IMail vulnerabilities

Updated 8/6/02
CVE 2001-0039
CVE 2001-0494
CAN 2001-1281
CAN 2001-1282
CAN 2001-1283
CAN 2001-1284
CAN 2001-1285
CAN 2001-1286
CAN 2001-1287
CVE 2002-0777
CVE 2002-1076

Impact

A remote attacker could execute arbitrary commands with SYSTEM privileges, gain information about the server's directory structure, hijack mail sessions, predict session IDs, or cause IMail to stop responding, thus denying access to e-mail service and the web interface. A user with an account on the server could gain access to other users' mailboxes.

Background

IMail is an e-mail package which runs on Windows systems. It provides SMTP, IMAP, and POP services, a web interface, a web calendaring service, and other services.

The Problems


GET buffer overflow in web messaging

8/6/02
CVE 2002-1076
A buffer overflow in the processing of GET requests by the IMail web messaging service could allow a remote attacker to crash the service or execute arbitrary commands. IMail prior to 7.12 is affected by this vulnerability.


LDAP Buffer Overflow

5/28/02
CVE 2002-0777
Due to a buffer overflow condition in the LDAP service that comes with IMail, a remote attacker could execute arbitrary commands with SYSTEM privileges by specifying a long, specially crafted argument to the bind DN parameter. IMail versions 7.1 and earlier are affected by this vulnerability.


Multiple vulnerabilities in web messaging

10/25/01
CAN 2001-1281
CAN 2001-1282
CAN 2001-1283
CAN 2001-1284
CAN 2001-1285
CAN 2001-1286
Multiple vulnerabilities in IMail's web messaging component could allow a remote attacker to hijack e-mail sessions, gain information about the server's directory structure, predict session IDs, or cause the web interface to become unresponsive. Users with an account on the server could gain access to other users' mailboxes or change other users' account information. IMail 7.04 and possibly earlier versions are affected by these vulnerabilities.


Buffer overflow in Web Calendaring

10/25/01
CAN 2001-1287
A buffer overflow in IMail's Web Calendaring component could allow a remote attacker to execute arbitrary commands with SYSTEM privileges or cause the calendaring service to become unresponsive. IMail 7.04 and possibly earlier versions are affected by this vulnerability.


Mailing list buffer overflow

5/4/01
CVE 2001-0494
Due to a buffer overflow condition in the handling of mailing lists, it is possible to execute arbitrary commands by sending a message with a long, specially crafted string in the header to a valid mailing list on the server. IMail versions 6.06 and earlier are affected by this vulnerability if unpatched.


SMTP AUTH vulnerability

CVE 2001-0039
A remote attacker could crash the IMail server by supplying a password between 80 and 136 characters in length with the SMTP AUTH command. A string longer than 136 characters makes the server respond with an error message but does not cause it to crash. IMail 6.05 and possibly earlier versions are affected by this vulnerability unless the patch for IMail 6.05 has been applied.

Resolution

Upgrade to IMail 7.12 or any higher version. Also, ensure that the "Ignore Source Address in Security Check" option is not checked.

Where can I read more about this?

The GET buffer overflow was posted to Bugtraq. The problems in web messaging and calendaring were reported in Defcom Labs Advisory 2001-29, ntsecurity.nu advisory 16, and Bugtraq. The buffer overflow in the handling of mailing lists was reported in eEye advisory AD20010424. The SMTP AUTH vulnerability was posted to Bugtraq. The LDAP buffer overflow was reported in Bugtraq.