Details of VAR-200802-0189

ID

VAR-200802-0189

CVE

CVE-2008-0871

TITLE

Now SMS/MMS Gateway Vulnerable to stack-based buffer overflow

Trust: 0.8

sources: JVNDB: JVNDB-2008-004135

DESCRIPTION

Multiple stack-based buffer overflows in Now SMS/MMS Gateway 2007.06.27 and earlier allow remote attackers to execute arbitrary code via a (1) long password in an Authorization header to the HTTP service or a (2) large packet to the SMPP service. Now SMS/MMS Gateway is prone to multiple buffer-overflow vulnerabilities because it fails to adequately bounds-check user-supplied input before copying it to insufficiently sized buffers. Successfully exploiting these issues will allow an attacker to execute arbitrary code with the privileges of the user running the affected application. Failed exploit attempts will likely crash the application. These issues affect Now SMS/MMS Gateway 2007.06.27 and prior versions. Now SMS & MMS Gateway (NowSMS) is a suite of SMS and MMS content delivery solutions from Now Wireless, UK. This solution can be used as SMS gateway, MMS gateway, WAP Push gateway and multimedia message center. The Web interface of NowSMS listening on port 8800 allows users to use the gateway to send various types of messages. The function used to process the base64 password in the HTTP Authorization parameter on this interface has a stack overflow vulnerability. If the user sends a message that exceeds 256 bytes, this overflow can be triggered, resulting in the execution of arbitrary instructions. NowSMS uses 4K bytes of stack buffer to accommodate incoming SMPP messages. Due to the lack of checking on the real size of the message (up to 0xffffffff bytes), a remote attacker can trigger stack overflow by sending an oversized message, resulting in the execution of arbitrary instructions. The SMPP server is not enabled by default and has no default listening port. ---------------------------------------------------------------------- A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched. Download and test it today: https://psi.secunia.com/ Read more about this new version: https://psi.secunia.com/?page=changelog ---------------------------------------------------------------------- TITLE: Now SMS/MMS Gateway HTTP/SMPP Handling Buffer Overflows SECUNIA ADVISORY ID: SA29003 VERIFY ADVISORY: http://secunia.com/advisories/29003/ CRITICAL: Highly critical IMPACT: System access WHERE: >From remote SOFTWARE: Now SMS/MMS Gateway 2007.x http://secunia.com/product/17663/ DESCRIPTION: Luigi Auriemma has discovered some vulnerabilities in Now SMS/MMS Gateway, which can be exploited by malicious people to compromise a vulnerable system. Successful exploitation allows execution of arbitrary code. 2) A boundary error in the SMPP server when processing SMPP packets can be exploited to cause a stack-based buffer overflow via a specially crafted SMPP packet. Successful exploitation allows execution of arbitrary code but requires that the SMPP server is enabled and a specific port is set. The vulnerabilities are confirmed in version 2007.06.27. Other versions may also be affected. SOLUTION: Restrict network access to the services. PROVIDED AND/OR DISCOVERED BY: Luigi Auriemma ORIGINAL ADVISORY: http://aluigi.altervista.org/adv/nowsmsz-adv.txt ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------

Trust: 2.07

sources: NVD: CVE-2008-0871 // JVNDB: JVNDB-2008-004135 // BID: 27896 // VULHUB: VHN-30996 // PACKETSTORM: 63855

AFFECTED PRODUCTS

vendor:	now	model:	sms mms gateway	scope:	lte	version:	2007.06.27	Trust: 1.8
vendor:	now	model:	sms mms gateway	scope:	eq	version:	2007.06.27	Trust: 0.6
vendor:	now	model:	wireless now sms & mms gateway	scope:	eq	version:	2007.6.27	Trust: 0.3
vendor:	now	model:	wireless now sms & mms gateway	scope:	ne	version:	2008	Trust: 0.3

sources: BID: 27896 // JVNDB: JVNDB-2008-004135 // CNNVD: CNNVD-200802-397 // NVD: CVE-2008-0871

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2008-0871
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2008-0871
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-200802-397
value:	MEDIUM
Trust: 0.6
VULHUB:	VHN-30996
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2008-0871
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
VULHUB:	VHN-30996
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: VULHUB: VHN-30996 // JVNDB: JVNDB-2008-004135 // CNNVD: CNNVD-200802-397 // NVD: CVE-2008-0871

PROBLEMTYPE DATA

problemtype:

CWE-119

Trust: 1.9

sources: VULHUB: VHN-30996 // JVNDB: JVNDB-2008-004135 // NVD: CVE-2008-0871

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200802-397

TYPE

buffer overflow

Trust: 0.6

sources: CNNVD: CNNVD-200802-397

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-004135

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-30996

PATCH

title:

Top page

url:

http://www.nowsms.com/

Trust: 0.8

sources: JVNDB: JVNDB-2008-004135

EXTERNAL IDS

db:	NVD	id:	CVE-2008-0871	Trust: 2.8
db:	BID	id:	27896	Trust: 2.0
db:	SECUNIA	id:	29003	Trust: 1.8
db:	VUPEN	id:	ADV-2008-0615	Trust: 1.7
db:	EXPLOIT-DB	id:	5695	Trust: 1.7
db:	JVNDB	id:	JVNDB-2008-004135	Trust: 0.8
db:	MILW0RM	id:	5695	Trust: 0.6
db:	BUGTRAQ	id:	20080219 MULTIPLE BUFFER-OVERFLOW IN NOWSMS V2007.06.27	Trust: 0.6
db:	CNNVD	id:	CNNVD-200802-397	Trust: 0.6
db:	SEEBUG	id:	SSVID-65432	Trust: 0.1
db:	SEEBUG	id:	SSVID-71283	Trust: 0.1
db:	EXPLOIT-DB	id:	16779	Trust: 0.1
db:	PACKETSTORM	id:	83180	Trust: 0.1
db:	VULHUB	id:	VHN-30996	Trust: 0.1
db:	PACKETSTORM	id:	63855	Trust: 0.1

sources: VULHUB: VHN-30996 // BID: 27896 // JVNDB: JVNDB-2008-004135 // PACKETSTORM: 63855 // CNNVD: CNNVD-200802-397 // NVD: CVE-2008-0871

REFERENCES

url:	http://aluigi.altervista.org/adv/nowsmsz-adv.txt	Trust: 1.8
url:	http://www.securityfocus.com/bid/27896	Trust: 1.7
url:	http://secunia.com/advisories/29003	Trust: 1.7
url:	http://www.securityfocus.com/archive/1/488365/100/100/threaded	Trust: 1.1
url:	https://www.exploit-db.com/exploits/5695	Trust: 1.1
url:	http://www.vupen.com/english/advisories/2008/0615	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-0871	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2008-0871	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/488365/100/100/threaded	Trust: 0.6
url:	http://www.milw0rm.com/exploits/5695	Trust: 0.6
url:	http://www.frsirt.com/english/advisories/2008/0615	Trust: 0.6
url:	http://www.nowsms.com/framer.htm?http://www.nowsms.com/newsletter/nowsms2008.htm	Trust: 0.3
url:	http://www.nowsms.com/	Trust: 0.3
url:	/archive/1/488365	Trust: 0.3
url:	http://secunia.com/advisories/29003/	Trust: 0.1
url:	http://secunia.com/secunia_security_advisories/	Trust: 0.1
url:	https://psi.secunia.com/?page=changelog	Trust: 0.1
url:	https://psi.secunia.com/	Trust: 0.1
url:	http://secunia.com/product/17663/	Trust: 0.1
url:	http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org	Trust: 0.1
url:	http://secunia.com/about_secunia_advisories/	Trust: 0.1

sources: VULHUB: VHN-30996 // BID: 27896 // JVNDB: JVNDB-2008-004135 // PACKETSTORM: 63855 // CNNVD: CNNVD-200802-397 // NVD: CVE-2008-0871

CREDITS

Luigi Auriemma※ aluigi@pivx.com

Trust: 0.6

sources: CNNVD: CNNVD-200802-397

SOURCES

db:	VULHUB	id:	VHN-30996
db:	BID	id:	27896
db:	JVNDB	id:	JVNDB-2008-004135
db:	PACKETSTORM	id:	63855
db:	CNNVD	id:	CNNVD-200802-397
db:	NVD	id:	CVE-2008-0871

LAST UPDATE DATE

2025-04-10T23:11:31.769000+00:00

SOURCES UPDATE DATE

db:	VULHUB	id:	VHN-30996	date:	2018-10-15T00:00:00
db:	BID	id:	27896	date:	2015-05-07T17:32:00
db:	JVNDB	id:	JVNDB-2008-004135	date:	2012-09-25T00:00:00
db:	CNNVD	id:	CNNVD-200802-397	date:	2009-04-08T00:00:00
db:	NVD	id:	CVE-2008-0871	date:	2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db:	VULHUB	id:	VHN-30996	date:	2008-02-21T00:00:00
db:	BID	id:	27896	date:	2008-02-19T00:00:00
db:	JVNDB	id:	JVNDB-2008-004135	date:	2012-09-25T00:00:00
db:	PACKETSTORM	id:	63855	date:	2008-02-21T04:22:58
db:	CNNVD	id:	CNNVD-200802-397	date:	2008-02-21T00:00:00
db:	NVD	id:	CVE-2008-0871	date:	2008-02-21T19:44:00