Re: [VulnWatch] Buffer Overflow Vulnerability Found in MailMax Version 5

From: Mark Litchfield (mark@ngssoftware.com)
Date: Fri Apr 11 2003 - 18:01:29 EDT


Hi All,

I had also reported a buffer overrun within MailMax Version 5 through their
web site, but in a different area; it is worth adding here that no response
from the vendor was received. (I will need to check to see if it is still
vulnerable.) The overrun discussed below IS remotely exploitable rather
than simply being a Denial of Service. By appending a longer string length
we can actually overwrite the exception handler on the stack, allowing a
system compromise with code execution running as SYSTEM.

Regards

Mark

----- Original Message -----
From: "Dennis Rand" <der@infowarfare.dk>
To: "Vulnwatch@Vulnwatch. Org" <vulnwatch@vulnwatch.org>;
"Bugs@Securitytracker. Com" <bugs@securitytracker.com>; "News@Securiteam.
Com" <news@securiteam.com>; "Vuln@Secunia. Dk" <vuln@secunia.dk>
Sent: Friday, April 11, 2003 4:21 AM
Subject: [VulnWatch] Buffer Overflow Vulnerability Found in MailMax Version 5

                       Buffer Overflow Vulnerability
                         Found in MailMax Version 5
                           http://www.smartmax.com

                          Discovered by Dennis Rand
                             www.Infowarfare.dk
------------------------------------------------------------------------

-----[SUMMARY
This is a scalable e-mail server that supports the SMTP, IMAP4 and POP3
protocols.
Its TCP/IP GUI allows server administration from any Internet-connected
server.
The Web Admin module allows you to define domain administrators so they can
maintain their own accounts. It also provides anti-spamming options.

The problem is a Buffer Overflow in the IMAP4 protocol, within the
IMAP4rev1 SmartMax IMAPMax 5, causing the service to stop responding.

-----[AFFECTED SYSTEMS
Vulnerable systems:
 * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.6 and 5.0.10.7)

Immune systems:
 * IMAP4rev1 SmartMax IMAPMax 5 (5.0.10.8)
 * IMAP4rev1 SmartMax IMAPMax 5.5

-----[SEVERITY
Medium - An attacker is able to cause a DoS attack on the IMAP protocol,
         but it has no effect on the rest of the system.

-----[DESCRIPTION OF WHAT THE VULNERABILITY IS
The vulnerability is a buffer overflow in the IMAP4rev1 SmartMax IMAPMax 5,
triggered when a malicious attacker sends a large amount of data into the
password field in the login procedure.

The following transcript demonstrates a sample exploitation of the
vulnerability:
----------------------------- [Transcript] -----------------------------
nc 127.0.0.1 143
* OK IMAP4rev1 SmartMax IMAPMax 5 Ready
0000 CAPABILITY
* CAPABILITY IMAP4rev1
0000 OK CAPABILITY completed
0001 LOGIN "mail@mail.com" "A..[50] ..A"
0001 NO Invalid user name or password.
0001 NO Invalid user name or password.

----------------------------- [Transcript] -----------------------------

When this attack is used, a message box will pop up on the server with the text
"Buffer overrun detected! - Program: <PATH>\IMAPMax.exe". At this time the
service shuts down and has to be restarted manually from the service manager.

-----[DETECTION
IMAP4rev1 SmartMax IMAPMax 5 is vulnerable to the above-described attacks.
Earlier versions may be susceptible as well. To determine if a specific
implementation is vulnerable, experiment by following the above transcript.

-----[WORK AROUNDS
* With this vulnerable version of IMAP, the only workaround is to disable the
  IMAP4rev1 SmartMax IMAPMax 5 service; there are no workarounds in the
  configuration.

* SmartMax has released a patched version of IMAPMax.exe, version 5.0.10.8,
  which corrects the problem. It can be downloaded at
  ftp://ftp.smartmax.com/updates/MailMax 5.0/Files/
  Remember to ensure that the file version is 5.0.10.8 or higher.

* Update your MailMax Version 5 to the released version 5.5

-----[VENDOR RESPONSE
Thank you for the buffer overrun security notification in our
ImapMax module for MailMax 5. I'm enclosing an updated IMAPMAX
which fixes the buffer overflow vulnerability. We'll be posting
this in our MailMax 5.5 update next week.
Regards,
Eric Weber

-----[DISCLOSURE TIMELINE
25/03/2003 Found the Vulnerability, and made an analysis.
27/03/2003 Reported to Vendor (sales@smartmax.com, features@smartmax.com,
support@smartmax.com).
27/03/2003 Vendor reply; they now know of the vulnerability.
27/03/2003 Vendor sent a patch (version 5.0.10.7) of IMAPMax.exe which still
contains the vulnerability.
27/03/2003 Received version 5.0.10.8 from Vendor.
27/03/2003 Tested version 5.0.10.8 from vendor, and this version is not
vulnerable.
27/03/2003 Fix made public.
11/04/2003 Public Disclosure.

-----[ADDITIONAL INFORMATION
The vulnerability was discovered and reported by Dennis Rand
<der@infowarfare.dk>.

-----[DISCLAIMER
The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever, including
direct, indirect, incidental, consequential, loss of business profits or
special damages.
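As an added detection example (not part of the original advisory or of the MailMax product), the following Python parses client-side IMAP LOGIN lines like the one in the transcript above and flags login attempts whose password argument is abnormally long, which is the traffic a defender would want to alert on for unpatched 5.0.10.6/5.0.10.7 hosts. The sample session lines are constructed, and the 32-character default threshold is an assumed local policy value, not a limit documented by the vendor.

```python
import re
from typing import Optional

# Constructed sample of client-side IMAP session lines, modelled on the
# advisory's transcript; the oversized passwords are generated here.
SAMPLE_SESSION = [
    '0000 CAPABILITY',
    '0001 LOGIN "mail@mail.com" "secret"',
    '0002 LOGIN "mail@mail.com" "' + 'A' * 50 + '"',   # the advisory's case
    '0003 LOGIN mail@mail.com ' + 'B' * 200,           # unquoted atom form
]

# One IMAP LOGIN argument: a quoted string (with backslash escapes) or a bare atom.
_ARG = r'(?:"((?:[^"\\]|\\.)*)"|(\S+))'
_LOGIN_RE = re.compile(r'^(\S+)\s+LOGIN\s+' + _ARG + r'\s+' + _ARG + r'\s*$',
                       re.IGNORECASE)

def parse_login(line: str) -> Optional[dict]:
    """Return tag, user and password length for a LOGIN command, else None."""
    m = _LOGIN_RE.match(line.strip())
    if not m:
        return None
    tag, quoted_user, atom_user, quoted_pw, atom_pw = m.groups()
    user = quoted_user if quoted_user is not None else atom_user
    password = quoted_pw if quoted_pw is not None else atom_pw
    # The raw (still-escaped) length is sufficient for anomaly detection.
    return {"tag": tag, "user": user, "password_len": len(password)}

def find_oversized_logins(lines, max_password_len: int = 32):
    """Flag LOGIN attempts whose password exceeds max_password_len.

    The threshold is an assumed local policy value (not vendor-documented);
    the advisory only shows that 50 characters crash 5.0.10.6 and 5.0.10.7.
    """
    findings = []
    for lineno, line in enumerate(lines, start=1):
        info = parse_login(line)
        if info is not None and info["password_len"] > max_password_len:
            findings.append((lineno, info["tag"], info["user"], info["password_len"]))
    return findings

if __name__ == "__main__":
    for lineno, tag, user, plen in find_oversized_logins(SAMPLE_SESSION):
        print(f"line {lineno}: tag {tag} user {user!r} password length {plen}")
```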