
JanaServer multiple overflows
29th Jul 2002 [SBWID-5563]
COMMAND

	JanaServer multiple overflows

SYSTEMS AFFECTED

	 JanaServer 2.2.1 and prior

	 JanaServer 1.46 and prior

	

PROBLEM

	

	         /\_/\

	        { , . }     |\       ZARAZA <3APA3A@security.nnov.ru>

	+--oQQo->{ ^ }<-----+ \      of

	|  ZARAZA  U  3APA3A   }     http://www.security.nnov.ru

	+-------------o66o--+ /      says :

	                    |/

	

	

	JanaServer is Internet gateway software for the Windows platform that can act as
	an HTTP/FTP/NEWS/SNTP server, SOCKS4/SOCKS5/HTTP/FTP/TELNET/Real Audio proxy,
	e-mail gateway and port mapper. JanaServer up to 1.46 was freeware; JanaServer
	2.0 and above is shareware. It is intensively used in SOHO networks. Under NT
	platforms it runs as a service with system privileges. 8 vulnerabilities were
	identified:
	

	 1. HTTP server buffer overflow.

	

	GET / HTTP/[buffer].0

	

	causes an overflow in the logging component.
	

	 2. HTTP proxy buffer overflow

	

	The same overflow exists in the HTTP proxy server running on TCP/3128.
	

	 3. Socks5 Username/Password/Hostname signed/unsigned buffer overflow

	

	A username, password or hostname in a SOCKS5 request longer than 127
	characters causes a buffer overflow because of invalid use of a signed
	variable.
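As an added example (not JanaServer's code), the signed-length pitfall that item 3 describes, placed next to a bounds-checked parser for the RFC 1929 SOCKS5 username/password sub-negotiation. FIELD_MAX, the function names and the constructed messages are assumptions made for this example; the vulnerable function only reports the length it would have handed to the copy and copies nothing.

```c
/* Added example (not JanaServer code): the signed-length pitfall behind
 * advisory item 3, next to a bounds-checked parser for the RFC 1929
 * SOCKS5 username/password sub-negotiation. Buffer sizes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_MAX 128   /* assumed destination buffer size; names must be < 128 bytes */

/* Vulnerable pattern: the one-byte length is kept in a signed char. Bytes
 * 128..255 become negative, pass the "too long" test, and turn into a huge
 * size_t at the copy. Nothing is copied here; the function only returns the
 * length the copy would have been given (0 means the check rejected it). */
size_t signed_length_check(uint8_t len_byte)
{
    signed char len = (signed char)len_byte;   /* 200 -> -56 on two's complement */
    if (len > FIELD_MAX - 1)                   /* -56 > 127 is false, so it passes */
        return 0;
    return (size_t)len;                        /* -56 -> SIZE_MAX - 55 */
}

/* Hardened parser: VER(1) ULEN(1) UNAME(ULEN) PLEN(1) PASSWD(PLEN).
 * Lengths stay unsigned and are checked against the remaining input and the
 * destination size before each memcpy. Returns 0 on success, negative on error. */
int parse_userpass(const uint8_t *msg, size_t msg_len,
                   char user[FIELD_MAX], char pass[FIELD_MAX])
{
    size_t pos = 0;
    if (msg_len < 2 || msg[pos++] != 0x01)          /* sub-negotiation version 1 */
        return -1;
    uint8_t ulen = msg[pos++];
    if (ulen >= FIELD_MAX || pos + ulen > msg_len)  /* would overflow user[] or read past msg */
        return -2;
    memcpy(user, msg + pos, ulen);
    user[ulen] = '\0';
    pos += ulen;
    if (pos >= msg_len)
        return -1;
    uint8_t plen = msg[pos++];
    if (plen >= FIELD_MAX || pos + plen > msg_len)  /* same check for pass[] */
        return -3;
    memcpy(pass, msg + pos, plen);
    pass[plen] = '\0';
    pos += plen;
    return pos == msg_len ? 0 : -4;                 /* trailing bytes are an error */
}

/* Builds a constructed sub-negotiation message with a name of ulen 'a's and a
 * password of plen 'b's. Returns the message length; out must hold 3+ulen+plen. */
size_t build_userpass(uint8_t *out, uint8_t ulen, uint8_t plen)
{
    size_t pos = 0;
    out[pos++] = 0x01;
    out[pos++] = ulen;
    memset(out + pos, 'a', ulen); pos += ulen;
    out[pos++] = plen;
    memset(out + pos, 'b', plen); pos += plen;
    return pos;
}

/* Demo: a 200-byte username passes the signed check but is rejected by the
 * hardened parser. Returns the parser's status (-2 expected). */
int demo_long_username(void)
{
    uint8_t msg[3 + 255 + 255];
    char user[FIELD_MAX], pass[FIELD_MAX];
    size_t n = build_userpass(msg, 200, 4);
    return parse_userpass(msg, n, user, pass);
}

/* Demo: a well-formed 5-byte name / 3-byte password parses cleanly.
 * Returns 1 when both fields came out as expected. */
int demo_short_username(void)
{
    uint8_t msg[3 + 255 + 255];
    char user[FIELD_MAX], pass[FIELD_MAX];
    size_t n = build_userpass(msg, 5, 3);
    return parse_userpass(msg, n, user, pass) == 0
        && strcmp(user, "aaaaa") == 0 && strcmp(pass, "bbb") == 0;
}
```

The comparison against `FIELD_MAX - 1` is done before the length is ever converted to `size_t`, and it is done on an unsigned byte, which is what closes the gap: with a `signed char` the same comparison is true for 0..127 and silently false for 128..255.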
	

	 4. POP3 gateway buffer overflow.

	

	An oversized reply from the POP3 server
	

	+OK [buffer]

	

	causes a buffer overflow in the logging component.
	

	 5. SMTP gateway buffer overflow

	

	The same overflow occurs in the SMTP server response:
	

	nnn [buffer]

	

	 6. FTP server PASV system-wide DoS

	

	On the FTP PASV command the server allocates a TCP port without closing
	the previously allocated port. This makes it possible to consume all TCP
	ports available in the system.
	

	 7. POP3 username/password bruteforce

	

	The POP3 gateway gives different diagnostics for valid and invalid usernames
	and allows an unlimited number of authentication attempts. This makes it
	easy to bruteforce usernames/passwords.
	

	 8. POP3 array index overrun (JanaServer <= 1.46)

	

	During mailbox commands there is no check that the message index is valid.
	For example
	

	RETR 1000000

	or

	DELE 1000000

	

	will cause the server to crash. JanaServer 2.2.1 is not vulnerable.

SOLUTION

	Check [http://www.janaserver.com]; nothing yet though.
	

	 Workarounds

	 ===========

	

	1. Disable HTTP logging

	2. Disable HTTP proxy logging

	3. Disable socks proxy

	4,5. Edit the Texte.dat file, replacing all occurrences of "%s" with "%.255s"
	in lines numbered 300 to 455.

	6. Disable FTP server

	7,8. Disable mail gateway
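Why the "%.255s" edit in workaround 4,5 closes the logging overflows of items 1, 2, 4 and 5, as an added example that is not JanaServer code: a precision on a %s conversion caps how many characters the argument contributes, so a fixed log buffer is never exceeded even where the logger formats with sprintf. The LOG_LINE size, the template strings and the 1000-byte reply are constructed for the example; the rewrite helper applies the same edit to a template string in memory and, unlike a blind search-and-replace, leaves "%%s" (a literal percent sign followed by s) and conversions that already carry a precision alone.

```c
/* Added example (not JanaServer code): why "%.255s" bounds a log line, and a
 * helper that applies the advisory's Texte.dat edit to a template string.
 * Buffer sizes and the template lines are constructed for the example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define LOG_LINE 300   /* assumed fixed-size log buffer */

/* Formats one log line from a template with a single string argument and
 * returns the length the full output would have had. snprintf is used, so
 * nothing overflows here; a return value >= LOG_LINE is exactly the case in
 * which an sprintf-based logger would have written past its buffer. */
size_t formatted_length(const char *tmpl, const char *arg)
{
    char buf[LOG_LINE];
    int n = snprintf(buf, sizeof buf, tmpl, arg);
    return n < 0 ? 0 : (size_t)n;
}

/* Rewrites every unbounded "%s" in a template to "%.255s", the edit the
 * workaround makes in Texte.dat. "%%s" is an escaped percent sign and is
 * copied unchanged; a "%.Ns" that already has a precision is also left alone.
 * Returns the number of conversions rewritten, or -1 if out is too small. */
int bound_string_specs(const char *in, char *out, size_t outsz)
{
    size_t o = 0;
    int count = 0;
    for (size_t i = 0; in[i] != '\0'; i++) {
        if (in[i] == '%' && in[i + 1] == '%') {      /* escaped percent: copy both */
            if (o + 2 > outsz) return -1;
            out[o++] = '%'; out[o++] = '%'; i++;
            continue;
        }
        if (in[i] == '%' && in[i + 1] == 's') {      /* unbounded %s: add precision */
            if (o + 6 > outsz) return -1;
            memcpy(out + o, "%.255s", 6); o += 6; i++;
            count++;
            continue;
        }
        if (o + 1 > outsz) return -1;
        out[o++] = in[i];
    }
    if (o >= outsz) return -1;
    out[o] = '\0';
    return count;
}

/* Demo: a constructed 1000-byte "reply" through an unbounded and a bounded
 * template. Returns 1 when the unbounded form would have exceeded LOG_LINE
 * and the bounded one stays inside it. */
int demo_bounded_log(void)
{
    char reply[1001];
    memset(reply, 'A', 1000); reply[1000] = '\0';   /* constructed oversized reply */
    char fixed[64];
    if (bound_string_specs("POP3 reply: %s", fixed, sizeof fixed) != 1) return 0;
    size_t before = formatted_length("POP3 reply: %s", reply);   /* 12 + 1000 */
    size_t after  = formatted_length(fixed, reply);              /* 12 + 255  */
    return before >= LOG_LINE && after < LOG_LINE;
}

/* Demo: the rewrite touches only the unbounded conversion. Returns 1 when
 * "%s %%s %.10s" becomes "%.255s %%s %.10s" with exactly one change. */
int demo_rewrite_rules(void)
{
    char out[64];
    int n = bound_string_specs("%s %%s %.10s", out, sizeof out);
    return n == 1 && strcmp(out, "%.255s %%s %.10s") == 0;
}
```

The workaround only helps if every template that reaches a fixed buffer is edited, which is why the advisory pins it to a line range in Texte.dat; a precision of 255 also has to be smaller than the buffer minus the fixed text around the conversion, otherwise the line is still too long.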

	
