Buffer Overflow Condition in IPSwitch IMail 6

Reported April 24, 2001, by eEye.

VERSION AFFECTED

  • IPSwitch IMail 6.06 for Windows 2000 and Windows NT

DESCRIPTION

A vulnerability exists within the IMail 6.06 mail server that can let a remote attacker gain SYSTEM-level access to servers running the SMTP daemon. This vulnerability results from the IMail SMTP daemon's failure to properly check the bounds on the input data that the program passes to the IMail Mailing List handler code. If an attacker crafts a special buffer and sends it to a remote IMail SMTP server, he or she can remotely execute code (commands) on the IMail system. You can find detailed information and exploit code at the eEye Web site.

DEMONSTRATION

eEye provided the following demonstration as proof of concept:

Client SMTP Session -> IMAIL SMTP
----------------------------------------------------
helo eeyerulez
mailfrom:
rcpt to: valid_mailing_list
data
From: [buffer] example.com
To: Whatever
wohooo!
.
quit
-----------------------------------------------------

Where [buffer] is 829 or so characters.
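
A defensive check for the condition shown in the demonstration, added here as an example (not eEye's or IPSwitch's code): it reads the client side of an SMTP session and reports any From: header whose unfolded value exceeds a length limit. The 512-character limit, the function names and the sample sessions are assumptions constructed for illustration.

```python
import re

FROM_LIMIT = 512  # assumed policy threshold, not a value taken from the advisory
HEADER_RE = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")  # RFC 5322 field name, then value

def message_headers(client_lines):
    """Yield (name, unfolded_value) for each header sent after the DATA command."""
    lines = iter(client_lines)
    for line in lines:                          # skip envelope commands up to DATA
        if line.strip().lower() == "data":
            break
    name, value = None, ""
    for line in lines:
        line = line.rstrip("\r\n")
        if line[:1] in (" ", "\t") and name:    # folded continuation of previous header
            value += " " + line.strip()
            continue
        match = HEADER_RE.match(line)
        if name:                                # previous header is now complete
            yield name, value
            name = None
        if not match:                           # blank line, body text or "." ends headers
            return
        name, value = match.group(1), match.group(2)
    if name:
        yield name, value

def oversized_from(client_lines, limit=FROM_LIMIT):
    """Return the length of every From: value longer than `limit` characters."""
    return [len(v) for n, v in message_headers(client_lines)
            if n.lower() == "from" and len(v) > limit]

# Constructed sample sessions (client side only), shaped like the demonstration above.
ENVELOPE = ["helo client.example", "mail from: <>", "rcpt to: list@example.com", "data"]
SAMPLE_LONG = ENVELOPE + ["From: " + "A" * 829 + " example.com", "To: Whatever",
                          "wohooo!", ".", "quit"]
# The same amount of filler split over a folded header: the unfolded length is measured.
SAMPLE_FOLDED = ENVELOPE + ["From: " + "A" * 400, "\t" + "A" * 429, "To: Whatever",
                            "", "body", ".", "quit"]
SAMPLE_OK = ENVELOPE + ["From: user@example.com", "To: Whatever", "", "body", ".", "quit"]

if __name__ == "__main__":
    for label, session in (("long", SAMPLE_LONG), ("folded", SAMPLE_FOLDED), ("ok", SAMPLE_OK)):
        print(label, oversized_from(session))
```

The RFC 5322 per-line maximum of 998 characters is larger than the roughly 829 characters in the demonstration, so a check that only enforces the RFC line limit would not flag it; the threshold has to be a local policy choice.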

 

 

VENDOR RESPONSE

The vendor, IPSwitch, has released a patch to correct this vulnerability.

CREDIT

Discovered by Riley Hassell and Marc Maiffret of eEye.
