-----Original Message----- From: Ussr Labs <[EMAIL PROTECTED]> To: [EMAIL PROTECTED] <[EMAIL PROTECTED]> Date: Wednesday, January 05, 2000 8:02 AM Subject: Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT Version 5.08 >-----BEGIN PGP SIGNED MESSAGE----- >Hash: SHA1 > >Local / Remote D.o.S Attack in IMail IMONITOR Server for WinNT >Version 5.08 > >USSR Advisory Code: USSR-2000030 > >Release Date: >January 05, 2000 > >Systems Affected: >IMail IMONITOR (PORT 8181) Server for WinNT Version 5.08 and maybe >other versions. >IMail Server for WinNT Version 6.0 is not public, so I can't test it >:(, anyway, I think it's vulnerable. > >About The Software: >Mail Server is the choice of Business, Schools, and Service >Providers. Unlike Microsoft Exchange and Lotus Notes, which are >costly to deploy and cumbersome to administer, IMail Server is easy >to install and easy to manage. It has a fixed cost and is scalable to >thousands of users per server. > >THE PROBLEM > >UssrLabs found a bug, in the Imail Imonitor Service, Vulneravility is >in a Cgi-Script (status.cgi), this Script checks if the Server >Services is >runing (and it spends too much Cpu in this operation we might add), >if you execute the status.cgi, lots of times in a short time the >Imail Imonitor will >crash with an "Invalid Memory Address", and our friend DrWatson tells >us >to close the program :). > >Example: >Open In Internet Explorer: http://ServerIp:8181/status.cgi >And you will See something like this. > >|---------------------------------| >|Service | Status | >|SMTP | UP | >|POP3 | UP | >|DNS | UP | >|WEB | UP | >|TELNET | UP | >|FTP | UP | >|03:33:00 | 03:32:00 | >|________|________| > refresh > >if you Run the Status.cgi lots of times, the server will crash. > >Binary or source for this Exploit: > >http://www.ussrback.com/ > > >Do you do the w00w00? >This advisory also acts as part of w00giving. This is another >contribution to w00giving for all you w00nderful people out there. >You do know what w00giving is don't you? >http://www.w00w00.org/advisories.html > >Vendor Status: >Informed, tracking number for this inquiry is IMS2000010500000096. > >Vendor Url: http://www.ipswitch.com >Program Url: http://www.ipswitch.com/Products/IMail_Server/index.asp > >Credit: USSRLABS > >SOLUTION >Noting yet :( > >Greetings: >Eeye, Attrition, w00w00, beavuh, Rhino9, ADM, L0pht, HNN, >Technotronic and >Wiretrip. > >u n d e r g r o u n d s e c u r i t y s y s t e m s r e s e a r c >h >http://www.ussrback.com > > >-----BEGIN PGP SIGNATURE----- >Version: PGPfreeware 6.5.2 for non-commercial use <http://www.pgp.com> > >iQA/AwUBOHMI6dybEYfHhkiVEQJDFwCgnbdWs/pMTZ0USWkAUKWsTHwt1pIAn33g >iD8aoaO1bB1aqSrPW0xEBhLI >=Ap/P >-----END PGP SIGNATURE----- > >_____________________________________________________________________ >** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice" >** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST" >SEND ALL COMMANDS TO: [EMAIL PROTECTED] > Please visit http://www.ipswitch.com/support/mailing-lists.html to be removed from this list.
