Ipswitch IMail IMAP STATUS Command Mailbox Name Overflow
Published: 2005-05-24T15:09:11
ID: OSVDB:16806
Type: osvdb
Reporter: iDEFENSE (idlabs-advisories@idefense.com)
Modified: 2005-05-24T15:09:11
Description
Vulnerability Description
A remote overflow exists in IMail Server. The IMAP service (IMAPD32.EXE) fails to perform proper bounds checking, resulting in a buffer overflow. By passing an overly long mailbox name to the 'STATUS' command, a remote attacker can cause arbitrary code execution, resulting in a loss of integrity.
Technical Description
Valid login credentials are required to use the STATUS command.
Solution Description
Upgrade to version 8.2 Hotfix 2 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.
References
Vendor URL: http://www.ipswitch.com/products/IMail_Server/index.html
Vendor Specific Advisory URL: http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html
Security Tracker: 1014047
Secunia Advisory ID: 15483 (https://secuniaresearch.flexerasoftware.com/advisories/15483/)
Related OSVDB ID: 16805 (https://vulners.com/osvdb/OSVDB:16805)
Related OSVDB ID: 16807 (https://vulners.com/osvdb/OSVDB:16807)
Related OSVDB ID: 16803 (https://vulners.com/osvdb/OSVDB:16803)
Related OSVDB ID: 16804 (https://vulners.com/osvdb/OSVDB:16804)
Other Advisory URL: http://www.idefense.com/application/poi/display?id=244&type=vulnerabilities
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-05/0272.html
CVE-2005-1256: https://vulners.com/cve/CVE-2005-1256

Record Details
Source: https://vulners.com/osvdb/OSVDB:16806
Bulletin family: software
Affected software: IMail Server, version 8.13
CVSS: 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)
Vulners score: 8.5 (modified 2017-04-28T13:20:13)
Last seen: 2017-04-28T13:20:13

Related Bulletins

CVE-2005-1256 (NVD)
URL: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-1256
Published: 2005-05-25T04:00:00
Modified: 2008-11-15T05:46:00
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Stack-based buffer overflow in the IMAP daemon (IMAPD32.EXE) in IMail 8.13 in Ipswitch Collaboration Suite (ICS), and other versions before IMail Server 8.2 Hotfix 2, allows remote authenticated users to execute arbitrary code via a STATUS command with a long mailbox name.

SAINT: IMail IMAP STATUS buffer overflow
IDs:
SAINT:4BF6E5384B615AA36770D6189D335FF0 (http://download.saintcorporation.com/cgi-bin/exploit_info/imail_imap_status)
SAINT:44425F5A2E2AE680B5AD01A0A4FE22AD (https://my.saintcorporation.com/cgi-bin/exploit_info/imail_imap_status)
SAINT:2489B57B7D27FB398894454B8763D182 (http://www.saintcorporation.com/cgi-bin/exploit_info/imail_imap_status)
Bulletin family: exploit
Published: 2005-11-29T00:00:00
Modified: 2005-11-29T00:00:00
CVSS: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Added: 11/29/2005
CVE: CVE-2005-1256 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1256)
BID: 13727 (http://www.securityfocus.com/bid/13727)
OSVDB: 16806 (http://www.osvdb.org/16806)

Background
IMail (http://www.ipswitch.com/products/imail/index.asp) is a mail server for Windows platforms. It includes SMTP, POP, IMAP, and LDAP services, and a web interface and web calendaring service.

Problem
A buffer overflow when processing long mailbox names specified in the STATUS command allows an authenticated user to execute arbitrary code.

Resolution
Upgrade (http://www.ipswitch.com/support/IMail/patch-upgrades.html) to IMail 8.15 with Hotfix 2 (http://www.ipswitch.com/Support/ICS/updates/im815hf1.html) or higher, IMail 8.2 with Hotfix 2 (http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html) or higher, or Ipswitch Collaboration Suite 2.0 with Hotfix 2 (http://www.ipswitch.com/Support/ICS/updates/ics2hf2.html) or higher.

References
http://www.idefense.com/intelligence/vulnerabilities/display.php?id=244&type=vulnerabilities

Limitations
Exploit works on IpSwitch IMail Server 8.14 on Windows 2000 SP4 and Windows Server 2003 SP2 with KB956572. A valid IMAP login and password are required.

Platforms
Windows 2000
Windows Server 2003

iDEFENSE Security Advisory 05.24.05: Ipswitch IMail IMAP STATUS Remote Buffer Overflow Vulnerability
ID: SECURITYVULNS:DOC:8705
URL: https://vulners.com/securityvulns/SECURITYVULNS:DOC:8705
Bulletin family: software
Published: 2005-05-25T00:00:00
Modified: 2005-05-25T00:00:00
CVSS: 10.0 (AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/)

Ipswitch IMail IMAP STATUS Remote Buffer Overflow Vulnerability

iDEFENSE Security Advisory 05.24.05
www.idefense.com/application/poi/display?id=244&type=vulnerabilities
May 24, 2005

I. BACKGROUND

Ipswitch Collaboration Suite (ICS) is a comprehensive communication and collaboration solution for Microsoft Windows with a customer base of over 53 million users. More information is available on the vendor's website:

http://www.ipswitch.com/products/IMail_Server/index.html

II. DESCRIPTION

Remote exploitation of a buffer overflow vulnerability in Ipswitch Inc.'s IMail IMAP server allows attackers to execute arbitrary code with System privileges.

The vulnerability specifically exists in the handling of a long mailbox name to the STATUS command. A long mailbox name argument will cause a stack based buffer overflow, providing the attacker with full control over the saved return address on the stack. Once this has been achieved, execution of arbitrary code becomes trivial. As this vulnerability is in the STATUS command, which requires that a session is authenticated, valid credentials are required.

III. ANALYSIS

Successful exploitation allows remote attackers to execute arbitrary code with System privileges. Valid credentials are required for exploitation, which lessens the impact of this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Ipswitch IMail version 8.13. It is suspected that earlier versions are also vulnerable.

V. WORKAROUND

As this vulnerability is exploited after authentication occurs, ensuring that only trusted users have accounts can mitigate the risk somewhat. As a more effective workaround, consider limiting access to the IMAP server by filtering TCP port 143. If possible, consider disabling IMAP and forcing users to use POP3.

VI. VENDOR RESPONSE

The vendor has released the following patch to fix this vulnerability:

ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail82hf2.exe

The associated vendor advisory can be found at:

http://www.ipswitch.com/support/imail/releases/imail_professional/im82hf2.html

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-1256 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

04/25/2005 Initial vendor notification
05/10/2005 Initial vendor response
05/24/2005 Public disclosure

IX. CREDIT

iDEFENSE Labs is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright (c) 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.