Netwin DMailWeb & CWMail Multiple DoS Vulnerabilities
BID:1376
Info
Netwin DMailWeb & CWMail Multiple DoS Vulnerabilities
| Bugtraq ID: | 1376 |
| Class: | Boundary Condition Error |
| CVE: |
CVE-2000-0608 CVE-2000-0609 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Jun 21 2000 12:00AM |
| Updated: | Jul 11 2009 02:56AM |
| Credit: | These vulnerabilities were posted to the Bugtraq mailing list by Chris Wolfe <[email protected]> on Wed, 21 Jun 2000. |
| Vulnerable: |
NetWin DMailWeb 2.6 j NetWin DMailWeb 2.6 i NetWin DMailWeb 2.6 g NetWin DMailWeb 2.5 e |
| Not Vulnerable: | |
Discussion
Netwin DMailWeb & CWMail Multiple DoS Vulnerabilities
DMailWeb and CWMail are server side applications that provide users with web based email they can access using any web browser. They are compatible with any standard POP/SMTP email server system. Certain versions of these applications have a series of vulnerabilities related to unchecked user supplied data (overly long strings etc.) which result in the services crashing. This is possibly (although not confirmed) an indicator of exploitable buffer overflows. At the least this is a denial of service issue.
DMailWeb and CWMail are server side applications that provide users with web based email they can access using any web browser. They are compatible with any standard POP/SMTP email server system. Certain versions of these applications have a series of vulnerabilities related to unchecked user supplied data (overly long strings etc.) which result in the services crashing. This is possibly (although not confirmed) an indicator of exploitable buffer overflows. At the least this is a denial of service issue.
Exploit / POC
Netwin DMailWeb & CWMail Multiple DoS Vulnerabilities
From the original (attached in the 'Credit') section post on this vulnerability from Chris Wolfe <[email protected]> :
Sending long values as the username (>= 240 chars, 239 works normally) will cause the script to freeze (just over a minute on the machines tested). The pophost field has a similar problem, though it requires more characters to trigger (tested 512).
An extremely long pophost (tested 1024) causes the script to freeze and then crash. I am not equipped to test for buffer overflow conditions, but suspect one is the cause of the crash. (2.6j removed the delay but still crashes).
From the original (attached in the 'Credit') section post on this vulnerability from Chris Wolfe <[email protected]> :
Sending long values as the username (>= 240 chars, 239 works normally) will cause the script to freeze (just over a minute on the machines tested). The pophost field has a similar problem, though it requires more characters to trigger (tested 512).
An extremely long pophost (tested 1024) causes the script to freeze and then crash. I am not equipped to test for buffer overflow conditions, but suspect one is the cause of the crash. (2.6j removed the delay but still crashes).
Solution / Fix
References
Netwin DMailWeb & CWMail Multiple DoS Vulnerabilities
References:
References: