Reported April 24, 2001, by eEye.
VERSION AFFECTED
- IPSwitch IMail 6.06 for Windows 2000 and Windows NT
DESCRIPTION
A vulnerability exists within the IMail 6.06 mail server that can let a remote
attacker gain SYSTEM-level access to servers running the SMTP daemon. This
vulnerability results from the IMail SMTP daemon's failure to properly check the
bounds on the input data that the program passes to the IMail Mailing List
handler code. If an attacker crafts a special buffer and sends it to a remote
IMail SMTP server, he or she can remotely execute code (commands) on the IMail
system. You can find detailed information and exploit code at the eEye
Web site.
DEMONSTRATION
eEye provided the following demonstration as proof of concept:
Client SMTP Session -> IMAIL SMTP
----------------------------------------------------
helo eeyerulez
mailfrom:
rcpt to: valid_mailing_list
data
From: [buffer] example.com
To: Whatever
wohooo!
.
quit
-----------------------------------------------------
Where [buffer] is 829 or so characters.
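A defender-side check for the pattern shown above, as an added example (not eEye's or IPSwitch's code): it parses a client-side SMTP transcript and flags From: headers inside DATA that carry an abnormally long unbroken token. The 256-character threshold, the function names and the sample sessions are assumptions constructed for illustration.

```python
import re

# Assumed alerting threshold, not a value from the advisory: RFC 5321 caps a
# mailbox path at 256 octets, so a longer unbroken token in From: is abnormal.
MAX_FROM_TOKEN = 256
HEADER = re.compile(r"^([!-9;-~]+):[ \t]*(.*)$")

def data_headers(session):
    """Return (name, value) pairs for headers in each DATA section of a
    client-side SMTP transcript, with folded continuation lines unfolded."""
    headers, current, state = [], None, "cmd"
    for line in session.replace("\r\n", "\n").split("\n"):
        if state == "cmd":
            if line.strip().lower() == "data":
                state = "hdr"
            continue
        if line == ".":                      # end of message, back to commands
            state, current = "cmd", None
            continue
        if state != "hdr":
            continue
        m = HEADER.match(line)
        if m:
            current = [m.group(1), m.group(2)]
            headers.append(current)
        elif current is not None and line[:1] in (" ", "\t"):
            current[1] += " " + line.strip()
        else:                                # blank or non-header line: body starts
            state = "body"
    return [tuple(h) for h in headers]

def oversized_from(session, limit=MAX_FROM_TOKEN):
    """Return (value_length, longest_token_length) for each From: header whose
    longest whitespace-free token exceeds `limit`."""
    hits = []
    for name, value in data_headers(session):
        longest = max((len(t) for t in value.split()), default=0)
        if name.lower() == "from" and longest > limit:
            hits.append((len(value), longest))
    return hits

# Constructed sample sessions (filler bytes only, addresses are placeholders).
SUSPECT = "\r\n".join(["helo client.example", "mail from: <a@example.org>",
    "rcpt to: valid_mailing_list", "data", "From: " + "A" * 829 + " example.com",
    "To: Whatever", "wohooo!", ".", "quit"])
BENIGN = SUSPECT.replace("A" * 829, "Alice <alice@example.org>")

if __name__ == "__main__":
    print(oversized_from(SUSPECT), oversized_from(BENIGN))
```

The same length test can run in a mail gateway or over captured sessions in front of a server that has not yet been patched.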
VENDOR RESPONSE
The vendor, IPSwitch, has released a patch to correct this vulnerability.
CREDIT
Discovered by Riley Hassell and Marc Maiffret of eEye.