OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: eEye Digital Security (eeyeEEYE.COM)
Date: Tue Apr 24 2001 - 19:32:40 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    IPSwitch IMail 6.06 SMTP Remote System Access Vulnerability

    Release Date:
    April 24, 2001

    Severity:
    High

    Systems Affected:
    Systems running IPSwitch's IMail 6.06 SMTP daemon. Prior versions are most
    likely vulnerable.

    Description:
    There exists a vulnerability within IMail that allows remote attackers to
    gain SYSTEM level access to servers running IMailís SMTP daemon. The
    vulnerability stems from the IMail SMTP daemon not doing proper bounds
    checking on various input data that gets passed to the IMail Mailing List
    handler code. If an attacker crafts a special buffer and sends it to a
    remote IMail SMTP server its possible that an attacker can remotely execute
    code (commands) on the IMail system.

    In order to overwrite EIP you must know the name of a valid mailing list.
    IMail will happily provide you with a list of mailing lists by sending
    imailsrvexample.com an eMail with the word "list" (without the quotes) in
    the body of an eMail msg. Now take any valid mailing list name and put it
    into the following SMTP session request and you will succesfully cause a
    buffer overflow to happen within the IMail service which, if you supply a
    specially crafted buffer, will result in the ability to remotely execute
    code on the IMail server.

    Client SMTP Session -> IMAIL SMTP
    ----------------------------------------------------
    helo eeyerulez
    mailfrom: <>
    rcpt to: valid_mailing_list
    data
    From: [buffer] example.com
    To: Whatever
    wohooo!
    .
    quit
    -----------------------------------------------------
    Where [buffer] is 829 or so characters.

    Check back to the eEye website as we will post an exploit at some point.

    Credit:
    Riley Hassell rileyeeye.com
    Marc Maiffret marceeye.com

    Vendor Status:
    We would like to thank the people at IPSWITCH for immediately making this a
    priority and releasing a patch very quickly. In fact IMail was able to get a
    corrective patch out within two days of contacting them. That sort of vendor
    response should be standard throughout the industry.
    Users of IMail may download the IMail patches from:
    http://ipswitch.com/support/IMail/patch-upgrades.html

    Related Links:
    eEye Digital Security http://www.eEye.com/

    Greetings:
    For all the people who have made life more interesting.
    KAM, K2, Zen-Parse, Lamagra, Roland Postle, lsd from Poland and Martha
    Stewart.

    Copyright (c) 1998-2001 eEye Digital Security
    Permission is hereby granted for the redistribution of this alert
    electronically. It is not to be edited in any way without express consent of
    eEye. If you wish to reprint the whole or any part of this alert in any
    other medium excluding electronic medium, please e-mail alerteEye.com for
    permission.

    Disclaimer
    The information within this paper may change without notice. Use of this
    information constitutes acceptance for use in an AS IS condition. There are
    NO warranties with regard to this information. In no event shall the author
    be liable for any damages whatsoever arising out of or in connection with
    the use or spread of this information. Any use of this information is at the
    user's own risk.

    Feedback
    Please send suggestions, updates, and comments to:

    eEye Digital Security
    http://www.eEye.com
    infoeEye.com