COMMAND

    XMail

SYSTEMS AFFECTED

    XMail version prior to 0.59

PROBLEM

    Aviram Jenik found following.   XMail is an Internet and  Intranet
    mail server featuring an SMTP server, POP3 server, finger  server,
    multiple  domains,  and  more.  XMail's  parsing function does not
    perform  proper  bound  checking  when  parsing  the APOP and USER
    commands, and this allows  a remote attacker to  execute arbitrary
    code by issuing a long APOP or USER commands.

    By issuing standard POP3 commands  to the XMail POP3 server  it is
    possible to cause it to overflow an internal buffer, thus  causing
    it to execute arbitrary code.   For example, after you connect  to
    an XMail POP server, sending any of the commands:

        USER [a buffer of over 256 characters]
        APOP [a buffer of over 256 characters] [a buffer of over 256 characters]

    will  crash  the  server.   If  the  buffer  is  properly crafted,
    arbitrary code can be executed.

    The security hole was discovered by Beyond Security's SecuriTeam.

SOLUTION

    XMail version  0.59 is  OK.   A patched  version can be downloaded
    from:

        http://www.maticad.it/davide/xmail.asp