Secunia Security Advisory - Secunia Research has discovered some vulnerabilities in various E-Post Mail Server products, which can be exploited by malicious users to bypass certain security restrictions, gain knowledge of certain system information, and cause a DoS (Denial of Service), or by malicious people to compromise a vulnerable system.
109a4a2103984810e961f65e76c58b8c22b2fccb39d08975bb094740656e425e
TITLE:
E-Post Mail Server Products Multiple Vulnerabilities
SECUNIA ADVISORY ID:
SA18480
VERIFY ADVISORY:
http://secunia.com/advisories/18480/
CRITICAL:
Highly critical
IMPACT:
Security Bypass, Exposure of system information, DoS, System access
WHERE:
>From remote
SOFTWARE:
E-Post Mail Server 4.x
http://secunia.com/product/6947/
E-Post Mail Server Enterprise 4.x
http://secunia.com/product/6950/
E-Post SMTP Server 4.x
http://secunia.com/product/6948/
E-Post SMTP Server Enterprise 4.x
http://secunia.com/product/6951/
SPA-PRO Mail @Solomon 4.x
http://secunia.com/product/5200/
SPA-PRO Mail @Solomon Enterprise 4.x
http://secunia.com/product/6952/
SPA-PRO SMTP @Solomon 4.x
http://secunia.com/product/6949/
DESCRIPTION:
Secunia Research has discovered some vulnerabilities in various
E-Post Mail Server products, which can be exploited by malicious
users to bypass certain security restrictions, gain knowledge of
certain system information, and cause a DoS (Denial of Service), or
by malicious people to compromise a vulnerable system.
1) A boundary error exists in the SMTP service in the handling of the
username supplied to the AUTH PLAIN and AUTH LOGIN commands. This can
be exploited to cause a stack-based buffer overflow and allows
arbitrary code execution via an overly long username.
The vulnerability has been confirmed in EPSTRS.EXE version 4.18 and
4.19, and in SPA-RS.EXE version 4.12. Other versions may also be
affected.
2) A boundary error exists in the POP3 service in the handling of the
username supplied to the APOP command. This can be exploited to cause
a stack-based buffer overflow and allows arbitrary code execution via
an overly long username.
The vulnerability has been confirmed in EPSTPOP4S.EXE version 4.03,
and in SPA-POP3S.EXE version 4.03. Other versions may also be
affected.
3) A boundary error exists in the IMAP service in the handling of the
mailbox name passed to the DELETE command. This can be exploited to
crash the server via an overly long mailbox name.
4) An input validation error exists in the IMAP service in the
handling of the arguments passed to the LIST command. This can be
exploited to obtain directory listings of arbitrary folders on the
server with privileges of the IMAP service via directory traversal
attacks. It is possible to cause the service to crash by listing
certain directories.
5) Input validation errors exist in the IMAP service in the handling
of the APPEND, COPY, and RENAME commands. This can be exploited by
malicious users to create ".MSG" files and arbitrary directories
outside of the mail directory with privileges of the IMAP process via
directory traversal attacks.
6) An infinite loop error exists in IMAP service in the handling of
the APPEND command. This can be exploited by sending an APPEND
command to the service and terminating the connection without sending
the expected amount of data.
Successful exploitation causes the IMAP server to consume a large
amount of CPU resources, potentially causing a DoS.
Vulnerabilities #3, #4, #5, and #6 have been confirmed in
EPSTIMAP4S.EXE version 4.05 and in SPA-IMAP4S.EXE version 4.05. Prior
versions may also be affected.
The vulnerabilities affect the following products.
* E-Post Mail Server Enterprise 4.10
* E-Post Mail Server 4.10
* E-Post SMTP Server Enterprise 4.10
* E-Post SMTP Server 4.10
* SPA-PRO Mail @Solomon Enterprise 4.00
* SPA-PRO Mail @Soloman 4.00
* SPA-PRO SMTP @Soloman 4.00
SOLUTION:
Apply patches.
E-Post Mail Server Enterprise 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostmsent20060117.exe
E-Post Mail Server 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostmsstd20060117.exe
E-Post SMTP Server Enterprise 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostssent20060117.exe
E-Post SMTP Server 4.10:
http://www.e-postinc.jp/bin/jp-mail@epostssstd20060117.exe
SPA-PRO Mail @Solomon Enterprise 4.00:
http://www.e-postinc.jp/bin/jp-mail@solomon20060117.exe
SPA-PRO Mail @Soloman 4.00:
http://www.e-postinc.jp/bin/jp-mail@solomon20060117.exe
SPA-PRO SMTP @Soloman 4.00:
http://www.e-postinc.jp/bin/jp-smtp@solomon20060117.exe
Note: The vulnerabilities have been fixed in following components.
* EPSTRS.EXE version 4.21
* EPSTPOP3S.EXE version 4.06
* EPSTIMAP4S.EXE version 4.07
* SPA-RS.EXE version 4.13
* SPA-POP3S.EXE version 4.04
* SPA-IMAP4S.EXE 4.06
PROVIDED AND/OR DISCOVERED BY:
Tan Chew Keong, Secunia Research.
ORIGINAL ADVISORY:
Secunia Research:
http://secunia.com/secunia_research/2006-1/
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------