Ipswitch IMail IMAP List Command DoS Vulnerability

iDEFENSE Security Advisory 12.06.05
www.idefense.com/application/poi/display?id=347&type=vulnerabilities
December 6, 2005

I. BACKGROUND

Ipswitch IMail Server is an email server that is part of the Ipswitch Collaboration Suite. IMail supports POP3, SMTP, IMAP and web-based email access. More information can be found on the vendor's site at:

http://www.ipswitch.com/Products/collaboration/index.html

II. DESCRIPTION

Remote exploitation of a denial of service (DoS) vulnerability in Ipswitch Inc.'s IMail IMAP server allows attackers to crash the target service, thereby preventing legitimate use.

The problem specifically exists in the handling of long arguments to the LIST command. When a LIST command of approximately 8000 bytes is supplied, internal string parsing routines can be manipulated in such a way as to reference non-allocated sections of memory. This parsing error results in an unhandled access violation, forcing the daemon to exit.

III. ANALYSIS

Exploitation allows remote attackers to crash vulnerable IMAP servers and thereby prevent legitimate usage. The LIST command is only available after authentication, so valid credentials are required to exploit this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Ipswitch IMail 8.2.

V. WORKAROUND

As this vulnerability is exploited after authentication occurs, ensuring that only trusted users have accounts can mitigate the risk somewhat. As a more effective workaround, consider limiting access to the IMAP server by filtering TCP port 143. If possible, consider disabling IMAP and requiring users to use POP3.

VI. VENDOR RESPONSE

Ipswitch Collaboration Suite 2.02 has been released to address this issue and is available for download at:

http://www.ipswitch.com/support/ics/updates/ics202.asp

IMail Server 8.22 Patch has been released to address this issue and is available for download at:

http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2923 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005 Initial vendor notification
09/13/2005 Initial vendor response
10/06/2005 Coordinated public disclosure

IX. CREDIT

Sebastian Apelt is credited with discovering this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
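Sections II and V describe the trigger (a LIST command of roughly 8000 bytes, issued after authentication) and recommend network-level workarounds. For sites that must keep IMAP reachable, the following Python scan is an added example, not part of the iDEFENSE advisory or any Ipswitch code: it inspects client-to-server IMAP command lines (for example from a proxy or protocol log) and flags LIST commands whose arguments are far larger than any legitimate mailbox reference or pattern. The 1024-byte threshold and the sample session are assumptions constructed for the example. One caveat a practitioner would want: IMAP (RFC 3501) lets a client announce an argument as a literal `{octet-count}` before sending it, so the check also reads that announced size rather than only measuring inline quoted strings.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumed threshold: legitimate LIST reference/pattern arguments are at most a
# few hundred bytes; the advisory's crash case is about 8000 bytes, so 1024
# leaves a wide margin above normal use while still catching the oversized case.
LIST_ARG_LIMIT = 1024

# "tag COMMAND args": tag and command are whitespace-delimited atoms.
_CMD_RE = re.compile(r'^(?P<tag>\S+)\s+(?P<cmd>[A-Za-z]+)(?:\s+(?P<args>.*))?$')
# RFC 3501 literal announcement at the end of a line: {N} or {N+} (LITERAL+).
_LITERAL_RE = re.compile(r'\{(\d+)\+?\}\s*$')


class Finding(NamedTuple):
    tag: str
    reason: str
    size: int


def parse_command(line: str) -> Optional[Tuple[str, str, str]]:
    """Split one client line into (tag, COMMAND, argument text)."""
    m = _CMD_RE.match(line.rstrip('\r\n'))
    if not m:
        return None
    return m.group('tag'), m.group('cmd').upper(), m.group('args') or ''


def check_list_command(line: str, limit: int = LIST_ARG_LIMIT) -> Optional[Finding]:
    """Return a Finding if this line is a LIST command with oversized arguments."""
    parsed = parse_command(line)
    if parsed is None:
        return None
    tag, cmd, args = parsed
    if cmd != 'LIST':
        return None
    # Case 1: the whole argument is sent inline (quoted string or atom).
    if len(args) > limit:
        return Finding(tag, 'inline LIST arguments exceed limit', len(args))
    # Case 2: the argument is announced as a literal; the declared byte count
    # is visible before any payload arrives, so the check can fire early.
    lit = _LITERAL_RE.search(args)
    if lit and int(lit.group(1)) > limit:
        return Finding(tag, 'LIST literal announces oversized argument', int(lit.group(1)))
    return None


def scan_session(lines: List[str], limit: int = LIST_ARG_LIMIT) -> List[Finding]:
    """Run the check over every client line of a session and collect findings."""
    return [f for f in (check_list_command(l, limit) for l in lines) if f]


# Constructed sample of client-to-server lines; not a capture from a real system.
SAMPLE_SESSION = [
    'a001 LOGIN user pass',
    'a002 LIST "" "*"',
    'a003 LIST "" "INBOX/%"',
    'a004 LIST "" "' + 'A' * 8000 + '"',   # roughly the size the advisory describes
    'a005 LIST "" {8000}',                  # the same size announced as a literal
    'a006 SELECT INBOX',
]

if __name__ == '__main__':
    for f in scan_session(SAMPLE_SESSION):
        print(f'{f.tag}: {f.reason} ({f.size} bytes)')
```

Because the finding carries the command tag, it can be correlated with the preceding LOGIN in the same session, which matters here: the advisory notes the LIST command is only reachable after authentication, so a hit identifies an account worth reviewing, not just a connection to block.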