X-Mail Vulnerabilities
Created 2/21/01
CAN 2001-0192
Impact
A buffer overflow in XMail could allow
a remote user with a valid e-mail account on the system
to execute arbitrary commands.
Background
X-Mail is a full-featured
mail server which runs on Unix and Windows NT. It supports
the SMTP, POP3, and
finger protocols.
X-Mail comes with a tool called the CTRL Server
which can be used for administration of the mail server.
The CTRL Server runs on port 6017 by default.
The Problem
The CTRL Server which comes with X-Mail 0.67 and earlier
versions contain a buffer overflow condition. This
condition could be exploited to execute arbitrary
commands on the server.
A valid user name and password are required in order
to exploit this vulnerability, but in many cases an attacker
would be able to gain this information using a brute-force
attack.
Resolution
Upgrade to version 0.68 or higher
when it becomes available.
Where can I read more about this?
For more information, see the posting to
Bugtraq.