From securityteam@DELPHISPLC.COM Mon Jul 10 02:39:48 2000
From: Security Team
To: BUGTRAQ@SECURITYFOCUS.COM
Date: Thu, 25 May 2000 17:40:13 +0100
Subject: DST2K0003 : Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool

================================================================================
Delphis Consulting Plc
================================================================================

Security Team Advisories
[08/05/2000]

securityteam@delphisplc.com

================================================================================
Adv     : DST2K0003
Title   : Buffer Overrun in NAI WebShield SMTP v4.5.44 Management Tool
Author  : DCIST (securityteam@delphisplc.com)
O/S     : Microsoft Windows NT v4.0 Server (SP6)
Product : NAI WebShield SMTP v4.5.44
Date    : 08/05/2000

I.   Description
II.  Solution
III. Disclaimer
================================================================================


I. Description
================================================================================

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerability in the NAI Management Agent for WebShield SMTP under Windows NT.

Firstly, telnetting to a machine that runs the management agent on port 9999
allows you to retrieve the current configuration by executing the command
below.

GET_CONFIG

Secondly, if you pass an oversized buffer of 208 bytes or more within one of
the configuration parameters (there may be more), the service will crash,
overwriting the stack and EIP (at offset 208 + 4) with whatever was passed
within the parameter.
SET_CONFIG
Quarantine_Path='Ax208'+ EIP

This enables an attacker to execute arbitrary code on the host server,
inheriting the permissions of the account the service runs as.


II. Solution
================================================================================

Vendor Contacted: 8-May-2000

Currently there is no vendor patch available, but Delphis Consulting Internet
Security Team would advise users running this service to implement the
following preventative measures:

o Don't run the service as SYSTEM; run it as a restricted user account.
o Access-list port 9999 on the local router or firewall to restrict access
  to only the required machines.
o Stop the management service.


III. Disclaimer
================================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS. NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
================================================================================
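The length condition described in section I, as an added example that is not part of the advisory or of NAI's code: a Python scanner that parses captured management-agent session lines (SET_CONFIG / GET_CONFIG followed by Name='value' parameters, the form shown above) and flags SET_CONFIG values that reach the 208-byte threshold, together with the bounds check a fixed agent would apply before copying a value into its buffer. The sample session is constructed; the only parameter name taken from the advisory is Quarantine_Path, and the exact line format of the real agent is an assumption.

```python
import re

# Threshold from the advisory: a parameter value of 208 bytes or more overruns
# the agent's stack buffer, so anything at or above it is flagged.
OVERRUN_LEN = 208

# Parameter lines are assumed to look like Name='value' (the form of the
# advisory's Quarantine_Path example).
PARAM_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)='(.*)'$")


def parse_params(session_lines):
    """Yield (line_no, command, name, value) for each parameter line that
    follows a SET_CONFIG or GET_CONFIG command in a captured session."""
    command = None
    for line_no, raw in enumerate(session_lines, start=1):
        line = raw.strip()
        if line.upper() in ("SET_CONFIG", "GET_CONFIG"):
            command = line.upper()
            continue
        m = PARAM_RE.match(line)
        if m and command:
            yield line_no, command, m.group(1), m.group(2)


def find_oversized(session_lines, limit=OVERRUN_LEN):
    """Return [(line_no, name, byte_len)] for SET_CONFIG values that reach the
    overrun threshold; sizes are in bytes because the agent copies raw bytes."""
    hits = []
    for line_no, command, name, value in parse_params(session_lines):
        size = len(value.encode("latin-1", errors="replace"))
        if command == "SET_CONFIG" and size >= limit:
            hits.append((line_no, name, size))
    return hits


def accept_value(value, limit=OVERRUN_LEN):
    """Server-side check a fixed agent should apply before copying a value
    into its fixed-size buffer: reject anything that would not fit."""
    return len(value.encode("latin-1", errors="replace")) < limit


# Constructed sample session: one benign update and one oversized value
# (212 bytes, matching the 208 + 4 offset described in section I).
SAMPLE_SESSION = [
    "GET_CONFIG",
    "SET_CONFIG",
    "Quarantine_Path='C:\\Quarantine'",
    "SET_CONFIG",
    "Quarantine_Path='" + "A" * 212 + "'",
]
```

Running find_oversized(SAMPLE_SESSION) reports the fifth line, Quarantine_Path at 212 bytes; the benign path on line three passes both the scanner and accept_value.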