#######################################################################

                             Luigi Auriemma

Application:  SLMail Pro
              http://www.seattlelab.com/products/slmailpro/
Versions:     <= 6.3.1.0 (webcontainer.exe <= 1.0.0.336)
Platforms:    Windows
Bugs:         A] memory corruption in Web Service
              B] Denial of Service in Web Service
              C] possible Denial of Service on port 54
Exploitation: remote
Date:         29 Mar 2008
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"SLMail Pro is web-based POP3 and SMTP email server software for Microsoft Windows 2000/2003 that includes advanced features usually found only in Enterprise-Level systems."

#######################################################################

=======
2) Bugs
=======

-----------------------------------
A] memory corruption in Web Service
-----------------------------------

The SLMail Pro Web Service (webcontainer.exe) listening on TCP port 801 is affected by a memory corruption vulnerability that can be triggered with a long URI.
Note that the effects of the vulnerability change from run to run: in testing they ranged from control of some registers (which does not seem to lead to code execution) to NULL pointer dereferences and other crashes.

-----------------------------------
B] Denial of Service in Web Service
-----------------------------------

The webcontainer service is also affected by a Denial of Service problem which can be exploited to crash it through an HTTP parameter longer than half a megabyte.
It does not seem possible to exploit this vulnerability to control the code flow.
----------------------------------------
C] possible Denial of Service on port 54
----------------------------------------

Another problem exists in the SLMail service which listens on UDP port 54 (it is not clear what specific function this port performs, probably the handling of DNS queries or replies) and which can be disabled by sending it a UDP packet bigger than 4096 bytes.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/slmaildos.zip
http://aluigi.org/testz/udpsz.zip

  nc SERVER 801 -v -v < slmaildos1.txt    (do it twice)
  nc SERVER 801 -v -v < slmaildos2.txt
  udpsz SERVER 54 4097

#######################################################################

======
4) Fix
======

No fix

#######################################################################