Author: Stan Bubrouski
Date: August 19, 2002
Product: WebEasyMail
Versions Affected: 3.4.2.2 (Latest) + previous
Severity: Denial of Service on SMTP and POP3 portions of the software. It has not been investigated, but there might be a possibility of exploitation to execute code remotely.

Problem #1:

The problem appears to lie in the SMTP portion of WebEasyMail. When specially crafted format strings, of the kind the printf family of functions interprets, are sent as commands, it is possible to cause the service process to exit. No crash dialog appears; the service is terminated without any error message, and nothing appears in the logs. As an example:

$ nc localhost 25
220 ESMTP on WebEasyMail [3.4.2.2] ready. http://www.winwebmail.com
%2
502 Error: command not implemented
%2s
502 Error: command not implemented
%100s
502 Error: command not implemented
%3000s
[emsrv.exe silently dies here]
$

I have had no time to debug this problem so I do not know if it is exploitable. The fact that it silently exits may be an indication of internal error handling, but it seems unlikely and I can't comment on it.

Problem #2:

WebEasyMail's POP3 server appears to be very weak at preventing brute-force attacks. First, it allows the discovery of valid usernames through a flaw in its responses, for example:

+OK POP3 on WebEasyMail [3.4.2.2] ready. http://www.winwebmail.com
user dog
+OK user accepted
pass dog
-ERR invalid username
user test
+OK user accepted
pass dog
-ERR wrong password for this user

Notice that when a wrong password is given, the server responds with "-ERR invalid username" if the user does not exist, and "-ERR wrong password for this user" if the user does indeed exist. Furthermore, it seems to allow an unlimited number of guesses of usernames and passwords without disconnecting the remote connection. This, coupled with the above, makes brute-force attacks much easier.
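The following is an added illustration, not code from the advisory or from WebEasyMail: a minimal POP3 USER/PASS handler that reproduces the weak behaviour described in Problem #2 beside a hardened version that returns one uniform failure message and closes the session after a failure budget. The account store, the failure limit and the response texts of the hardened handler are constructed for this example.

```python
import hmac

ACCOUNTS = {"test": "secret"}   # constructed sample account store
MAX_FAILURES = 3                # assumed policy for the hardened handler
DUMMY_SECRET = "\x00no-such-account"  # keeps the compare running for unknown users

class WeakPop3Auth:
    """Mirrors the observed behaviour: distinct errors, unlimited guesses."""
    def __init__(self):
        self.user = None
    def handle(self, line):
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            self.user = arg
            return "+OK user accepted"
        if verb.upper() == "PASS":
            if self.user not in ACCOUNTS:
                return "-ERR invalid username"              # reveals non-existence
            if ACCOUNTS[self.user] != arg:
                return "-ERR wrong password for this user"  # reveals existence
            return "+OK logged in"
        return "-ERR unknown command"

class HardenedPop3Auth:
    """Same message for unknown user and bad password; disconnects after N failures."""
    def __init__(self):
        self.user = None
        self.failures = 0
        self.closed = False
    def handle(self, line):
        if self.closed:
            return None                 # connection has been dropped
        verb, _, arg = line.partition(" ")
        if verb.upper() == "USER":
            self.user = arg
            return "+OK"                # accept any name; decide only on PASS
        if verb.upper() == "PASS":
            stored = ACCOUNTS.get(self.user, DUMMY_SECRET)
            match = hmac.compare_digest(stored, arg)   # constant-time compare
            if match and self.user in ACCOUNTS:
                return "+OK logged in"
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.closed = True
                return "-ERR too many failures, closing connection"
            return "-ERR authentication failed"        # identical for both cases
        return "-ERR unknown command"

def run_session(handler, lines):
    """Feed client lines to a handler and collect the server responses."""
    return [handler.handle(line) for line in lines]
```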
Vendor Status:

I sent a message to the vendor of WebEasyMail (support@winwebmail.com) twice, first on August 2, 2002 and then on August 8, 2002, but received no response. As a result of the lack of response, or even acknowledgement that my messages were received, this advisory has been released.