|
|
|
|
| |
| Ipswitch IMail server is "a Windows based messaging solution with a customer base of over 53 million users". Exploitation of a remote buffer overflow within the LDAP daemon of Ipswitch IMAIL Server allows attackers to execute arbitrary code under administrator privileges. |
| |
Credit:
The information has been provided by iDefense Labs.
The original article can be found at: http://www.idefense.com/application/poi/display?id=74&type=vulnerabilities
|
| |
Vulnerable Systems:
* LDAP daemon (iLDAP.exe ver. 3.9.15.10) shipping with IMail Server version 8.03
Immune Systems:
* IMail Server version 8.05 Hotfix 2
LDAP messages are comprised of various tags consisting of an identifier, a length and the content. An integer is represented in LDAP by the identifier byte 0x02, followed by the length of the integer in bytes. This is followed by the actual integer itself. As an example the following tag: 0x02 0x03 0x0A 0x25 0xBD represents the integer 665,501 (0xA25BD). The problem exists due to insufficient bounds checking upon copying of user supplied data with large tag lengths to a stack based buffer. The following assembly instruction can be abused to overwrite memory addresses as offsets from the current frame pointer because the attacker has control over ecx and var_4 at the time of exploitation:
.text:00401188 mov byte ptr [ebp+ecx+var_4], dl
An attacker can utilize this to overwrite the address of the Global Exception Handler, which can be found at a static distance from the frame pointer. Overwriting this address with that of a memory location containing a JMP/CALL ebx instruction (in Windows 2000) or a POP xxx POP xxx RET instruction (in Windows XP), allows the attacker to redirect the flow of control to his or her own supplied code.
Analysis:
Successful exploitation allows unauthenticated remote attackers to execute arbitrary code under administrator privileges. Exploitation is possible across both Windows 2000 and XP platforms. However, it requires minor changes in order to work.
Workarounds:
Disable or firewall the LDAP service (TCP port 389) if unneeded.
Vendor Status:
"Testing has completed their review of 8.05 Hotfix 2 and we are ready to release."
The fix will be available for download at:
http://www.ipswitch.com/support/imail/releases/imail_professional/im805HF2.html
Disclosure Timeline:
October 31, 2003 Exploit acquired by iDEFENSE
February 2, 2004 Initial vendor notification
February 3, 2004 iDEFENSE clients notified
February 3, 2004 Vendor response received
February 17, 2004 Coordinated public disclosure
|
|
|
|
|
|
|
