IMail IMAP LOGIN special character vulnerability

2006-01-04T00:00:00
ID SAINT:FBBB1942DDEE3FD36A2D9D66B0EC1E9C
Type saint
Reporter SAINT Corporation
Modified 2006-01-04T00:00:00

Description

Added: 01/04/2006
CVE: CVE-2005-1255
BID: 13727
OSVDB: 16804

Background

IMail is a mail server for Windows platforms. It includes SMTP, POP, IMAP, and LDAP services, a web interface, and web calendaring.

Problem

A remote attacker could execute arbitrary commands by sending a long, specially crafted **LOGIN** command starting with a special character. The attacker does not need to know a valid account name and password to exploit this vulnerability.
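A detection-side check for the pattern described above, added here as an example and not SAINT or Ipswitch code: it flags pre-authentication IMAP LOGIN lines whose arguments are unusually long or begin with a non-alphanumeric character. The function names, the 128-byte threshold and the sample lines are assumptions constructed for illustration; the advisory does not state the triggering character or length.

```python
import re

# Assumed threshold, not a value from the advisory; tune to your environment.
MAX_LOGIN_ARG_LEN = 128

# RFC 3501 command layout: tag SP command SP arguments
LOGIN_RE = re.compile(rb"^(\S+) LOGIN (.*)$", re.IGNORECASE)


def check_login_line(line: bytes) -> list:
    """Return reasons a captured client line looks anomalous ([] if clean or not LOGIN)."""
    m = LOGIN_RE.match(line.rstrip(b"\r\n"))
    if not m:
        return []
    args = m.group(2)
    # Look past an opening quote so a quoted user name is judged by its first character.
    user = args[1:] if args[:1] == b'"' else args
    first = user[:1]
    reasons = []
    # Ordinary user names start with a letter or digit; "{" opens an IMAP literal
    # and a second '"' means an empty quoted string.
    if first and not (first.isalnum() or first in b'{"'):
        reasons.append("leading-special-char")
    if len(args) > MAX_LOGIN_ARG_LEN:
        reasons.append("oversized-arguments")
    if any(b < 0x20 or b > 0x7E for b in args):
        reasons.append("non-printable-bytes")
    return reasons


def scan(lines) -> list:
    """Return (index, reasons) for every line that check_login_line flags."""
    hits = []
    for i, line in enumerate(lines):
        reasons = check_login_line(line)
        if reasons:
            hits.append((i, reasons))
    return hits


# Constructed sample traffic (not captured from a real server or exploit).
SAMPLE = [
    b"a001 LOGIN alice s3cret\r\n",
    b'a002 LOGIN "bob smith" pw\r\n',
    b"a003 LOGIN #" + b"A" * 600 + b" x\r\n",
    b"a004 NOOP\r\n",
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLE):
        print(f"line {idx}: {', '.join(why)}")
```

Run it over reassembled client-to-server lines from a proxy or packet capture taken before authentication completes; a hit is a signal for review, not proof of exploitation.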

Resolution

Install the IMail Server 8.02 Patch.

References

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=243&type=vulnerabilities

Limitations

Exploit works against Ipswitch Collaboration Suite 2.0.

Platforms

Windows 2000
Windows XP