COMMAND

    NAI WebShield SMTP

SYSTEMS AFFECTED

    NAI WebShield SMTP v4.5.44 Management Tool (NAI WebShield SMTP v4.0.5)

PROBLEM

    The following is based on Delphis Consulting Plc Security Team
    advisories.  Firstly, telnetting to a machine which runs the
    management agent on port 9999 will allow you to obtain the current
    configuration by executing the command below.

        GET_CONFIG<CR>

    Secondly, if you pass an oversized buffer of 208 bytes or more
    within one of the configuration parameters (there may be more),
    the service will crash, overwriting the stack and the EIP (208
    + 4) with whatever was passed within the parameter.

        SET_CONFIG<CR>
        Quarantine_Path='Ax208'+ EIP

    This enables an attacker to execute arbitrary code on the host
    server, inheriting the permissions of the account which the
    service was running as.

    The configuration agent uses the hostname for authentication; if
    the server upon which the management agent is running is unable to
    resolve a hostname to the IP address, it will allow access by
    default.

SOLUTION

    Currently there is no vendor patch available, but Delphis
    Consulting Internet Security Team would advise users running this
    service to implement the following preventative measures:

        o Don't allow the service to run as SYSTEM but as a restricted
          user account.
        o Access list port 9999 on the local router or firewall to
          restrict access to only required machines.
        o Stop the management service.

    A good way of testing this is to use something like ATGuard, which
    blocks all traffic coming from your machine (i.e. browser
    broadcasts), so that nothing is able to resolve your IP to a name;
    then connect to port 9999.
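
    To back up the access-list measure with monitoring, the sketch
    below inspects reassembled client traffic to port 9999 and flags
    unlisted sources and parameter values of 208 bytes or more.  It is
    an added example, not vendor or Delphis code; the CR-terminated
    Name=value wire format, the function name and the sample sessions
    are assumptions.

```python
# Added example: detection sketch for the management agent's traffic.
# Not vendor or Delphis code. Assumed wire format: CR-terminated lines,
# with Name=value parameter lines following SET_CONFIG.
MGMT_PORT = 9999          # management agent port (from the advisory)
OVERFLOW_THRESHOLD = 208  # value length at which the advisory reports a crash


def inspect_session(src_ip, payload, allowed_sources):
    """Return (kind, detail) alerts for one client-to-agent byte stream."""
    alerts = []
    listed = src_ip in allowed_sources
    if not listed:
        alerts.append(("unlisted_source", f"{src_ip} reached port {MGMT_PORT}"))
    in_set_config = False
    for raw in payload.replace(b"\r\n", b"\r").split(b"\r"):
        line = raw.strip(b"\n")
        if line == b"GET_CONFIG":
            in_set_config = False
            if not listed:
                alerts.append(("config_read", f"{src_ip} requested the configuration"))
        elif line == b"SET_CONFIG":
            in_set_config = True
            if not listed:
                alerts.append(("config_write", f"{src_ip} opened a configuration write"))
        elif in_set_config and b"=" in line:
            name, _, value = line.partition(b"=")
            # Oversized values are reported even from listed hosts.
            if len(value) >= OVERFLOW_THRESHOLD:
                label = name.decode("ascii", "replace")
                alerts.append(("oversized_parameter",
                               f"{src_ip} sent {label} with {len(value)} bytes"))
    return alerts


# Constructed sample sessions (documentation address ranges, made-up values).
ADMIN_HOSTS = {"192.0.2.10"}
SAMPLE_SESSIONS = [
    ("192.0.2.10", b"SET_CONFIG\rQuarantine_Path=C:\\Quarantine\r"),
    ("198.51.100.7", b"GET_CONFIG\r"),
    ("192.0.2.10", b"SET_CONFIG\rQuarantine_Path=" + b"A" * 212 + b"\r"),
]

if __name__ == "__main__":
    for src, data in SAMPLE_SESSIONS:
        for kind, detail in inspect_session(src, data, ADMIN_HOSTS):
            print(f"{kind}: {detail}")
```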