Multiple vulnerabilities in IMail 5.0 can lead to Denial of Service and remote code execution.
`Date: Mon, 1 Mar 1999 23:30:21 -0800
From: Marc <[email protected]>
To: [email protected]
Subject: Multiple IMail Vulnerabilities
________________________________________________________________________
eEye Digital Security Team <e>
www.eEye.com
[email protected]
March 1, 1999
________________________________________________________________________
Multiple IMail Vulnerabilities
Systems Affected
IMail 5.0
Release Date
March 1, 1999
Advisory Code
AD03011999
________________________________________________________________________
Description:
________________________________________________________________________
The following holes can be used as a Denial of Service against the
various services mentioned and in some cases used to remotely execute
code.
---> Imapd (143)
The imapd login process does not do proper bounds checking on usernames
and passwords.
* OK IMAP4 Server (IMail 4.06)
X LOGIN glob1 glob2
Where glob1 is 1200 characters and glob2 is 1300 characters. The imapd
service will crash with the usual overflow error.
---> LDAP (389)
Telnet to server.com 389
Send: Y glob1
hit enter twice
Server Returns: 0
Send: Y glob2
hit enter
Where glob1 and glob2 are 2375 characters and Y is Y. The ldap service
goes to 90 percent or so and idles there. Therefore using up most
system resources.
---> IMonitor (8181)
Telnet to server.com 8181
Send: glob1
hit enter twice
Where glob1 is 2045 characters. The IMonitor service crashes with the
normal overflow message.
---> IMail Web Service (8383)
Telnet to server.com 8383
Send: GET /glob1/
Where glob1 is 3000 characters. The usual overflow message will be
displayed. This one looks to be easily exploitable. >:-]
---> Whois32 Daemon (43)
Telnet to server.com 43
Send glob1
Where glob1 is 1000 characters. The usual overflow message will be
displayed. Ya... starting to sound old.
________________________________________________________________________
Vendor Status
________________________________________________________________________
Vendor has been notified, Waiting for response...
________________________________________________________________________
Copyright (c) 1999 eEye Digital Security Team
________________________________________________________________________
Permission is hereby granted for the redistribution of this alert
electronically. It is not to be edited in any way without express consent of
eEye. If you wish to reprint the whole or any part of this alert in any
other medium excluding electronic medium, please e-mail [email protected] for
permission.
________________________________________________________________________
Disclaimer:
________________________________________________________________________
The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at the
user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security Team
[email protected]
http://www.eEye.com
`
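The missing bounds check the advisory describes for the imapd login, shown in corrected form. This is an added example, not part of the eEye advisory and not IMail's code; the function names, the 64-byte limits and the atoms-only, case-sensitive parsing are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_USER 64   /* assumed limits, not taken from IMail */
#define MAX_PASS 64
enum { LOGIN_OK = 0, LOGIN_MALFORMED = -1, LOGIN_TOO_LONG = -2 };

/* Copy the next space-delimited token from *p into out (capacity cap).
 * The length is checked before any byte is written. */
static int next_token(const char **p, char *out, size_t cap)
{
    const char *s = *p;
    while (*s == ' ') s++;
    size_t n = strcspn(s, " \r\n");
    if (n == 0) return LOGIN_MALFORMED;
    if (n >= cap) return LOGIN_TOO_LONG;   /* reject, never truncate */
    memcpy(out, s, n);
    out[n] = '\0';
    *p = s + n;
    return LOGIN_OK;
}

/* Parse "<tag> LOGIN <user> <pass>". Hypothetical helper: atoms only,
 * quoted strings and literals are out of scope here. */
int parse_login(const char *line, char *user, size_t ucap,
                char *pass, size_t pcap)
{
    char tag[16], cmd[16];
    int rc;
    if ((rc = next_token(&line, tag, sizeof tag)) != LOGIN_OK) return rc;
    if ((rc = next_token(&line, cmd, sizeof cmd)) != LOGIN_OK) return rc;
    if (strcmp(cmd, "LOGIN") != 0) return LOGIN_MALFORMED;
    if ((rc = next_token(&line, user, ucap)) != LOGIN_OK) return rc;
    return next_token(&line, pass, pcap);
}

int main(void)
{
    char user[MAX_USER], pass[MAX_PASS], big[1400];
    /* Constructed input: a 1200-character username, the size the advisory cites. */
    int n = snprintf(big, sizeof big, "X LOGIN ");
    memset(big + n, 'A', 1200);
    strcpy(big + n + 1200, " secret\r\n");
    printf("normal:    %d\n", parse_login("X LOGIN alice secret\r\n",
                                          user, sizeof user, pass, sizeof pass));
    printf("oversized: %d\n", parse_login(big, user, sizeof user,
                                          pass, sizeof pass));
    return 0;
}
```

The same length-before-copy pattern applies to the request line and query handling on the other services listed; a server would answer a `LOGIN_TOO_LONG` result with a tagged `BAD` or `NO` response and keep running.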