lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 11 Apr 2003 13:54:15 +0200
From: "Dennis Rand" <der@...owarfare.dk>
To: <bugtraq@...urityfocus.com>
Subject: Buffer Overflow Vulnerability Found in MailMax Version 5


                        Buffer Overflow Vulnerability
                         Found in MailMax Version 5
                           http://www.smartmax.com
                         
                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
This is a scalable e-mail server that supports SMTP, IMAP4 and POP3
protocols. 
Its TCP/IP GUI allows server administration from any Internet connected
server. 
The Web Admin module allows you to define domain administrators so they can 
Maintain their own accounts. It also provides anti-spamming options. 

The problem is a Buffer Overflow in the IMAP4 protocol, within the 
IMAP4rev1 SmartMax IMAPMax 5, causing the service to stop responding.


-----[AFFECTED SYSTEMS
Vulnerable systems:
 * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.6 and 5.0.10.7)

Immune systems:
 * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.8)
 * IMAP4rev1 SmartMax IMAPMax 5.5


-----[SEVERITY
Medium - An attacker is able to cause a DoS attack on the IMAP protocol
         But it has no effect on the rest of the system.
         

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The Vulnerability is a Buffer Overflow in the IMAP4rev1 SmartMax IMAPMax 5
When a malicious attacker sends a large amount into the password field, in
The login procedure. 


The following transcript demonstrates a sample exploitation of the 
Vulnerabilities:
----------------------------- [Transcript] -----------------------------
nc 127.0.0.1 143
* OK IMAP4rev1 SmartMax IMAPMax 5 Ready
0000 CAPABILITY
* CAPABILITY IMAP4rev1
0000 OK CAPABILITY completed
0001 LOGIN "mail@...l.com" "A..[50] ..A"
0001 NO Invalid user name or password.
0001 NO Invalid user name or password.

----------------------------- [Transcript] -----------------------------

When this attack is used there will pop-up a message box on the server, with
the text
"Buffer overrun detected! - Program: <PATH>\IMAPMax.exe" at this time the
service 
shuts down, and has to be restarted manually, from the service manager.


-----[DETECTION
IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attacks. 
Earlier versions may be susceptible as well. To determine if a specific 
implementation is vulnerable, experiment by following the above transcript. 


-----[WORK AROUNDS
*   With this vulnerable version of IMAP, the only workaround is to disable
the 
    IMAP4rev1 SmartMax IMAPMax 5 service, there are no workaround in the
configuration.

*    SmartMax has released a patched version of IMAPMax.exe version 5.0.10.8
which corrects 
     the problem. It can be downloaded at
ftp://ftp.smartmax.com/updates/MailMax 5.0/Files/
     Remember to ensure that the file version is 5.0.10.8 or higher.

*    Update your MailMax Version 5 to the released version 5.5



-----[VENDOR RESPONSE
Thank you for the buffer overrun security notification in our 
ImapMax module for MailMax 5.  I'm enclosing an updated IMAPMAX 
which fixes the buffer overflow vulnerability?  We'll be posting 
this in our MailMax 5.5 update next week. 
Regards,
Eric Weber


-----[DISCLOSURE TIMELINE
25/03/2003 Found the Vulnerability, and made an analysis.
27/03/2003 Reported to Vendor (sales@...rtmax.com, features@...rtmax.com,
support@...rtmax.com).
27/03/2003 Vendor reply, they now know of the vulnerabilities.
27/03/2003 Vendor send a patch (Version 5.0.10.7) of the IMAPMax.exe still
contains the vulnerability.
27/03/2003 Received version 5.0.10.8 from Vendor.
27/03/2003 Tested version 5.0.10.8 from vendor, and this version is not
vulnerable.
27/03/2003 Fix made public.
11/04/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by <der@...owarfare.dk> Dennis
Rand

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. 
In no event shall we be liable for any damages whatsoever including direct,
indirect, 
incidental, consequential, loss of business profits or special damages.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ