wSendmail.exe 2.0x from www.jgaa.com
wsendmail is a sendmail replacement for Win32 installations.
It can be used as a command-line tool and as a CGI program.
Problem description:
There is a buffer overflow in wsendmail.exe: any argument longer than 127 bytes causes
an application error (tested on a Windows 2000 installation).
Example:
wSendmail.exe `perl -e 'print "x"x128;'`'dcba'
will overwrite EIP with 0x61626364 ... done
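As an added illustration (not wSendmail's own code, which is not on the page), a hypothetical C model of the bug class the advisory describes: a fixed 127-byte argument buffer filled with strcpy, beside a bounds-checked replacement that refuses over-long arguments before any copy happens. ARG_MAX_LEN, copy_arg_unsafe, copy_arg_safe and check_args are invented names.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical limit mirroring the 127-byte boundary the advisory reports;
 * wSendmail's real source is not on the page, so this models the bug class. */
#define ARG_MAX_LEN 127
/* Vulnerable pattern: copies an argument into a fixed stack buffer with no
 * length check. Anything of 128 bytes or more runs past 'buf' and clobbers
 * the saved return address, which is the application error described above.
 * Shown only for contrast; never call it with untrusted input. */
int copy_arg_unsafe(const char *arg)
{
    char buf[ARG_MAX_LEN + 1];
    strcpy(buf, arg);               /* no bounds check */
    return (int)strlen(buf);
}

/* Hardened version: check the length first and reject what does not fit,
 * so an over-long argument becomes an error instead of an overflow. */
int copy_arg_safe(const char *arg, char *out, size_t out_len)
{
    size_t n = strlen(arg);
    if (out_len == 0 || n > out_len - 1 || n > ARG_MAX_LEN)
        return -1;                  /* too long: refuse it */
    memcpy(out, arg, n + 1);        /* copies the terminator too */
    return (int)n;
}

/* Validates every argument with the hardened copy. Returns the index of the
 * first rejected argument, or 0 when all are within the limit. */
int check_args(int argc, char **argv)
{
    char buf[ARG_MAX_LEN + 1];
    for (int i = 1; i < argc; i++)
        if (copy_arg_safe(argv[i], buf, sizeof buf) < 0)
            return i;
    return 0;
}

int main(int argc, char **argv)
{
    int bad = check_args(argc, argv);
    if (bad) {
        fprintf(stderr, "argument %d exceeds %d bytes, refusing\n", bad, ARG_MAX_LEN);
        return 1;
    }
    puts("all arguments within the limit");
    return 0;
}
```

Run with the 128-byte argument from the example above and the hardened check exits with an error instead of crashing.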
Summary:
This vulnerability can only be exploited (remotely) on a machine running the Apache web server.
IIS > 4.0 does NOT pass QUERY_STRING to programs as an ARGUMENT!
RC-EOF