Many holes in the Netmanager Chameleon tool suite

Summary
Description:Mostly standard overflows, but there are lots of them. Virtually every product that comes in the suite seems exploitable.
Author:arager@MCGRAW-HILL.COM
Compromise:remote attackers can likely obtain root /administrator privileges on the machines running Chameleion daemons. The clients also have serious security holes.
Vulnerable Systems:These holes are in the Windows versions, although I would be very careful about running something like thier Unix Z-mail product.
Date:4 May 1998
Details


Date: Mon, 4 May 1998 10:37:35 -0500
From: arager@MCGRAW-HILL.COM
To: BUGTRAQ@NETSPACE.ORG
Subject: Netmanage Holes

     Hello All,


     He's some major holes that I have found in the Netmanage Chameleon
     tools.  Forwarded the info to Netmanange a few weeks ago, but no
     response from them on patches and such.

     All seem to exist in the older Chameleon 4.5 as well as the newer
     Unixlink 97 tools.  Most of the testing was done with NetCat for NT
     on NT 3.51 and 4.0

     Notes:  Anything listed as a 'Buffer Overflow' means that a NT Dr.Watson
     message was produced with the 'Exception: access violation' message.  This
     may or may not be an exploitable buffer overflow condition, but it
     definitely looks like the programs are not always doing sanity checks on
     user input.

     1 - FTP server.  You must have at least one user defined on the server.
     -- Buffer overflows with username. Username needs more than 150 chars
     to overrun.  Very similar to the WAR FTPd probs.
     -- passwd with lots of chars causes a 'local error processing' to
     scroll on the screen.


     2 - HTTP server [personal web server]. Not sure what exactly is
     happening here, but if a URL request longer than 519 chars is
     submitted to the server, it spontaneously unloads.....never produces
     an error message.
     example:  GET more_than_519_characters<cr><cr>


     3 - Email/Zmail -- The email package comes with both client and server
     functions.  POP3d and SMTPd are enabled while the email client is active.

     POP3d
     -- buffer overflow with 'USER username' and username over 152 chars
     -- buffer overflow with 'PASS passwd' and password over 104 chars
     -- buffer overflows with all of the commands [list, retr, dele, quit].
      Don't even have to log in.  Even QUIT with a bunch of garbage after
     it will cause the POP3d to crash..........

     SMTPd
     -- buffer overflow with 'HELO hostname' and hostname over 471 chars.
     -- buffer overflow with 'HELP topic' and topic over 514 chars.

     4 - Finger client -- If you setup netcat to listen on the finger port,
     and send back a reply of over 257 chars to any finger request from the
     Chameleon client, an overflow will occur at the finger
     client....strange, but who really uses finger anyway.... ;)



     These are the only utilities that I have really looked into -- But
     they all seem to have problems with validity checks.  I have not
     built test exploits yet, but there is a definate possibility that
     some of these bugs are exploitable.  They are definately DOS bugs.


     Regards,

     Anton Rager
     arager@McGraw-Hill.com

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: