OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Dave Ahmad (dasecurityfocus.com)
Date: Mon May 20 2002 - 15:46:26 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ---------- Forwarded message ----------
    Date: Mon, 20 May 2002 13:24:26 -0700
    From: Foundstone Labs <labsfoundstone.com>
    To: dasecurityfocus.com
    Subject: Foundstone Advisory - Buffer Overflow in Ipswitch Imail 7.1 and
        prior

    Please disregard the previous email.
    Can you please forward this to the bugtraq mailing list?

                Thanks,
                Marshall Beddoe

    -----------------------------------------------------------------------------
    FS Advisory ID: FS-052002-21-IPIM

    Release Date: May 20, 2002

    Product: IMail Server

    Vendor: Ipswitch (http://www.ipswitch.com)

    Vendor Advisory: See vendor's website

    Type: Buffer Overflow

    Severity: High

    Author: Foundstone, Inc (http:/www.foundstone.com)

    Operating Systems: Windows 2000 / XP

    Vulnerable Versions: 7.1 and prior

    Foundstone Advisory: http://www.foundstone.com/advisories.htm
    -----------------------------------------------------------------------------

    Description:

                A buffer overflow exists in the LDAP component of Ipswitch's IMail
                software suite. Exploitation of this vulnerability allows remote
                execution of arbitrary code with the privileges of the IMail daemon
                (default is SYSTEM).

    Details:

                The IMail server ships with several components including an LDAP
                service. The LDAP server allows a remote client read access to
                the IMail directory. A vulnerability exists during the authentication
                process which allows an outside attacker remote access to the
                server with the privileges of the SYSTEM account.

                When "binding" to the server with simple authentication a "bind DN"
                and password can be specified. By providing an overly long string to
                the "bind DN" parameter, it is possible to overwrite the saved return
                address, control the instruction pointer and execute arbitrary code in
                the remote process.

    Solution:

                Refer to the advisory published by Ipswitch at

    http://www.ipswitch.com/Support/IMail/patch-upgrades.html

                Customers should obtain upgraded software by contacting their customer
                support representative to receive the required patches.

    Credits:

                Foundstone would like to thank Ipswitch for their prompt response and
                handling of this problem.

    Disclaimer:

                The information contained in this advisory is copyright (c) 2002
                Foundstone, Inc. and is believed to be accurate at the time of
                publishing, but no representation of any warranty is given, express, or
                implied as to its accuracy or completeness. In no event shall the
                author or Foundstone be liable for any direct, indirect, incidental,
                special, exemplary or consequential damages resulting from the use or
                misuse of this information. This advisory may be redistributed,
                provided that no fee is assigned and that the advisory is not modified
                in any way.