[VulnWatch] Buffer overflow vulnerability found in MailMax version 5

From: 0x36 (release_at_0x36.org)
Date: 05/17/03

  • Next message: Florian Weimer: "[VulnWatch] Algorithmic Complexity Attacks and the Linux Networking Code"
    Date: Sat, 17 May 2003 14:31:14 +0200
    To: news@securiteam.com, Vuln@secunia.dk, vulnwatch@vulnwatch.org, bugtraq@securityfocus.com, bugs@securitytracker.0x36.org

        ____ ,_____ __
       / \ |___ / / / Buffer Overflow Vulnerability
      ( /\ ) / / / / __ Found in MailMax Version 5
      ( \/ ) \ / ,_\ \ ( ( \ \ http://www.smartmax.com
       \____/ / \ |____\ \_\_/_/ matrix at 0x36.org

    This is a scalable e-mail server that supports SMTP, IMAP4 and POP3 protocols.
    Its TCP/IP GUI allows server administration from any Internet connected server.
    The Web Admin module allows you to define domain administrators so they can
    Maintain their own accounts. It also provides anti-spamming options.

    The problem is a Buffer Overflow in the IMAP4 protocol, within the
    IMAP4rev1 SmartMax IMAPMax 5, causing the service to stop responding
    and we can actually overwrite the exception handler on the stack allowing
    a system compromise with code execution running as SYSTEM.

    <[AFFECTED SYSTEMS]>----------------------------------------------------------
    Vulnerable systems:
     * IMAP4rev1 SmartMax IMAPMax 5 (

    Immune systems:
     * IMAP4rev1 SmartMax IMAPMax 5.5

    Medium/High - An attacker is able to cause a DoS attack on the IMAP protocol
                  The reason this is also a medium is that and attacker has to have
                  a login on the system to conduct this attack.
                  And we can actually overwrite the exception handler on the stack
                  allowing a system compromise with code execution running as SYSTEM

    <[DESCRIPTION OF WHAT THE VULNERABILITY IS]>----------------------------------
    The Vulnerability is a Buffer Overflow in the IMAP4rev1 SmartMax IMAPMax 5
    When a malicious attacker sends a large amount into the SELECT command.
    The buffer will overflow. Sending to many bytes into the buffer will cause the
    server to reject the request and nothing will happend.

    The following transcript demonstrates a sample exploitation of the

                          --------[ transcript ]-------
    nc infowarfare.dk 143
    * OK IMAP4rev1 SmartMax IMAPMax 5 Ready
    0000 OK CAPABILITY completed
    0001 LOGIN "RealUser@infowarfare.dk" "HereIsMyPassword"
    0001 OK User authenticated.
    0002 SELECT "aaa...[256]...aaaa"
                          --------[ transcript ]-------

    When this attack is used there will pop-up a message box on the server, with
    the text "Buffer overrun detected! - Program: <PATH>\IMAPMax.exe" at this time
    the service shuts down, and has to be restarted manually, from the service

    IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attacks.
    Earlier versions may be susceptible as well. To determine if a specific
    implementation is vulnerable, experiment by following the above transcript.

    <[WORK AROUNDS]>-------------------------------------------------------------
    The only work around if you do not want to update your system is to disable
    the IMAP service, else i would higly recommend updating to version 5.5 of

    <[VENDOR RESPONSE]>----------------------------------------------------------
    it's fixed in 5.5, to be released by May 10th.
    5.5 is the update to 5.0. It is a free upgrade for owners of 5.0.
    Eric Weber

    <[DISCLOSURE TIMELINE]>------------------------------------------------------
    11/04/2003 Recived a mail from Mark Litchfield, about this could be vulnerable
               by sending a larger buffer. So credits should also go to Mark
    15/04/2003 Made an analysis and found the vulnerability
    28/04/2003 Reported the vulnerability to Vendor (support-at-smartmax.com)
    02/05/2003 Recived responce from Vendor
    17/05/2003 Public Disclosure.

    <[ADDITIONAL INFORMATION]>---------------------------------------------------
    The vulnerability was discovered and reported by <Matrix at 0x36.org>

    The information in this bulletin is provided "AS IS" without warranty of any
    kind. In no event shall we be liable for any damages whatsoever including
    direct, indirect, incidental, consequential, loss of business profits or
    special damages.

  • Next message: Florian Weimer: "[VulnWatch] Algorithmic Complexity Attacks and the Linux Networking Code"

    Relevant Pages