================================================================================
                                 Delphis Consulting Plc
================================================================================

                               Security Team Advisories
                                    [05/06/2000]

      
                             securityteam@delphisplc.com
                  [http://www.delphisplc.com/thinking/whitepapers/]
        
================================================================================
Adv     :       DST2K0011
Title   :       DoS & BufferOverrun in CMail v2.4.7 WebMail
Author  :       DCIST (securityteam@delphisplc.com)
O/S     :       Microsoft Windows NT v4.0 Workstation (SP6)
Product :       CMail v2.4.7
Date    :       05/06/2000

I.    Description

II.   Solution

III.  Disclaimer


================================================================================


I. Description
================================================================================

Vendor URL: http://www.computalynx.net/

Delphis Consulting Internet Security Team (DCIST) discovered the following
vulnerabilities in the CMail Server under Windows NT.

Severity: med

The web interface of CMail which resides by default on port 8002 can be used
to consume 95% of CPU time in two locations. By default the New user creation
option is disabled even though this is the case it is possible to enter long
username of 196k which will cause the CMail process to site at 91 - 95% CPU
time. This is only temporary as the process seems to release the CPU after
as of yet undefined amount of time.

Severity: high

The web server which drives the web interface of CMail it is possible to cause 
a Buffer overrun in NTDLL.DLL overwriting the EIP allowing the execution of 
arbitry code. This is done be connecting to port 8002 which the service resides 
on by default and sending a large GET string. The string has to be a length of 
428 + EIP (4 bytes) making a total of 432 bytes.

It should be noted that NTDLL is authored by ComputaLynx and not Mircosoft.


II. Solution
================================================================================

Vendor Status: Informed

Currently there is no known solution to the problem. 

III. Disclaimer
================================================================================
THE INFORMATION CONTAINED IN THIS ADVISORY IS BELIEVED TO BE ACCURATE AT
THE TIME OF PRINTING, BUT NO REPRESENTATION OR WARRANTY IS GIVEN, EXPRESS OR
IMPLIED, AS TO ITS ACCURACY OR COMPLETENESS.  NEITHER THE AUTHOR NOR THE
PUBLISHER ACCEPTS ANY LIABILITY WHATSOEVER FOR ANY DIRECT, INDIRECT OR
CONSEQUENTIAL LOSS OR DAMAGE ARISING IN ANY WAY FROM ANY USE OF, OR RELIANCE
PLACED ON, THIS INFORMATION FOR ANY PURPOSE.
================================================================================