The Internet Mail Service in Exchange Server 5.5 and Exchange 2000 allows remote attackers to cause a denial of service (memory exhaustion) by directly connecting to the SMTP service and sending a certain extended verb request (XEXCH50). In Exchange 2000, an agent could be installed by exploiting a buffer overflow in the same SMTP command.
This module uploads a specially crafted e-mail via a user-provided IMAPv4 account and waits until this e-mail is opened through OWA (Outlook Web Access) and any button inside the window is pressed (the Maximize/Normal, Minimize and Close buttons do nothing); then the agent connects back.
The vulnerability is caused by a boundary error in the included web server when processing HTTP requests. This can be exploited to cause a stack-based buffer overflow via an overly long GET request.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing Evinco CamShot. The vulnerability is caused by a boundary error within Evinco CamShot when processing HTTP GET requests. This can be exploited to cause a stack-based buffer overflow via an overly long, specially crafted argument passed to the affected command. Authentication is not required to exploit this vulnerability.
This module exploits a remote stack-based buffer overflow in the Eudora Qualcomm WorldMail IMAPd Service by sending a malformed packet to port 143/TCP. The SEH gets overwritten when using the UID command.
This module exploits a remote stack-based buffer overflow in Ericom AccessNow Server by sending a malformed packet to the 8080/TCP port.
This module exploits a buffer overflow vulnerability in Enterasys NetSight. This vulnerability can be exploited remotely by sending a specially crafted packet to port UDP/514.
The best practice for installations of EMC Replication Manager is to register a Replication Manager Client (irccd.exe) instance with the appropriate Replication Manager Server (ird.exe) as soon as the client software is installed on a host. Registration is performed by Replication Manager administrators from within the Replication Manager Server. In the window before a Replication Manager Client instance is registered with a Replication Manager Server, the RunProgram function of the client instance can be invoked with arbitrary arguments by remote unauthenticated attackers in order to execute arbitrary code with SYSTEM privileges on the vulnerable machine. This module exploits this misconfiguration scenario in order to install an agent on machines running still unregistered instances of EMC Replication Manager Client.
This module exploits a format string vulnerability in EMC NetWorker by sending a crafted packet to the nsrd RPC service.
This module exploits a remote code execution vulnerability in EMC Data Protection Advisor (DPA). Vulnerable installations of EMC DPA expose the EJBInvokerServlet invoker servlet, which does not require any type of authentication by default on certain profiles and allows remote attackers to invoke MBean methods and execute arbitrary code.