I know this problem since a while. It's a bug in 'SysLib.dll' that makes calls to 'MSVCR71._vsnprintf' with user controlled data as format string. 'MSVCR71._vsnprintf' will only be called when SMTP logging is enabled and it's disabled by default in IMail 8.21.
The following SMTP commands are affected: - HELO - EHLO - MAIL - RCPT - EXPN - AUTH CRAM-MD5 (encoded username) - AUTH LOGIN (encoded username) - AUTH PLAIN (encoded username) I don't think it's exploitable because the user controlled string is many thousand bytes away from the stack pointer and you can only send 512 bytes to the SMTP daemon. This allows you to increase the stack pointer up to 2,032 bytes but the nearest user controlled memory location I could find was still 11,840 bytes away from ESP. A memory access violation doesn't crash the SMTP daemon but consumpts 100% CPU power. If someone was able to exploit this, I would be interested in exploit code or an explanation to learn from him. -FistFucker (aka FistFuXXer) ----- Original Message ----- From: Chris Rogers To: [email protected] Sent: Friday, December 16, 2005 9:23 AM Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch It's an overflow in the _vsnprintf() function. As far as I've read, this makes your options quite limited. You can only write to data pointers passed to you through the va_args list of the function. As far as I've seen when messing with this vulnerability, there are no potentials for overwrites. I see no function pointers, only text data. Just attach a debugger to ipswitch, and send MAIL FROM: [EMAIL PROTECTED] to cause a fault in the debugger. Chris ----- Original Message ----- From: "Owen Dhu" <[EMAIL PROTECTED]> To: <[email protected]>; <[EMAIL PROTECTED]>; <[email protected]> Sent: Tuesday, December 13, 2005 11:07 AM Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch Collaboration Suite SMTP Format String Vulnerability On 12/6/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Ipswitch Collaboration Suite SMTP Format String Vulnerability [...] > Remote exploitation of a format string vulnerability in Ipswitch > IMail allows remote attackers to execute arbitrary code. Can iDEFENSE (or anyone else) elaborate on this? I have been working with this for a little while and iMail doesn't seem to be exploitable in this way. TIA. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
