[ http://www.rootshell.com/ ] Date: Mon, 4 May 1998 10:37:35 -0500 From: arager@MCGRAW-HILL.COM Subject: Netmanage Holes Hello All, He's some major holes that I have found in the Netmanage Chameleon tools. Forwarded the info to Netmanange a few weeks ago, but no response from them on patches and such. All seem to exist in the older Chameleon 4.5 as well as the newer Unixlink 97 tools. Most of the testing was done with NetCat for NT on NT 3.51 and 4.0 Notes: Anything listed as a 'Buffer Overflow' means that a NT Dr.Watson message was produced with the 'Exception: access violation' message. This may or may not be an exploitable buffer overflow condition, but it definitely looks like the programs are not always doing sanity checks on user input. 1 - FTP server. You must have at least one user defined on the server. -- Buffer overflows with username. Username needs more than 150 chars to overrun. Very similar to the WAR FTPd probs. -- passwd with lots of chars causes a 'local error processing' to scroll on the screen. 2 - HTTP server [personal web server]. Not sure what exactly is happening here, but if a URL request longer than 519 chars is submitted to the server, it spontaneously unloads.....never produces an error message. example: GET more_than_519_characters 3 - Email/Zmail -- The email package comes with both client and server functions. POP3d and SMTPd are enabled while the email client is active. POP3d -- buffer overflow with 'USER username' and username over 152 chars -- buffer overflow with 'PASS passwd' and password over 104 chars -- buffer overflows with all of the commands [list, retr, dele, quit]. Don't even have to log in. Even QUIT with a bunch of garbage after it will cause the POP3d to crash.......... SMTPd -- buffer overflow with 'HELO hostname' and hostname over 471 chars. -- buffer overflow with 'HELP topic' and topic over 514 chars. 4 - Finger client -- If you setup netcat to listen on the finger port, and send back a reply of over 257 chars to any finger request from the Chameleon client, an overflow will occur at the finger client....strange, but who really uses finger anyway.... ;) These are the only utilities that I have really looked into -- But they all seem to have problems with validity checks. I have not built test exploits yet, but there is a definate possibility that some of these bugs are exploitable. They are definately DOS bugs. Regards, Anton Rager arager@McGraw-Hill.com ---------------------------------------------------------------------------- Date: Mon, 4 May 1998 12:23:16 -0500 From: arager@MCGRAW-HILL.COM Subject: Netmanage Holes -- addendum 1. - The previously documented Netmanage Chameleon/UnixLink 97 holes are only relevant to NT/Win95/Windows versions of Netmanage software. Netmanage has a separate Z-Mail product for Unix, but it doesn't seem to have the same features/problems as the Email/Z-Mail package that comes with their Windows based software. The Unix version does not include SMTP/POP3 server deamons like the Windows version [at least Z-Mail Lite doesn't....anyone know about Unix Z-Mail Pro?] It's strictly a POP/IMAP client. 2. - Netmanage support indicated that the Personal Web Server [httpd] and the Finger client are no longer supported software. I included them as an FYI, and to show that lots of their proggies have validity check problems. All for now, Anton Rager arager@McGraw-Hill.com