COMMAND

    IMail

SYSTEMS AFFECTED

    IPSwitch IMail server 6.0.5

PROBLEM

    Sakai Yoriyuki found the following: a denial of service in the
    handling of the SMTP AUTH command in IPSwitch IMail server version
    6.0.5.  IPSwitch ships a product titled IMail, an email server for
    use on NT servers that provides SMTP, POP3, IMAP4, LDAP, etc.  It
    supports the SMTP AUTH command (RFC 2554) and several
    authentication methods to relay/accept e-mail.

    When Sakai sent a password over 80 bytes and less than 136 bytes
    in BASE64 format, the SMTP server of IMail stopped responding.  No
    new SMTP sessions can be created, either locally or remotely.  In
    this case the length of the password causes the problem; its value
    does not matter.

    Example of issue:

        HELO myhost
        250 hello target
        AUTH LOGIN
        334 VXNlcm5hbWU6
        (Put BASE64ed user name)
        334 UGFzc3dvcmQ6
        (Put BASE64ed user password over 80 bytes and less than 136 bytes; the length of password is approximate.)
        (The connection is disconnected.)

    When the password is over about 136 bytes, the server responds
    with status "552" (command exceeds maximum length) and continues
    to work.  If the length of the password is less than 80 bytes, it
    works normally.
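
    A defender-side check for the length window described above, as an
    added example that is not part of the original advisory: it walks a
    logged SMTP session and classifies each AUTH LOGIN password reply by
    length.  The "C: "/"S: " transcript format, the function names and
    reading the bounds as BASE64 text length are assumptions of this example.

```python
import base64

# Approximate bounds from the advisory, read here as the length of the
# BASE64 text on the wire (an assumption of this example).
LOW, HIGH = 80, 136

def classify_password_len(n):
    """Map a password-reply length to the behaviour the advisory reports."""
    if n <= LOW:
        return "normal"
    if n < HIGH:
        return "hang-window"   # SMTP service stops responding
    return "rejected-552"      # server answers 552 and keeps working

def scan_session(lines):
    """Report (line no, length, class) for each AUTH LOGIN password reply."""
    findings, in_auth, expect = [], False, None
    for no, line in enumerate(lines, 1):
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C" and text.upper() == "AUTH LOGIN":
            in_auth, expect = True, None
        elif side == "S" and in_auth and text.startswith("334 "):
            try:  # the 334 challenge is the BASE64 of "Username:" / "Password:"
                prompt = base64.b64decode(text[4:].split()[0]).decode("ascii", "replace")
            except ValueError:
                prompt = ""
            expect = prompt.rstrip(":").lower()
        elif side == "C" and in_auth and expect:
            if expect == "password" and text != "*":   # "*" cancels the exchange
                findings.append((no, len(text), classify_password_len(len(text))))
            in_auth = expect == "username" and text != "*"
            expect = None
        elif side == "S" and in_auth:
            in_auth = False    # any non-334 reply ends the exchange
    return findings

# Constructed sample transcript ("C: " client, "S: " server), not a real capture.
SAMPLE = [
    "C: HELO myhost",
    "S: 250 hello target",
    "C: AUTH LOGIN",
    "S: 334 VXNlcm5hbWU6",
    "C: " + base64.b64encode(b"user").decode(),
    "S: 334 UGFzc3dvcmQ6",
    "C: " + base64.b64encode(b"x" * 75).decode(),   # 100 BASE64 characters
]
```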

    This bug is both remotely and locally exploitable.  The tested
    versions of IMail are 6 Gold (Japanese; no minor version is
    available) and 6.0.5 (English) on Windows NT 4.0 Server SP6a
    (Japanese/English), Windows 2000 Server (no SPs)
    (Japanese/English) and Windows 2000 Server SP1 (Japanese/English).

SOLUTION

    How to apply patch(es) for IMail 6.x:

        http://www.ipswitch.com/support/IMail/patch-upgrades.html

    SMTPd32, POP3d32 and IMAP4d32 Patch for IMail Server 6.05:

        ftp://ftp.ipswitch.com/Ipswitch/Product_Support/Imail/IM605HF5.exe