Subject: DoS by SMTP AUTH command in IPSwitch IMail server
From: SAKAI Yoriyuki (sakaiLAC.CO.JP)
Date: Wed Dec 06 2000 - 19:41:17 CST


Dear folks,

I found a DoS in the handling of the SMTP AUTH command in IPSwitch IMail
server version 6.0.5.
IPSwitch ships a product titled IMail, an email server for use on NT
servers, serving SMTP, POP3, IMAP4, LDAP etc.
It supports the SMTP AUTH command (RFC2554) and several authentication
methods to relay/accept e-mail.

Problem Description
-------------------
When I put a password of more than 80 bytes and less than 136 bytes in
BASE64 format, the SMTP server of IMail stops responding. No new SMTP
sessions can be created, either locally or remotely. In this case the
length of the password causes the problem; its value does not matter.

Example of Issue:
HELO myhost
250 hello target
AUTH LOGIN
334 VXNlcm5hbWU6 (Put the BASE64ed user name)
334 UGFzc3dvcmQ6
(Put the BASE64ed user password, over 80 bytes and less than 136 bytes;
the length of the password is approximate.)
(The connection is disconnected.)

When I put more than about 136 bytes for the password, the server
responds with status "552" (command exceeds maximum length) and
continues to work.
If the length of the password is less than 80 bytes, it works normally.
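As an added example (not part of the original report), the check below walks a captured SMTP session transcript and flags AUTH LOGIN password tokens whose length falls in the window the report describes, so an administrator can spot such attempts in mail logs. The session lines are constructed, and the example assumes the reported 80/136 byte limits apply to the BASE64-encoded token as typed by the client.

```python
import base64

# Length window, in bytes of the BASE64 text, that the report says hangs
# IMail 6.0.5: over 80 and under 136. Assumption: the report measured the
# encoded token, so the window is applied to the encoded length.
HANG_MIN = 81
HANG_MAX = 135
# Tokens longer than the window are answered with 552 and do no harm.

USERNAME_PROMPT = "334 VXNlcm5hbWU6"  # base64("Username:"), sent by AUTH LOGIN
PASSWORD_PROMPT = "334 UGFzc3dvcmQ6"  # base64("Password:"), sent by AUTH LOGIN


def classify_password_token(token: str) -> str:
    """Classify one AUTH LOGIN password token by the report's length windows."""
    n = len(token.strip())
    if n < HANG_MIN:
        return "normal"
    if n <= HANG_MAX:
        return "hang-window"
    return "rejected-552"


def scan_session(lines):
    """Walk a captured SMTP session line by line. The client line that follows
    the Password: prompt is the password token; return (line_no, length,
    verdict) for each one so the hang-window cases can be alerted on."""
    findings = []
    expect_password = False
    for line_no, line in enumerate(lines, 1):
        stripped = line.strip()
        if stripped.startswith(PASSWORD_PROMPT):
            expect_password = True
            continue
        if expect_password:
            expect_password = False
            findings.append((line_no, len(stripped), classify_password_token(stripped)))
    return findings


# Constructed session transcript mirroring the exchange in the report.
SAMPLE_SESSION = [
    "HELO myhost",
    "250 hello target",
    "AUTH LOGIN",
    USERNAME_PROMPT,
    base64.b64encode(b"user").decode(),        # BASE64ed user name
    PASSWORD_PROMPT,
    base64.b64encode(b"A" * 75).decode(),      # 100-byte token: inside the window
]

if __name__ == "__main__":
    for line_no, length, verdict in scan_session(SAMPLE_SESSION):
        print(f"line {line_no}: password token of {length} bytes -> {verdict}")
```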

Remotely Exploitable
--------------------
                Yes

Locally Exploitable
--------------------
                Yes

Tested Version of IMail
-----------------------
6 Gold (Japanese; No minor version is available)
6.0.5 (English)

Tested on
---------
Windows NT 4.0 Server SP6a (Japanese/English)
Windows 2000 Server (No SPs) (Japanese/English)
Windows 2000 Server SP1 (Japanese/English)

Status of fixes
---------------
        I reported this issue on 2000/Nov/15 and discussed it.
IPSwitch has not released a patch yet.
I hope a fix will be released as soon as possible.

Status of fixes (Japanese Version)
---------------------------------
        I also reported this issue to the Japanese distributor of IMail
on 2000/Nov/15, but because I had used the evaluation version of IMail
when I reported it, they closed all responses. Their attitude is in
contrast to IPSwitch's. I only wanted to examine what kinds of bugs are
still in the current version of IMail and to make a short report to
our customer.
I wonder whether they really mean that the evaluation copy is only for
the sake of evaluation and that all vulnerabilities must be reported by
current customers.

--
  SAKAI Yoriyuki / SNS (SecureNetService) Team / LAC Co., Ltd.
  sakailac.co.jp
  http://www.lac.co.jp/security/