Buffer Overflow Vulnerability
Found in MailMax Version 5
http://www.smartmax.com
Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------
-----[SUMMARY
This is a scalable e-mail server that supports SMTP, IMAP4 and POP3
protocols.
Its TCP/IP GUI allows server administration from any Internet connected
server.
The Web Admin module allows you to define domain administrators so they can
Maintain their own accounts. It also provides anti-spamming options.
The problem is a Buffer Overflow in the IMAP4 protocol, within the
IMAP4rev1 SmartMax IMAPMax 5, causing the service to stop responding.
-----[AFFECTED SYSTEMS
Vulnerable systems:
* IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.6 and 5.0.10.7)
Immune systems:
* IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.8)
* IMAP4rev1 SmartMax IMAPMax 5.5
-----[SEVERITY
Medium - An attacker is able to cause a DoS attack on the IMAP protocol
But it has no effect on the rest of the system.
-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The Vulnerability is a Buffer Overflow in the IMAP4rev1 SmartMax IMAPMax 5
When a malicious attacker sends a large amount into the password field, in
The login procedure.
The following transcript demonstrates a sample exploitation of the
Vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc 127.0.0.1 143
* OK IMAP4rev1 SmartMax IMAPMax 5 Ready
0000 CAPABILITY
* CAPABILITY IMAP4rev1
0000 OK CAPABILITY completed
0001 LOGIN "mailat_private" "A..[50] ..A"
0001 NO Invalid user name or password.
0001 NO Invalid user name or password.
----------------------------- [Transcript] -----------------------------
When this attack is used there will pop-up a message box on the server, with
the text
"Buffer overrun detected! - Program: <PATH>\IMAPMax.exe" at this time the
service
shuts down, and has to be restarted manually, from the service manager.
-----[DETECTION
IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above transcript.
-----[WORK AROUNDS
* With this vulnerable version of IMAP, the only workaround is to disable
the
IMAP4rev1 SmartMax IMAPMax 5 service, there are no workaround in the
configuration.
* SmartMax has released a patched version of IMAPMax.exe version 5.0.10.8
which corrects
the problem. It can be downloaded at
ftp://ftp.smartmax.com/updates/MailMax 5.0/Files/
Remember to ensure that the file version is 5.0.10.8 or higher.
* Update your MailMax Version 5 to the released version 5.5
-----[VENDOR RESPONSE
Thank you for the buffer overrun security notification in our
ImapMax module for MailMax 5. I'm enclosing an updated IMAPMAX
which fixes the buffer overflow vulnerability? We'll be posting
this in our MailMax 5.5 update next week.
Regards,
Eric Weber
-----[DISCLOSURE TIMELINE
25/03/2003 Found the Vulnerability, and made an analysis.
27/03/2003 Reported to Vendor (salesat_private, featuresat_private,
supportat_private).
27/03/2003 Vendor reply, they now know of the vulnerabilities.
27/03/2003 Vendor send a patch (Version 5.0.10.7) of the IMAPMax.exe still
contains the vulnerability.
27/03/2003 Received version 5.0.10.8 from Vendor.
27/03/2003 Tested version 5.0.10.8 from vendor, and this version is not
vulnerable.
27/03/2003 Fix made public.
11/04/2003 Public Disclosure.
-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by <derat_private> Dennis
Rand
-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect,
incidental, consequential, loss of business profits or special damages.
This archive was generated by hypermail 2b30 : Sat Apr 12 2003 - 01:06:14 PDT