Ipswitch IMail IMAP SUBSCRIBE command buffer overflow

2007-08-02T00:00:00
ID SAINT:240923C1FA8A33348C94267073F8903D
Type saint
Reporter SAINT Corporation
Modified 2007-08-02T00:00:00

Description

Added: 08/02/2007
CVE: CVE-2007-3927
BID: 24962
OSVDB: 36222

Background

IMail is an e-mail server for Windows platforms.

Problem

A buffer overflow vulnerability in the IMAP service could allow an authenticated attacker to execute arbitrary commands by sending a specially crafted SUBSCRIBE command.

Resolution

Upgrade to Ipswitch IMail Server version 2006.21.

References

<http://www.zerodayinitiative.com/advisories/ZDI-07-043.html>

Limitations

Exploit works on Ipswitch IMail 2006.2 and requires a valid IMAP login and password.

Platforms

Windows 2000
Windows Server 2003