[NT] Buffer Overflow in Ipswitch IMail (LDAP)
From: support@securiteam.com
Date: 05/21/02
From: support@securiteam.com To: list@securiteam.com Date: Tue, 21 May 2002 08:54:35 +0200 (CEST)
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Buffer Overflow in Ipswitch IMail (LDAP)
------------------------------------------------------------------------
SUMMARY
A buffer overflow exists in the LDAP component of Ipswitch's
(http://www.ipswitch.com/) IMail software suite. Exploitation
of this vulnerability allows remote execution of arbitrary code with the
privileges of the IMail daemon (default is SYSTEM).
DETAILS
Vulnerable systems:
* Ipswitch IMail version 7.1
Immune systems:
* Ipswitch IMail version 7.1 Hotfix 1
The IMail server ships with several components including an LDAP service.
The LDAP server allows a remote client read access to the IMail directory.
A vulnerability exists during the authentication process that allows an
outside attacker remote access to the server with the privileges of the
SYSTEM account.
When "binding" to the server with simple authentication, a "bind DN" and
password can be specified. By providing an overly long string to the "bind
DN" parameter, it is possible to overwrite the saved return address,
control the instruction pointer, and execute arbitrary code in the remote
process.
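The missing check described above, shown as an added example (not Ipswitch's code and not part of the original advisory): a BER parser for an LDAP simple BindRequest that validates every declared length against the received data and rejects an over-long bind DN before copying it into a fixed-size buffer. MAX_DN, the return codes and the function names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define MAX_DN 255  /* assumed policy limit, not a value from IMail */
enum { BIND_OK = 0, BIND_MALFORMED = -1, BIND_DN_TOO_LONG = -2 };

/* Read one BER tag+length header at *pos, never reading past 'end'. */
static int ber_header(const uint8_t *buf, size_t end, size_t *pos,
                      uint8_t want_tag, size_t *len)
{
    if (end - *pos < 2 || buf[*pos] != want_tag) return -1;
    size_t p = *pos + 1, n = buf[p++];
    if (n & 0x80) {                     /* long form: low 7 bits = octet count */
        size_t k = n & 0x7f;
        if (k == 0 || k > 4 || end - p < k) return -1;
        for (n = 0; k > 0; k--) n = (n << 8) | buf[p++];
    }
    if (n > end - p) return -1;         /* declared length exceeds the data */
    *pos = p; *len = n;
    return 0;
}

/* Copy the bind DN of a simple BindRequest into dn[MAX_DN + 1]. */
int parse_bind_dn(const uint8_t *msg, size_t msglen, char dn[MAX_DN + 1])
{
    size_t pos = 0, len, end;
    if (ber_header(msg, msglen, &pos, 0x30, &len)) return BIND_MALFORMED; /* LDAPMessage */
    end = pos + len;
    if (ber_header(msg, end, &pos, 0x02, &len)) return BIND_MALFORMED;    /* messageID */
    pos += len;
    if (ber_header(msg, end, &pos, 0x60, &len)) return BIND_MALFORMED;    /* BindRequest */
    end = pos + len;
    if (ber_header(msg, end, &pos, 0x02, &len)) return BIND_MALFORMED;    /* version */
    pos += len;
    if (ber_header(msg, end, &pos, 0x04, &len)) return BIND_MALFORMED;    /* name = bind DN */
    if (len > MAX_DN) return BIND_DN_TOO_LONG;  /* reject before any copy */
    memcpy(dn, msg + pos, len);
    dn[len] = '\0';
    return BIND_OK;
}

int main(void)
{   /* Constructed sample: messageID 1, version 3, DN "cn=admin", password "pw". */
    static const uint8_t bind[] = { 0x30,0x16, 0x02,0x01,0x01, 0x60,0x11, 0x02,0x01,0x03,
        0x04,0x08,'c','n','=','a','d','m','i','n', 0x80,0x02,'p','w' };
    char dn[MAX_DN + 1];
    int rc = parse_bind_dn(bind, sizeof bind, dn);
    printf("rc=%d dn=%s\n", rc, rc == BIND_OK ? dn : "(rejected)");
    return 0;
}
```

A server front end or protocol-aware filter can apply the same length check to log or drop binds that return BIND_DN_TOO_LONG on hosts that cannot be patched immediately.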
Solution:
Refer to the advisory published by Ipswitch at:
http://www.ipswitch.com/Support/IMail/patch-upgrades.html
Customers should obtain upgraded software by contacting their customer
support representative to receive the required patches.
ADDITIONAL INFORMATION
The information has been provided by Foundstone Labs
(labs@foundstone.com).
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.