Vulnerability
Intel InBusiness E-mail Station

Affected
Intel InBusiness E-mail Station, all versions <= v1.04

Description
The following is based on Security Bulletin #27 by R00tSh311.

The Intel InBusiness E-mail Station is a small application server designed for the small office. Unauthenticated remote attackers can remove arbitrary files from its hard drive and alter the configuration of the e-mail station. Under certain configurations it is also possible for a remote user to read the e-mail of any user on the server.

On Sept. 24, 1997 Intel announced it had agreed to acquire Dayna Communications Inc. All Dayna products were discontinued as of June 1998, and a subset of them was merged into the InBusiness product line. The e-mail station runs the VxWorks operating system on a 486 SX25 processor. A daemon called "daynad" is bound to TCP port 244 on the e-mail station; it is believed that this portion of the code comes from the acquired Dayna product line.

Upon close examination it was discovered that many commands can be executed by connecting to this service, without ANY AUTHENTICATION. By simply making a TCP connection to port 244, the following commands are available:

"FormSet" - Upon next reboot, the e-mail station reverts to factory defaults. This is the most interesting command. By default the e-mail station uses a DHCP server to obtain its IP address, so the next time the e-mail station reboots you can connect without a password and take control of the entire unit. While we have not located a method to cause a reboot, a simple TCP SYN flood would result in the admin rebooting the box for you. We also found that a steady flood of fragmented UDP packets freezes the IP stack, leaving mbuf allocation errors in the event log.

"FormProtect" - Upon next reboot, the e-mail station reverts to factory defaults and has all passwords disabled. The only way R00tSh311 found to recover was to connect back to this service and use the "FormSet" command.

"MakeDir <directory>" - Creates a directory on the hard drive's filesystem.

"Remove <filename>" - Removes the specified file from the hard drive. Interesting files include users' mail spool files.

"Z" - Drops you to a unix-style login prompt. From here the super-user password is required to get any further; if the password has been reset using "FormSet", it is possible to log in without a password. Interesting commands once logged in include the ability to format the internal IDE hard drive.

It is unclear whether this daynad code is present in other Intel or Dayna products. Owners of similar products are advised to examine all services running on their machines.

Solution
At the time of this advisory there is NOT an available fix. If you have a firewall, filter TCP port 244. Should a patch ever become available, we believe it would be posted here:
http://support.intel.com/support/inbusiness/emailstation/index.htm
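Since no fix exists and the only mitigation is to filter port 244, a practitioner will also want to detect any traffic that reaches the daynad service. The following Python is an added example written for this page; it is not code from R00tSh311's bulletin or from Intel. It audits a set of captured connection records and flags every connection to TCP/244, raising the severity when the client payload begins with one of the commands the advisory lists. The record format and sample records are constructed here, and the assumption that each command is sent as plain text on the first line of the connection is not stated on the page.

```python
"""Flag daynad (TCP/244) activity in captured connection records.

Added example for this advisory, not from R00tSh311 or Intel.
Assumptions not stated on the page: commands are sent as plain text on the
first line of the client payload, and the record layout below is a
constructed capture format rather than any real tool's output.
"""
import ipaddress

DAYNAD_PORT = 244

# Commands the advisory lists as reachable without authentication, with the
# effect the advisory attributes to each.
DAYNAD_COMMANDS = {
    "FormProtect": "factory reset with passwords disabled on next reboot",
    "FormSet": "factory reset on next reboot",
    "Remove": "delete arbitrary file (e.g. a user's mail spool)",
    "MakeDir": "create directory on the unit's filesystem",
    "Z": "drop to unix-style login prompt",
}

# Commands that destroy data or remove authentication outright.
DESTRUCTIVE = {"FormProtect", "FormSet", "Remove"}


def classify_payload(payload: bytes):
    """Return (command, effect) for the first line of a client payload, or None.

    The verb is the first whitespace-separated token; "Z" must match exactly,
    so a payload starting with "Zebra" is not treated as the "Z" command.
    """
    text = payload.decode("ascii", errors="replace")
    first = text.split("\n", 1)[0].strip("\r")
    if not first:
        return None
    verb = first.split(" ", 1)[0]
    if verb in DAYNAD_COMMANDS:
        return verb, DAYNAD_COMMANDS[verb]
    return None


def audit_connections(records, admin_nets):
    """Produce an alert for every connection to TCP/244.

    records: iterable of dicts with keys src, dst, dport, payload (constructed).
    admin_nets: CIDR strings from which management traffic is expected.

    Because the service has no authentication, even a bare connection from an
    untrusted source is reported; connections from admin_nets are still logged
    at "info" so that a compromised management host is not invisible.
    """
    nets = [ipaddress.ip_network(n) for n in admin_nets]
    alerts = []
    for r in records:
        if r["dport"] != DAYNAD_PORT:
            continue
        src = ipaddress.ip_address(r["src"])
        trusted = any(src in n for n in nets)
        hit = classify_payload(r["payload"])
        if hit is None:
            if trusted:
                continue
            command, effect = None, "connection to unauthenticated daynad service"
            severity = "medium"
        else:
            command, effect = hit
            if trusted:
                severity = "info"
            elif command in DESTRUCTIVE:
                severity = "critical"
            else:
                severity = "high"
        alerts.append({"src": r["src"], "dst": r["dst"], "command": command,
                       "effect": effect, "severity": severity})
    return alerts


# Constructed sample capture: 192.0.2.10 plays the e-mail station, 192.0.2.0/24
# is the office LAN, 203.0.113.0/24 is the outside. Paths are made up.
SAMPLE_RECORDS = [
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 244, "payload": b"FormProtect\r\n"},
    {"src": "203.0.113.7", "dst": "192.0.2.10", "dport": 244, "payload": b"Remove spool/alice\r\n"},
    {"src": "192.0.2.5",   "dst": "192.0.2.10", "dport": 244, "payload": b"MakeDir tmp/x\r\n"},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 244, "payload": b""},
    {"src": "203.0.113.9", "dst": "192.0.2.10", "dport": 25,  "payload": b"HELO x\r\n"},
]

if __name__ == "__main__":
    for a in audit_connections(SAMPLE_RECORDS, ["192.0.2.0/24"]):
        print(f'{a["severity"]:8} {a["src"]} -> {a["dst"]}:{DAYNAD_PORT} '
              f'{a["command"] or "-"}: {a["effect"]}')
```

Run over the constructed sample this reports the two outside commands as critical, the LAN "MakeDir" as info, the empty outside connection as medium, and ignores the SMTP record. Pair it with the advisory's firewall advice: filtering TCP/244 at the perimeter stops the outside cases entirely, and this check then only has the LAN to watch.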