NGSSoftware Insight Security Research Advisory

Name: NetWin CWMail.exe Buffer Overflow
Systems Affected: IIS4 & IIS5
Severity: High
Vendor URL: http://www.netwinsite.com
Author: Mark Litchfield (mark@ngssoftware.com)
Date: 13th February 2002
Advisory number: #NISR12022002

Description
***********
CWMail is a fully featured Corporate Web Mail System for institutions or ISPs using the web as their primary means of access to email. CWMail is available for a wide variety of platforms and allows all email processing to be handled via a client web browser rather than from an email client package.

Details
*******
CWMail.exe is the main executable that provides the program's functionality on the Windows platforms. It would typically be located in either the 'cgi-bin' or 'scripts' directory of an IIS server. After a successful logon, selecting the forward (mail) option and filling the parameter 'item=' with a large string of characters overwrites the saved return address and causes an access violation, allowing the remote execution of arbitrary code.

Fix Information
***************
NGSSoftware alerted NetWin to these problems on the 10th of February; NetWin responded extremely quickly with a patch. This patch has been available from the 12th of February, and can be downloaded from

http://netwinsite.com/dmailweb/download2.htm

We would like to point out that the fix turnaround time of 36 hours is the fastest that the members of the NISR team have encountered; we would like to commend NetWin for the speed of their response and their commitment to the security of their customers.

A check for these issues has been added to Typhon II, of which more information is available from the NGSSoftware website, http://www.ngssoftware.com.

Further Information
*******************
For further information about the scope and effects of buffer overflows, please see

http://www.ngssoftware.com/papers/ntbufferoverflow.html
http://www.ngssoftware.com/papers/bufferoverflowpaper.rtf
http://www.ngssoftware.com/papers/unicodebo.pdf
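
A log check for the oversized 'item=' parameter described under Details, for sites reviewing IIS logs from before the patch was applied. This is an added example, not part of the NGSSoftware advisory or of Typhon II; the 64-character threshold, the sample log lines and the placeholder parameter 'x' are assumptions made for illustration.

```python
from urllib.parse import unquote_plus

MAX_ITEM_LEN = 64  # assumed ceiling for a legitimate 'item' value; tune per site

# Constructed IIS W3C extended log sample (not real traffic). The 'x'
# parameter is a placeholder, not a documented CWMail parameter.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2002-02-13 10:01:02 192.0.2.10 GET /scripts/cwmail.exe item=12 200
2002-02-13 10:01:09 192.0.2.77 GET /scripts/CWMail.exe item={big} 500
2002-02-13 10:01:15 192.0.2.10 GET /default.htm - 200
2002-02-13 10:02:30 192.0.2.78 GET /cgi-bin/cwmail.exe x=1&item={enc} 500
""".format(big="A" * 600, enc="%41" * 300)


def item_lengths(query):
    """Yield (raw_len, decoded_len) for each 'item' parameter in a query string."""
    for pair in query.split("&"):
        name, _, value = pair.partition("=")
        if unquote_plus(name).lower() == "item":
            yield len(value), len(unquote_plus(value))


def scan(log_text, max_len=MAX_ITEM_LEN):
    """Return one record per CWMail.exe request whose 'item' value is oversized."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order is declared by the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        rec = dict(zip(fields, line.split(" ")))
        # IIS paths are case-insensitive; match cgi-bin, scripts or any other dir.
        if not rec.get("cs-uri-stem", "").lower().endswith("/cwmail.exe"):
            continue
        for raw_len, dec_len in item_lengths(rec.get("cs-uri-query", "")):
            # Check both forms: percent-encoding inflates the raw length only.
            if max(raw_len, dec_len) > max_len:
                hits.append({"time": rec.get("date", "") + " " + rec.get("time", ""),
                             "ip": rec.get("c-ip"), "stem": rec.get("cs-uri-stem"),
                             "raw_len": raw_len, "decoded_len": dec_len,
                             "status": rec.get("sc-status")})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

IIS W3C logs record the query string but not POST bodies, so this check only sees requests that carried 'item=' in the URL; it also requires the cs-uri-query field to be enabled in the site's logging properties.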