IA WebMail Server combined with the IA eMailServer is "a powerful combination for remote access. The IA WebMail Server will work with any standard Web browser to allow users access to their email from anywhere on the Internet. Most mail client programs require that they be reconfigured each time they are used by a different user. This feature is a definite boon to any user who travels or works from outside the office on occasion".
The WebMail Server contains a stack-based buffer overflow in its handling of the HTTP GET request line. If a GET request for a path 1044 bytes long is sent, a saved return address on the stack is completely overwritten, and the instruction pointer can be fully controlled when the corresponding 'retn' instruction executes. It is also possible to gain control of the ECX register during the process.
Vulnerable systems:
* IA WebMail Server version 3.1
Vulnerable code:
This section is added for researchers, to give them a head start in locating the vulnerable function. The overflow is caused by an unchecked call to lstrcpyA().
A call is made from 0x0041B98C to 0x0041D850, and the saved return address 0x0041B991 is placed on the stack.
:0041B98A 8BCE mov ecx, esi
:0041B98C E8BF1E0000 call 0041D850
Inside the subroutine at 0x0041D850, the instruction at 0x0041D8BB calls through a jmp thunk to the strcpy()-type routine (the unchecked lstrcpyA() mentioned above).
Once that copy completes, the saved return address has been overwritten, and all that remains is for the function epilogue below to reach its return instruction.
* Reference To: MFC42.Ordinal:0320, Ord:0320h
:0041DC45 E8F2830000 Call 0042603C
:0041DC4A 8B8C2434040000 mov ecx, dword ptr [esp+00000434]
:0041DC51 5F pop edi
:0041DC52 5E pop esi
:0041DC53 5D pop ebp
:0041DC54 33C0 xor eax, eax
:0041DC56 64890D00000000 mov dword ptr fs:[00000000], ecx
:0041DC5D 5B pop ebx
:0041DC5E 81C430040000 add esp, 00000430
:0041DC64 C3 ret ; <- Here we gain control of the EIP
The altered saved return address is popped off the stack by this ret instead of the real saved return address, so execution resumes at the address supplied in the request.
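As an added defensive illustration, not the vendor's code: a bounded replacement for the unchecked copy described above, next to a request-line length check of the kind a reverse proxy or IDS could apply to flag the 1044-byte GET target the advisory reports. The stack buffer size is an assumed value; the advisory only gives the overflowing request length.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stack buffer size: an assumption for illustration, the
 * advisory reports only the overflowing request length (1044 bytes). */
#define PATH_BUF_SIZE 1024
#define ADVISORY_OVERFLOW_LEN 1044

/* Hardened replacement for an unchecked lstrcpyA()-style copy: measure the
 * source only within the destination bound, refuse anything that does not
 * fit, then copy. Returns 0 on success, -1 if the target would overflow. */
int copy_path_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = 0;
    while (n < dst_size && src[n] != '\0')
        n++;
    if (n == dst_size)            /* no room for the NUL terminator: reject */
        return -1;
    memcpy(dst, src, n + 1);      /* n bytes plus the terminator */
    return 0;
}

/* Proxy/IDS-style check: returns 1 if the request-target of a GET request
 * line ("GET /path HTTP/1.0") is at least `threshold` bytes, else 0. */
int flag_long_get(const char *request_line, size_t threshold)
{
    if (strncmp(request_line, "GET ", 4) != 0)
        return 0;                 /* only GET lines are inspected here */
    const char *target = request_line + 4;
    const char *end = strchr(target, ' ');
    size_t len = end ? (size_t)(end - target) : strlen(target);
    return len >= threshold;
}

/* Constructed sample input: "GET /" followed by path_len 'A's and the HTTP
 * version. Returns 0 on success, -1 if out is too small. */
int build_get_line(char *out, size_t out_size, size_t path_len)
{
    const char *prefix = "GET /", *suffix = " HTTP/1.0";
    size_t plen = strlen(prefix);
    if (plen + path_len + strlen(suffix) + 1 > out_size)
        return -1;
    memcpy(out, prefix, plen);
    memset(out + plen, 'A', path_len);
    strcpy(out + plen + path_len, suffix);
    return 0;
}
```

A request that trips flag_long_get() with the advisory's threshold is exactly one that copy_path_checked() refuses, which is the behaviour the unchecked lstrcpyA() lacks.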