
A-V Tronics InetServ Webmail Authentication Buffer Overflow Vulnerability

A-V Tronics InetServ is a freeware server for Microsoft Windows systems. It offers functionality for POP3, SMTP, telnet, webmail and other services.

An exploitable buffer overflow exists in the webmail interface of InetServ.

The buffer overflow occurs when the Username/Password fields are each filled with an excessive number of bytes (140+). At the very minimum this can crash InetServ, denying whatever services the software has been enabled to provide (telnet, SMTP, POP3, etc.). However, a window of opportunity exists for remote attackers to execute arbitrary code on the host (with the privileges of the server), possibly allowing the attacker to gain local access to the host.

It should be noted that the webmail interface is an optional feature of A-V Tronics InetServ, and is not enabled by default.
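
A defensive check built on the 140-byte threshold described above, as an added example that is not part of the original advisory or the vendor's code: it flags webmail login submissions whose decoded Username or Password value is 140 bytes or longer, for use in a reverse proxy filter or log review. The form-encoded POST body and the field names `username` and `password` are assumptions, since the advisory does not describe the request format.

```python
from urllib.parse import parse_qsl

# Threshold from the advisory: fields of 140+ bytes trigger the overflow.
OVERFLOW_THRESHOLD = 140
# Assumed (hypothetical) form field names; the advisory only says
# "Username/Password fields". Compared case-insensitively.
LOGIN_FIELDS = {"username", "password"}


def oversized_login_fields(body: bytes, limit: int = OVERFLOW_THRESHOLD) -> dict:
    """Return {field: decoded_length} for login fields whose value is
    `limit` bytes or longer once percent-decoding has been applied.

    The decoded length is what matters: it is the size the server-side
    buffer receives, and it can be far smaller than the raw body length.
    Either field alone is reported, which is stricter than the advisory's
    "each filled" condition.
    """
    # latin-1 maps every byte to one character, so len(value) below is
    # exactly the number of decoded bytes.
    pairs = parse_qsl(body.decode("latin-1"), keep_blank_values=True,
                      encoding="latin-1", errors="strict")
    findings = {}
    for name, value in pairs:
        key = name.lower()
        if key in LOGIN_FIELDS and len(value) >= limit:
            # If a field is repeated, report its longest occurrence.
            findings[key] = max(findings.get(key, 0), len(value))
    return findings


# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "normal login": b"Username=alice&Password=s3cret",
    "long username": b"Username=" + b"A" * 200 + b"&Password=x",
    "encoded long password": b"Username=bob&Password=" + b"%41" * 140,
    "encoded but short": b"Username=bob&Password=" + b"%41" * 50,
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        hits = oversized_login_fields(body)
        print(f"{label}: {'BLOCK ' + str(hits) if hits else 'ok'}")
```
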

Copyright 2008, SecurityFocus