[NT] Qualcomm WorldMail IMAP Server String Literal Processing Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 21 Dec 2005 17:06:13 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Qualcomm WorldMail IMAP Server String Literal Processing Overflow
------------------------------------------------------------------------
SUMMARY
Qualcomm WorldMail <http://www.eudora.com/worldmail/> is "an email and
messaging server designed for use in small to large enterprises that
supports IMAP, POP3, SMTP, and web mail features".
Remote exploitation of a buffer overflow vulnerability in Qualcomm
WorldMail IMAP Server allows unauthenticated attackers to execute
arbitrary code.
DETAILS
Vulnerable Systems:
* Qualcomm WorldMail server version 3.0
Successful exploitation of this vulnerability allows attackers to execute
arbitrary code with SYSTEM privileges. This leads to a total compromise of
the mail server.
To trigger this overflow, an attacker only needs to send a long
string ending with a '}' character. This results in a stack-based buffer
overflow, and the attacker may use an SEH overwrite or a standard EBP or
EIP overwrite to gain control of the process trivially.
This is a pre-authentication vulnerability. To exploit it, an attacker
would need to be able to connect to the e-mail server, and the IMAP module
would have to be enabled (the default). Only one command is required to
trigger this vulnerability.
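As an added illustration (not code from the advisory, iDefense, or WorldMail, whose parsing code the advisory does not show), the C function below handles a command line ending in '}' without any fixed-size copy: it enforces a line-length cap first, then validates the IMAP literal prefix "{n}" defined in RFC 3501. The names literal_suffix and overlong_case and the limits MAX_LINE and MAX_LITERAL are assumptions chosen for this example.

```c
#include <stddef.h>
#include <string.h>

#define MAX_LINE    8192UL       /* assumed cap on one command line */
#define MAX_LITERAL 1048576UL    /* assumed cap on an announced literal size */

enum lit_status { LIT_BAD = -1, LIT_NONE = 0, LIT_OK = 1 };

/* Inspect one command line (CRLF already stripped, length known).
 * If it ends in a literal prefix "{n}", store n in *size and return LIT_OK. */
enum lit_status literal_suffix(const char *line, size_t len, unsigned long *size)
{
    size_t end, start;
    unsigned long n = 0;

    if (len > MAX_LINE)                  /* reject before any scan or copy */
        return LIT_BAD;
    if (len == 0 || line[len - 1] != '}')
        return LIT_NONE;

    end = len - 1;                       /* index of the closing '}' */
    start = end;
    while (start > 0 && line[start - 1] >= '0' && line[start - 1] <= '9')
        start--;                         /* backward scan, bounded by MAX_LINE */
    if (start == 0 || line[start - 1] != '{')
        return LIT_NONE;                 /* '}' may legally end an atom */
    if (start == end)
        return LIT_BAD;                  /* "{}" announces no size */

    for (; start < end; start++) {       /* accumulate with an upper bound */
        n = n * 10 + (unsigned long)(line[start] - '0');
        if (n > MAX_LITERAL)             /* also keeps n far from wrapping */
            return LIT_BAD;
    }
    *size = n;
    return LIT_OK;
}

/* Constructed input: a long run of 'A' ending in '}', the shape the
 * advisory describes. The length cap rejects it. */
enum lit_status overlong_case(void)
{
    static char buf[20000];
    unsigned long n = 0;

    memset(buf, 'A', sizeof buf);
    buf[sizeof buf - 1] = '}';
    return literal_suffix(buf, sizeof buf, &n);
}
```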
Workaround:
There is no workaround currently available except for disabling IMAP
services.
CVE Information:
CAN-2005-4267
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-4267>
Disclosure Timeline:
* 15.12.05 - Initial vendor notification
* 20.12.05 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDefense.
The original article can be found at:
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=359