De: À: "BUGTRAQ" Objet: [SNS Advisory No.41] iPlanet Messaging Server 5.1(evaluation copy) Buffer Overflow Vulnerability Date : lundi 3 septembre 2001 07:45 ---------------------------------------------------------------------- SNS Advisory No.41 iPlanet Messaging Server 5.1(evaluation copy) Buffer Overflow Vulnerability Problem first discovered: 6 Aug 2001 Published: Mon, 3 Sep 2001 ---------------------------------------------------------------------- Overview: --------- Netscape Administration Server, provided by iPlanet Messaging Server 5.0 as a console program for administration, has a buffer overflow vulnerability. It allows remote users to execute arbitrary commands with SYSTEM privilege. Problem Description: -------------------- iPlanet Messaging Server is designed to provide SMTP, IMAP4, POP3 and Web-based mail services. Basic authorization is required when editing user information registered on the server, then supplied username and password are sent to the server after being base64 encoded. If long strings are included in username, ns-admin.exe, which is binary of Netscape Administration Server, will overflow. Therefore, this vulnerability allows remote users to execute arbitrary commands with SYSTEM privilege. Tested Version: --------------- iPlanet Messaging Server 5.1 evaluation copy Tested on: ---------- Windows NT 4.0 Server + SP6a [English] Solution: --------- However, iPlanet has not commented on this problem because they do not offer the technical support for evaluation copy under any circumstances. It is strongly recommended that you set up access control of Administration Server to deny access to servers, in which iPlanet Messaging Server is installed by non-trusted users. After setting up, unauthorized hosts cannot have access to the web site for editing user information. Discovered by: -------------- SNS Team (LAC / snsadv@lac.co.jp) Disclaimer: ----------- All information in these advisories are subject to change without any advanced notices neither mutual consensus, and each of them is released as it is. LAC Co.,Ltd. is not responsible for any risks of occurrences caused by applying those information. References ---------- Archive of this advisory(in preparation now): http://www.lac.co.jp/security/english/snsadv_e/41_e.html ------------------------------------------------------------------ Secure Net Service(SNS) Security Advisory Computer Security Laboratory, LAC http://www.lac.co.jp/security/