IPSwitch IMail 6.06 SMTP Remote System Access Vulnerability

Release Date:
April 24, 2001

Severity:
Possible Remote System Access

Vendor:
IPSwitch

Systems Affected:
Systems running IPSwitch's IMail 6.06 SMTP daemon. Prior versions are also most likely vulnerable.

Overview:
A vulnerability in IMail allows remote attackers to gain SYSTEM-level access to servers running IMail's SMTP daemon. The vulnerability stems from the IMail SMTP daemon not performing proper bounds checking on various input data that is passed to the IMail mailing list handler code. If an attacker crafts a special buffer and sends it to a remote IMail SMTP server, it is possible for the attacker to remotely execute code (commands) on the IMail system.

Technical Details:
In order to overwrite EIP you must know the name of a valid mailing list. IMail will happily provide you with a list of mailing lists if you send imailsrv@example.com an e-mail with the word "list" (without the quotes) in the body of the message. Now take any valid mailing list name and put it into the following SMTP session request and you will successfully cause a buffer overflow within the IMail service which, if you supply a specially crafted buffer, will result in the ability to remotely execute code on the IMail server.

Client SMTP Session -> IMAIL SMTP
----------------------------------------------------
helo eeyerulez
mailfrom: <>
rcpt to: valid_mailing_list
data
From: [buffer] example.com
To: Whatever
wohooo!
.
quit
-----------------------------------------------------
Where [buffer] is 829 or so characters.
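
A defensive check for the condition shown in the session above, as an added example (not eEye's or IPSwitch's code): it scans the client side of a captured SMTP session and reports every message whose unfolded From: header exceeds a policy limit, along with the recipients it was addressed to. The 512-character limit, the function names, the list name and both sample sessions are assumptions constructed for illustration.

```python
# Added example: flag SMTP messages with an oversized From: header.
MAX_FROM_LEN = 512  # assumed policy limit, not a value from the advisory


def unfold_headers(data_lines):
    """Return [(name, value)] for the header block, joining folded lines."""
    headers = []
    for line in data_lines:
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        elif line and ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
        else:
            break  # blank line or non-header text: the body has started
    return headers


def inspect_session(client_lines, max_len=MAX_FROM_LEN):
    """Scan client-side SMTP lines; return one finding per oversized From:."""
    findings, rcpts, data, in_data = [], [], [], False
    for raw in client_lines:
        line = raw.rstrip("\r\n")
        if in_data:
            if line != ".":
                # Undo dot-stuffing on message lines that begin with "."
                data.append(line[1:] if line.startswith(".") else line)
                continue
            for name, value in unfold_headers(data):
                if name == "from" and len(value) > max_len:
                    findings.append({"rcpt": rcpts[:], "from_len": len(value)})
            rcpts, data, in_data = [], [], False
            continue
        cmd = line.strip().lower()
        if cmd.startswith("rcpt to:"):
            rcpts.append(line.split(":", 1)[1].strip().strip("<>"))
        elif cmd.startswith(("mail", "rset")):
            rcpts = []  # a new transaction discards earlier recipients
        elif cmd == "data":
            in_data = True
    return findings


# Constructed sample sessions (filler text only; "staff-list" is hypothetical).
BENIGN = ["helo client", "mail from: <a@example.com>", "rcpt to: <staff-list>",
          "data", "From: Alice <a@example.com>", "To: staff-list", "", "hi", ".", "quit"]
OVERSIZED = ["helo client", "mail from: <>", "rcpt to: staff-list", "data",
             "From: " + "A" * 829 + " example.com", "To: Whatever", "wohooo!", ".", "quit"]

if __name__ == "__main__":
    for label, session in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(label, inspect_session(session))
```

Matching the reported recipients against the server's known mailing list names narrows the findings to messages that would reach the list handler.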

Check back to the eEye website as we will post an exploit at some point.

Vendor Status:
We would like to thank the people at IPSwitch for immediately making this a priority and releasing a patch very quickly. In fact IMail was able to get a corrective patch out within two days of contacting them. That sort of vendor response should be standard throughout the industry.
Users of IMail may download the IMail patches from:
http://ipswitch.com/support/IMail/patch-upgrades.html

Credit:
Riley Hassell

Greetings:
For all the people who have made life more interesting.
KAM, K2, Zen-Parse, Lamagra, Roland Postle, lsd from Poland and Martha Stewart.

Copyright (c) 1998-2009 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please email alert@eEye.com for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are no warranties, implied or express, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.