Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch
- To: <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch
- From: "Chris Rogers" <cprogers@xxxxxxxxxxxxx>
- Date: Fri, 16 Dec 2005 03:23:40 -0500
It's an overflow in the _vsnprintf() function. As far as I've read, this
makes your options quite limited. You can only write to data pointers passed
to you through the va_args list of the function. As far as I've seen when
messing with this vulnerability, there are no potentials for overwrites. I
see no function pointers, only text data. Just attach a debugger to
ipswitch, and send MAIL FROM: %n%n%n%n%n%n@%n%n%n%n%n.com to cause a fault
in the debugger.
Chris
----- Original Message -----
From: "Owen Dhu" <0wnj00@xxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>; <vulnwatch@xxxxxxxxxxxxx>;
<full-disclosure@xxxxxxxxxxxxxxxxx>
Sent: Tuesday, December 13, 2005 11:07 AM
Subject: Re: [Full-disclosure] iDEFENSE Security Advisory 12.06.05: Ipswitch
Collaboration Suite SMTP Format String Vulnerability
On 12/6/05, labs-no-reply@xxxxxxxxxxxx <labs-no-reply@xxxxxxxxxxxx> wrote:
> Ipswitch Collaboration Suite SMTP Format String Vulnerability
[...]
> Remote exploitation of a format string vulnerability in Ipswitch
> IMail allows remote attackers to execute arbitrary code.
Can iDEFENSE (or anyone else) elaborate on this? I have been working with
this for a little while and iMail doesn't seem to be exploitable in this
way.
TIA.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
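
The defect class discussed in this thread, shown next to its fix. This is an added example, not code from the thread or from Ipswitch. The helper names (`log_fmt`, `record_sender_unsafe`, `record_sender_safe`, `count_directives`) are hypothetical, and the assumed handler shape is a vsnprintf() wrapper that receives the SMTP envelope address.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical logging helper: a vsnprintf() wrapper. Its fmt argument
   must never be controlled by the remote peer. */
static int log_fmt(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int r = vsnprintf(out, n, fmt, ap);
    va_end(ap);
    return r;
}

/* BEFORE (defect, never called here): the envelope address is used as the
   format string, so each directive in it consumes a va_list slot that the
   caller never supplied. */
int record_sender_unsafe(char *out, size_t n, const char *addr)
{
    return log_fmt(out, n, addr);
}

/* AFTER: constant format string; the address is passed as data only. */
int record_sender_safe(char *out, size_t n, const char *addr)
{
    return log_fmt(out, n, "MAIL FROM: %s", addr);
}

/* Detection aid for logs or filters: count '%' characters that begin a
   directive. "%%" is a literal percent sign and is skipped. */
int count_directives(const char *s)
{
    int count = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        count++;
    }
    return count;
}

int main(void)
{
    const char *addr = "%n%n%n%n%n%n@%n%n%n%n%n.com"; /* string quoted in the thread */
    char line[128];
    record_sender_safe(line, sizeof line, addr);
    printf("%s (directives: %d)\n", line, count_directives(addr));
    return 0;
}
```

With the constant format string the address is copied into the log line verbatim, and the directive count gives a simple signal for flagging such envelope addresses.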