUTION

    The vendor has fixed this in their latest version, 4.2.2, which is
    available from their web site:

        http://www.rockliffe.com