IMail IMAP FETCH command buffer overflow

Added: 03/15/2006
CVE: CVE-2005-3526
BID: 17063
OSVDB: 23796

Background

IMail is a mail server for Windows including SMTP, IMAP, and LDAP services.

Problem

A buffer overflow vulnerability in IMail allows remote authenticated attackers to execute arbitrary commands by sending a specially crafted **FETCH** command to the IMAP service.

Resolution

Upgrade to IMail 2006.03 or higher.

References

<http://secunia.com/advisories/19168/&gt;

Limitations

Exploit works on IMail Server 2006(02a). At least one message must exist in the user’s inbox in order for the exploit to succeed.

Platforms

Windows 2000
Windows XP