ID

VAR-200512-0015


CVE

CVE-2005-2923


TITLE

Ipswitch IMail IMAP LIST Command Remote Denial of Service Vulnerability

Trust: 0.6

sources: CNNVD: CNNVD-200512-106

DESCRIPTION

The IMAP server in IMail Server 8.20 in Ipswitch Collaboration Suite (ICS) before 2.02 allows remote attackers to cause a denial of service (crash) via a long argument to the LIST command, which causes IMail Server to reference invalid memory. Successful exploitation will cause the affected server to crash, effectively denying service to legitimate users. Ipswitch IMail Server is a mail server from the American company Ipswitch that runs on the Microsoft Windows operating system.

Ipswitch IMail IMAP List Command DoS Vulnerability

iDEFENSE Security Advisory 12.06.05
www.idefense.com/application/poi/display?id=347&type=vulnerabilities
December 6, 2005

I. BACKGROUND

Ipswitch Imail Server is an email server that is part of the IpSwitch Collaboration suite. Imail supports POP3, SMTP, IMAP and web based email access. More information can be located on the vendor's site at: http://www.ipswitch.com/Products/collaboration/index.html

II. The problem specifically exists in handling long arguments to the LIST command. When a LIST command of approximately 8000 bytes is supplied, internal string parsing routines can be manipulated in such a way as to reference non-allocated sections of memory. This parsing error results in an unhandled access violation, forcing the daemon to exit.

III. The LIST command is only available post authentication and therefore valid credentials are required to exploit this vulnerability.

IV. DETECTION

iDEFENSE has confirmed the existence of this vulnerability in Ipswitch IMail 8.2.

V. WORKAROUND

As this vulnerability is exploited after authentication occurs, ensuring that only trusted users have accounts can mitigate the risk somewhat. As a more effective workaround, consider limiting access to the IMAP server by filtering TCP port 143. If possible, consider disabling IMAP and forcing users to use POP3.

VI. VENDOR RESPONSE

Ipswitch Collaboration Suite 2.02 has been released to address this issue and is available for download at: http://www.ipswitch.com/support/ics/updates/ics202.asp

IMail Server 8.22 Patch has been released to address this issue and is available for download at: http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2005-2923 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

09/08/2005 Initial vendor notification
09/13/2005 Initial vendor response
10/06/2005 Coordinated public disclosure

IX. CREDIT

Sebastian Apelt is credited with discovering this vulnerability.

X. LEGAL NOTICES

Copyright © 2005 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

1) A format string error exists in the SMTPD32 service when parsing arguments supplied to the "expn", "mail", "mail from", and "rcpt to" commands. This can be exploited to execute arbitrary code via specially crafted arguments sent to the affected commands.

The vulnerabilities have been reported in IMail Server version 8.20. Other versions prior to 8.22 may also be affected.

SOLUTION: Update to the fixed versions.
http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp

Ipswitch Collaboration Suite 2.0: Update to version 2.02.
http://www.ipswitch.com/support/ics/updates/ics202.asp

PROVIDED AND/OR DISCOVERED BY:
1) Nico
2) Sebastian Apelt

ORIGINAL ADVISORY:
http://www.idefense.com/application/poi/display?id=346&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=347&type=vulnerabilities

Trust: 1.44

sources: NVD: CVE-2005-2923 // BID: 15753 // VULHUB: VHN-14132 // PACKETSTORM: 42191 // PACKETSTORM: 42134

AFFECTED PRODUCTS

vendor: ipswitch // model: collaboration suite // scope: eq // version: 2.01

Trust: 1.9

vendor: ipswitch // model: collaboration suite // scope: eq // version: 2.0

Trust: 1.6

vendor: ipswitch // model: imail server // scope: eq // version: 8.20

Trust: 1.6

vendor: ipswitch // model: collaboration suite // scope: - // version: -

Trust: 0.3

vendor: ipswitch // model: imail // scope: eq // version: 8.20

Trust: 0.3

vendor: ipswitch // model: imail // scope: eq // version: 8.2

Trust: 0.3

vendor: ipswitch // model: collaboration suite // scope: ne // version: 2.02

Trust: 0.3

vendor: ipswitch // model: imail // scope: ne // version: 8.22

Trust: 0.3

vendor: ipswitch // model: imail hotfix // scope: ne // version: 8.22

Trust: 0.3

sources: BID: 15753 // CNNVD: CNNVD-200512-106 // NVD: CVE-2005-2923

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2005-2923
value: MEDIUM

Trust: 1.0

CNNVD: CNNVD-200512-106
value: MEDIUM

Trust: 0.6

VULHUB: VHN-14132
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2005-2923
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.0

VULHUB: VHN-14132
severity: MEDIUM
baseScore: 4.0
vectorString: AV:N/AC:L/AU:S/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 8.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-14132 // CNNVD: CNNVD-200512-106 // NVD: CVE-2005-2923

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.1

sources: VULHUB: VHN-14132 // NVD: CVE-2005-2923

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 42191 // CNNVD: CNNVD-200512-106

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-200512-106

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-14132

EXTERNAL IDS

db: NVD // id: CVE-2005-2923

Trust: 2.1

db: BID // id: 15753

Trust: 2.0

db: SECUNIA // id: 17863

Trust: 1.8

db: SECTRACK // id: 1015318

Trust: 1.7

db: VUPEN // id: ADV-2005-2782

Trust: 1.7

db: CNNVD // id: CNNVD-200512-106

Trust: 0.7

db: IDEFENSE // id: 20051206 IPSWITCH IMAIL IMAP LIST COMMAND DOS VULNERABILITY

Trust: 0.6

db: PACKETSTORM // id: 42191

Trust: 0.2

db: VULHUB // id: VHN-14132

Trust: 0.1

db: PACKETSTORM // id: 42134

Trust: 0.1

sources: VULHUB: VHN-14132 // BID: 15753 // PACKETSTORM: 42191 // PACKETSTORM: 42134 // CNNVD: CNNVD-200512-106 // NVD: CVE-2005-2923

REFERENCES

url:http://www.idefense.com/application/poi/display?id=347&type=vulnerabilities

Trust: 1.8

url:http://www.securityfocus.com/bid/15753

Trust: 1.7

url:http://securitytracker.com/id?1015318

Trust: 1.7

url:http://secunia.com/advisories/17863

Trust: 1.7

url:http://www.vupen.com/english/advisories/2005/2782

Trust: 1.1

url:http://www.frsirt.com/english/advisories/2005/2782

Trust: 0.6

url:http://www.idefense.com/intelligence/vulnerabilities/display.php?type=vulnerabilities&id=347

Trust: 0.3

url:http://www.ipswitch.com/products/imail_server/index.asp

Trust: 0.3

url:http://www.ipswitch.com/support/ics/updates/ics202.asp

Trust: 0.2

url:http://www.ipswitch.com/support/imail/releases/imail_professional/im822.asp

Trust: 0.2

url:http://www.idefense.com/application/poi/display?id=347&type=vulnerabilities

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2005-2923

Trust: 0.1

url:http://www.idefense.com/poi/teams/vcp.jsp

Trust: 0.1

url:http://secunia.com/

Trust: 0.1

url:http://www.ipswitch.com/products/collaboration/index.html

Trust: 0.1

url:http://cve.mitre.org

Trust: 0.1

url:http://lists.grok.org.uk/full-disclosure-charter.html

Trust: 0.1

url:http://labs.idefense.com

Trust: 0.1

url:http://www.idefense.com/application/poi/display?id=346&type=vulnerabilities

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/product/3048/

Trust: 0.1

url:http://secunia.com/advisories/17863/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/product/5167/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

sources: VULHUB: VHN-14132 // BID: 15753 // PACKETSTORM: 42191 // PACKETSTORM: 42134 // CNNVD: CNNVD-200512-106 // NVD: CVE-2005-2923

CREDITS

Sebastian Apelt

Trust: 0.6

sources: CNNVD: CNNVD-200512-106

SOURCES

db: VULHUB // id: VHN-14132
db: BID // id: 15753
db: PACKETSTORM // id: 42191
db: PACKETSTORM // id: 42134
db: CNNVD // id: CNNVD-200512-106
db: NVD // id: CVE-2005-2923

LAST UPDATE DATE

2024-08-14T13:50:57.023000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-14132 // date: 2011-03-08T00:00:00
db: BID // id: 15753 // date: 2009-07-12T17:56:00
db: CNNVD // id: CNNVD-200512-106 // date: 2005-12-07T00:00:00
db: NVD // id: CVE-2005-2923 // date: 2011-03-08T02:25:17.627

SOURCES RELEASE DATE

db: VULHUB // id: VHN-14132 // date: 2005-12-07T00:00:00
db: BID // id: 15753 // date: 2005-12-06T00:00:00
db: PACKETSTORM // id: 42191 // date: 2005-12-09T16:47:24
db: PACKETSTORM // id: 42134 // date: 2005-12-07T17:36:35
db: CNNVD // id: CNNVD-200512-106 // date: 2005-12-06T00:00:00
db: NVD // id: CVE-2005-2923 // date: 2005-12-07T01:03:00