

XMail CTRLServer remote buffer overflow vulnerability

by Phiber on February 4th, 2001

Vulnerable systems:
XMail version 0.66 and prior versions

Immune systems: None

CTRLServer is XMail's administration service. It listens on port 6017 (configurable).
Several unchecked string copies in its command handlers lead to the vulnerabilities described below.




In CTRLSvr.cpp

line 1888: CTRLDo_domainadd() function

StrLower(strcpy(szDomain, ppszTokens[1]));



szDomain is a 256-byte local buffer, and ppszTokens[1] is parsed from the user-supplied command; XMail copies it with strcpy and no bounds checking. An over-long token can overwrite the saved return address (EIP), and because XMail runs as root, an attacker can execute arbitrary code with root privileges.



The same vulnerability appears in other handlers in CTRLSvr.cpp:

line 1921: CTRLDo_domaindel() function

StrLower(strcpy(szDomain, ppszTokens[1]));



line 2448: CTRLDo_cfgfileget() function

strcpy(szRelativePath, ppszTokens[1]);



line 2523: CTRLDo_cfgfileset() function

strcpy(szRelativePath, ppszTokens[1]);
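As an added illustration, not part of this advisory or of XMail's own code, the C block below shows a bounds-checked replacement for the unchecked strcpy pattern quoted above for CTRLDo_domainadd and CTRLDo_domaindel (the same treatment applies to the szRelativePath copies in CTRLDo_cfgfileget and CTRLDo_cfgfileset). The 256-byte buffer size is taken from the advisory; the function names, the str_lower stand-in for XMail's StrLower, and the return convention are assumptions made for the example.

```c
/* Added example (not XMail's code): a bounds-checked replacement for the
 * unchecked pattern the advisory quotes:
 *     StrLower(strcpy(szDomain, ppszTokens[1]));
 * Names and the 0/-1 return convention are assumptions for illustration. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DOMAIN_BUF_SIZE 256   /* from the advisory: szDomain is 256 bytes */

/* Lower-case a NUL-terminated string in place (stand-in for XMail's StrLower). */
static void str_lower(char *s)
{
    for (; *s; s++)
        *s = (char)tolower((unsigned char)*s);
}

/* Copy a client-supplied token into a fixed buffer, refusing anything that
 * would not fit together with its terminator. Returns 0 on success and -1
 * on rejection; on rejection dst is an empty string, never stale data. */
int copy_token_bounded(char *dst, size_t dstsz, const char *token)
{
    size_t n;
    if (dst == NULL || dstsz == 0)
        return -1;
    dst[0] = '\0';
    if (token == NULL)
        return -1;
    /* Scan at most dstsz bytes: if no NUL is found in that window, the
     * token cannot fit, and we never read beyond what could be copied. */
    for (n = 0; n < dstsz && token[n] != '\0'; n++)
        ;
    if (n == dstsz)
        return -1;
    memcpy(dst, token, n + 1);   /* includes the terminating NUL */
    return 0;
}

/* Hardened equivalent of the domainadd handler's first step: fills domain
 * (lower-cased) and returns 0 when the token fits, -1 otherwise. */
int ctrl_domainadd_parse(const char *token, char *domain, size_t domainsz)
{
    if (copy_token_bounded(domain, domainsz, token) != 0)
        return -1;
    str_lower(domain);
    return 0;
}

/* Helper for experiments: builds a token of token_len 'a' characters and
 * reports whether ctrl_domainadd_parse accepts it into a 256-byte buffer. */
int domain_token_result(size_t token_len)
{
    char token[1024];
    char domain[DOMAIN_BUF_SIZE];
    if (token_len >= sizeof token)
        token_len = sizeof token - 1;
    memset(token, 'a', token_len);
    token[token_len] = '\0';
    return ctrl_domainadd_parse(token, domain, sizeof domain);
}

int main(void)
{
    char domain[DOMAIN_BUF_SIZE];
    printf("short token  : %d (%s)\n",
           ctrl_domainadd_parse("Example.ORG", domain, sizeof domain), domain);
    printf("255-byte token: %d\n", domain_token_result(255));
    printf("256-byte token: %d\n", domain_token_result(256));
    printf("600-byte token: %d\n", domain_token_result(600));
    return 0;
}
```

The key difference from the original pattern is that the length of the untrusted token is established against the destination size before any byte is written, so a token that does not fit is refused instead of overrunning szDomain.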



Before exploiting the vulnerabilities, it is necessary to log in to CTRLServer with a username and password. I think it is easy to get that by brute forcing.



PATCH:

http://www.mycio.com/davidel/xmail should release the patch.





This vulnerability was contributed on a mailing list, by Isno.

