TITLE: E-Post Mail Server Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA18480 VERIFY ADVISORY: http://secunia.com/advisories/18480/ CRITICAL: Highly critical IMPACT: Security Bypass, Exposure of system information, DoS, System access WHERE: >From remote SOFTWARE: E-Post Mail Server 4.x http://secunia.com/product/6947/ E-Post Mail Server Enterprise 4.x http://secunia.com/product/6950/ E-Post SMTP Server 4.x http://secunia.com/product/6948/ E-Post SMTP Server Enterprise 4.x http://secunia.com/product/6951/ SPA-PRO Mail @Solomon 4.x http://secunia.com/product/5200/ SPA-PRO Mail @Solomon Enterprise 4.x http://secunia.com/product/6952/ SPA-PRO SMTP @Solomon 4.x http://secunia.com/product/6949/ DESCRIPTION: Secunia Research has discovered some vulnerabilities in various E-Post Mail Server products, which can be exploited by malicious users to bypass certain security restrictions, gain knowledge of certain system information, and cause a DoS (Denial of Service), or by malicious people to compromise a vulnerable system. 1) A boundary error exists in the SMTP service in the handling of the username supplied to the AUTH PLAIN and AUTH LOGIN commands. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution via an overly long username. The vulnerability has been confirmed in EPSTRS.EXE version 4.18 and 4.19, and in SPA-RS.EXE version 4.12. Other versions may also be affected. 2) A boundary error exists in the POP3 service in the handling of the username supplied to the APOP command. This can be exploited to cause a stack-based buffer overflow and allows arbitrary code execution via an overly long username. The vulnerability has been confirmed in EPSTPOP4S.EXE version 4.03, and in SPA-POP3S.EXE version 4.03. Other versions may also be affected. 3) A boundary error exists in the IMAP service in the handling of the mailbox name passed to the DELETE command. This can be exploited to crash the server via an overly long mailbox name. 4) An input validation error exists in the IMAP service in the handling of the arguments passed to the LIST command. This can be exploited to obtain directory listings of arbitrary folders on the server with privileges of the IMAP service via directory traversal attacks. It is possible to cause the service to crash by listing certain directories. 5) Input validation errors exist in the IMAP service in the handling of the APPEND, COPY, and RENAME commands. This can be exploited by malicious users to create ".MSG" files and arbitrary directories outside of the mail directory with privileges of the IMAP process via directory traversal attacks. 6) An infinite loop error exists in IMAP service in the handling of the APPEND command. This can be exploited by sending an APPEND command to the service and terminating the connection without sending the expected amount of data. Successful exploitation causes the IMAP server to consume a large amount of CPU resources, potentially causing a DoS. Vulnerabilities #3, #4, #5, and #6 have been confirmed in EPSTIMAP4S.EXE version 4.05 and in SPA-IMAP4S.EXE version 4.05. Prior versions may also be affected. The vulnerabilities affect the following products. * E-Post Mail Server Enterprise 4.10 * E-Post Mail Server 4.10 * E-Post SMTP Server Enterprise 4.10 * E-Post SMTP Server 4.10 * SPA-PRO Mail @Solomon Enterprise 4.00 * SPA-PRO Mail @Soloman 4.00 * SPA-PRO SMTP @Soloman 4.00 SOLUTION: Apply patches. E-Post Mail Server Enterprise 4.10: http://www.e-postinc.jp/bin/jp-mail@epostmsent20060117.exe E-Post Mail Server 4.10: http://www.e-postinc.jp/bin/jp-mail@epostmsstd20060117.exe E-Post SMTP Server Enterprise 4.10: http://www.e-postinc.jp/bin/jp-mail@epostssent20060117.exe E-Post SMTP Server 4.10: http://www.e-postinc.jp/bin/jp-mail@epostssstd20060117.exe SPA-PRO Mail @Solomon Enterprise 4.00: http://www.e-postinc.jp/bin/jp-mail@solomon20060117.exe SPA-PRO Mail @Soloman 4.00: http://www.e-postinc.jp/bin/jp-mail@solomon20060117.exe SPA-PRO SMTP @Soloman 4.00: http://www.e-postinc.jp/bin/jp-smtp@solomon20060117.exe Note: The vulnerabilities have been fixed in following components. * EPSTRS.EXE version 4.21 * EPSTPOP3S.EXE version 4.06 * EPSTIMAP4S.EXE version 4.07 * SPA-RS.EXE version 4.13 * SPA-POP3S.EXE version 4.04 * SPA-IMAP4S.EXE 4.06 PROVIDED AND/OR DISCOVERED BY: Tan Chew Keong, Secunia Research. ORIGINAL ADVISORY: Secunia Research: http://secunia.com/secunia_research/2006-1/ ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------