COMMAND

    IMail

SYSTEMS AFFECTED

    IPSwitch IMail 6.06 (prior versions are most likely vulnerable)

PROBLEM

    The following is based on an eEye Digital Security Advisory. There
    exists a vulnerability within IMail that allows remote attackers
    to gain SYSTEM level access to servers running IMail's SMTP
    daemon. The vulnerability stems from the IMail SMTP daemon not
    doing proper bounds checking on various input data that gets
    passed to the IMail Mailing List handler code. If an attacker
    crafts a special buffer and sends it to a remote IMail SMTP
    server, it is possible for the attacker to remotely execute code
    (commands) on the IMail system. Credit for this goes to Riley
    Hassell and Marc Maiffret.

    In order to overwrite EIP you must know the name of a valid
    mailing list. IMail will happily provide you with a list of
    mailing lists if you send imailsrv@example.com an email with the
    word "list" (without the quotes) in the body of the message. Now
    take any valid mailing list name and put it into the following
    SMTP session request and you will successfully cause a buffer
    overflow to happen within the IMail service which, if you supply
    a specially crafted buffer, will result in the ability to
    remotely execute code on the IMail server.

    Client SMTP Session -> IMAIL SMTP

        helo eeyerulez
        mailfrom: <>
        rcpt to: valid_mailing_list
        data
        From: [buffer] example.com
        To: Whatever
        wohooo!
        .
        quit

    Where [buffer] is 829 or so characters.
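
    For defenders, a check that flags the session shape shown above in
    a client-side SMTP transcript. This is an added example, not code
    from eEye or Ipswitch. The 256-character limit (taken from the RFC
    5321 path limit), the watched header set, and the sample
    transcripts are assumptions constructed for illustration.

```python
import re

MAX_TOKEN = 256  # assumption: RFC 5321 caps a mail path at 256 octets
WATCHED = {"from", "to", "sender", "reply-to"}  # assumption: headers to inspect


def data_headers(client_lines):
    """Return unfolded (name, value) headers from the DATA part of a
    client-side SMTP transcript (one list item per line, no CRLF)."""
    headers, in_data = [], False
    for line in client_lines:
        if not in_data:
            in_data = line.strip().lower() == "data"
            continue
        if line == "" or line == ".":
            break  # blank line ends the headers, a lone dot ends the message
        if line[0] in " \t" and headers:
            headers[-1][1] += " " + line.strip()  # folded continuation line
            continue
        name, sep, value = line.partition(":")
        if not sep or re.search(r"\s", name):
            break  # not a header field: body began without a blank line
        headers.append([name.strip().lower(), value.strip()])
    return [(n, v) for n, v in headers]


def oversized_headers(client_lines, limit=MAX_TOKEN):
    """Return (header, longest_token_length) for watched headers that
    carry an unbroken token longer than `limit` characters."""
    hits = []
    for name, value in data_headers(client_lines):
        longest = max((len(t) for t in value.split()), default=0)
        if name in WATCHED and longest > limit:
            hits.append((name, longest))
    return hits


def session(from_value):
    """Constructed transcript with the same layout as the session above."""
    return ["helo client.example", "mail from: <>",
            "rcpt to: valid_mailing_list", "data",
            f"From: {from_value}", "To: Whatever", "wohooo!", ".", "quit"]


SUSPECT = session("A" * 829 + " example.com")   # constructed filler, length only
NORMAL = session("Alice <alice@example.com>")   # constructed benign message

if __name__ == "__main__":
    print("suspect:", oversized_headers(SUSPECT))
    print("normal: ", oversized_headers(NORMAL))
```

    The same length check can be applied at a mail gateway in front of
    an unpatched server until the vendor patch is installed.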

    Check back to the eEye website as we will post an exploit at  some
    point.

SOLUTION

    IMail was able to  get a corrective patch  out within two days  of
    contacting them.  That sort of vendor response should be  standard
    throughout the industry.   Users of IMail  may download the  IMail
    patches from:

        http://ipswitch.com/support/IMail/patch-upgrades.html