Buffer Overflow Vulnerability Found in MailMax Version 5



Dennis Rand
12/04/03, 10:20
Buffer Overflow Vulnerability
Found in MailMax Version 5
http://www.smartmax.com
Discovered by Dennis Rand
www.Infowarfare.dk
------------------------------------------------------------------------


-----[SUMMARY
This is a scalable e-mail server that supports the SMTP, IMAP4 and POP3
protocols. Its TCP/IP GUI allows server administration from any
Internet-connected server. The Web Admin module allows you to define
domain administrators so they can maintain their own accounts. It also
provides anti-spamming options.

The problem is a buffer overflow in the IMAP4 service (IMAP4rev1 SmartMax
IMAPMax 5), which causes the service to stop responding.


-----[AFFECTED SYSTEMS
Vulnerable systems:
* IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.6 and 5.0.10.7)

Immune systems:
* IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.8)
* IMAP4rev1 SmartMax IMAPMax 5.5


-----[SEVERITY
Medium - An attacker is able to cause a denial of service against the IMAP
service, but it has no effect on the rest of the system.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in IMAP4rev1 SmartMax IMAPMax 5,
triggered when an attacker sends an overly long value in the password
field of the LOGIN command.


The following transcript demonstrates a sample exploitation of the
vulnerability:
----------------------------- [Transcript] -----------------------------
nc 127.0.0.1 143
* OK IMAP4rev1 SmartMax IMAPMax 5 Ready
0000 CAPABILITY
* CAPABILITY IMAP4rev1
0000 OK CAPABILITY completed
0001 LOGIN "mail@mail.com" "A..[50] ..A"
0001 NO Invalid user name or password.
0001 NO Invalid user name or password.

----------------------------- [Transcript] -----------------------------

When this attack is used, a message box pops up on the server with the text
"Buffer overrun detected! - Program: <PATH>\IMAPMax.exe". At this point the
service shuts down and has to be restarted manually from the service
manager.
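The message box quoted above is the Visual C++ runtime's stack-protection check firing, which only happens after the overrun has already corrupted the stack; the service is terminated rather than exploited further, hence the denial of service. The robust fix is to enforce a length limit before any byte of the LOGIN arguments is copied into a fixed buffer. The following is an added example written for this page, not IMAPMax code and not the vendor's patch: a bounded parser for the IMAP LOGIN command that reads the tag, user and password astrings into fixed-size buffers and answers an oversized argument with a tagged NO instead of overrunning. The buffer limits (MAX_TAG, MAX_USER, MAX_PASS), the function names and the reply wording are assumptions; the sample command lines are constructed from the transcript.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Added example, not IMAPMax code. Buffer limits are assumptions; the point
 * is that each limit is enforced before any byte is copied. */
#define MAX_TAG   32
#define MAX_USER  256
#define MAX_PASS  128

enum login_result {
    LOGIN_PARSED = 0,   /* tag, user and password all fit their buffers */
    LOGIN_BAD_SYNTAX,   /* not a LOGIN command, or malformed arguments */
    LOGIN_TOO_LONG      /* an argument exceeds its buffer: rejected, not copied */
};

/* Read one IMAP astring (quoted string or atom) into a fixed buffer.
 * Returns 0 on success, 1 if it would not fit, -1 on a syntax error.
 * When it would not fit, the buffer is left empty, never partially filled. */
static int read_astring(const char **p, char *out, size_t outsz)
{
    const char *s = *p;
    size_t n = 0;
    int quoted = (*s == '"');

    if (quoted) s++;
    while (*s && (quoted ? *s != '"' : !isspace((unsigned char)*s))) {
        if (quoted && *s == '\\' && s[1]) s++;      /* quoted-pair: \" or \\ */
        if (n + 1 >= outsz) { out[0] = '\0'; return 1; }
        out[n++] = *s++;
    }
    if (quoted) {
        if (*s != '"') return -1;                   /* unterminated quoted string */
        s++;
    } else if (n == 0) {
        return -1;                                  /* empty atom */
    }
    out[n] = '\0';
    *p = s;
    return 0;
}

static void skip_spaces(const char **p) { while (**p == ' ') (*p)++; }

/* Case-insensitive keyword match: IMAP command names are case-insensitive. */
static int keyword(const char **p, const char *kw)
{
    size_t k = strlen(kw);
    for (size_t i = 0; i < k; i++)
        if (toupper((unsigned char)(*p)[i]) != kw[i]) return 0;
    if ((*p)[k] != ' ') return 0;
    *p += k;
    return 1;
}

/* Parse "tag LOGIN user password". Every write is bounded by the caller's
 * buffer sizes, so an oversized password cannot overrun anything. */
enum login_result parse_login(const char *line,
                              char *tag, size_t tagsz,
                              char *user, size_t usersz,
                              char *pass, size_t passsz)
{
    const char *p = line;
    int r;

    tag[0] = user[0] = pass[0] = '\0';
    if ((r = read_astring(&p, tag, tagsz)) != 0)
        return r > 0 ? LOGIN_TOO_LONG : LOGIN_BAD_SYNTAX;
    skip_spaces(&p);
    if (!keyword(&p, "LOGIN")) return LOGIN_BAD_SYNTAX;
    skip_spaces(&p);
    if ((r = read_astring(&p, user, usersz)) != 0)
        return r > 0 ? LOGIN_TOO_LONG : LOGIN_BAD_SYNTAX;
    skip_spaces(&p);
    if ((r = read_astring(&p, pass, passsz)) != 0)
        return r > 0 ? LOGIN_TOO_LONG : LOGIN_BAD_SYNTAX;
    return LOGIN_PARSED;
}

/* Classify one command line and write the reply a bounded server would send.
 * Only LOGIN is handled and no authentication is performed: a well-formed
 * LOGIN gets the generic NO seen in the transcript. */
enum login_result check_line(const char *line, char *reply, size_t replysz)
{
    char tag[MAX_TAG], user[MAX_USER], pass[MAX_PASS];
    enum login_result r = parse_login(line, tag, sizeof tag,
                                      user, sizeof user, pass, sizeof pass);
    const char *t = tag[0] ? tag : "*";     /* untagged reply if the tag failed */

    switch (r) {
    case LOGIN_PARSED:   snprintf(reply, replysz, "%s NO Invalid user name or password.", t); break;
    case LOGIN_TOO_LONG: snprintf(reply, replysz, "%s NO Argument too long.", t); break;
    default:             snprintf(reply, replysz, "%s BAD Unsupported or malformed command.", t); break;
    }
    return r;
}

/* Constructed input: a LOGIN line whose password is n 'A's, as in the transcript. */
enum login_result check_login_with_pass_len(size_t n)
{
    static char line[4096], reply[256];
    size_t head;
    if (n > sizeof line - 64) n = sizeof line - 64;
    head = (size_t)snprintf(line, sizeof line, "0001 LOGIN \"mail@mail.com\" \"");
    memset(line + head, 'A', n);
    line[head + n] = '"';
    line[head + n + 1] = '\0';
    return check_line(line, reply, sizeof reply);
}

int main(void)
{
    char reply[256];
    /* constructed sample session, modelled on the transcript */
    const char *lines[] = {
        "0001 LOGIN \"mail@mail.com\" \"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\"",
        "0002 LOGIN mail@mail.com secret",
    };
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        check_line(lines[i], reply, sizeof reply);
        printf("C: %s\nS: %s\n", lines[i], reply);
    }
    printf("500-byte password -> result %d (2 = rejected, nothing copied)\n",
           (int)check_login_with_pass_len(500));
    return 0;
}
```

The 50-byte password from the transcript fits the assumed 128-byte buffer and simply fails authentication; a password at or beyond the limit is refused before a single byte is written, which is the property the stack-protection message shows was missing. The same parser, fed captured IMAP command lines, doubles as a detection rule: any LOGIN that returns LOGIN_TOO_LONG is worth an alert.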


-----[DETECTION
IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attack.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above transcript.


-----[WORK AROUNDS
* With this vulnerable version of IMAP, the only workaround is to disable
the IMAP4rev1 SmartMax IMAPMax 5 service; there is no workaround in the
configuration.

* SmartMax has released a patched version of IMAPMax.exe, version 5.0.10.8,
which corrects the problem. It can be downloaded at
ftp://ftp.smartmax.com/updates/MailMax 5.0/Files/
Remember to ensure that the file version is 5.0.10.8 or higher.

* Update your MailMax Version 5 to the released version 5.5



-----[VENDOR RESPONSE
Thank you for the buffer overrun security notification in our
ImapMax module for MailMax 5. I'm enclosing an updated IMAPMAX
which fixes the buffer overflow vulnerability? We'll be posting
this in our MailMax 5.5 update next week.
Regards,
Eric Weber


-----[DISCLOSURE TIMELINE
25/03/2003 Found the Vulnerability, and made an analysis.
27/03/2003 Reported to Vendor (sales@smartmax.com, features@smartmax.com,
support@smartmax.com).
27/03/2003 Vendor replied; they now know of the vulnerability.
27/03/2003 Vendor sent a patch (version 5.0.10.7) of IMAPMax.exe that still
contains the vulnerability.
27/03/2003 Received version 5.0.10.8 from Vendor.
27/03/2003 Tested version 5.0.10.8 from vendor, and this version is not
vulnerable.
27/03/2003 Fix made public.
11/04/2003 Public Disclosure.


-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand
<der@infowarfare.dk>.

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of
any kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.