IMail POP Server Denial of Service
Reported November 8, 1999 by Shok
VERSIONS AFFECTED
  • IMail v5.05, 5.06, 5.07

DESCRIPTION

Due to improper bounds checking in Ipswitch's IMail POP3 server, a buffer overflow occurs when a lengthy username is sent (via "USER <large username>"), where the length of <large username> is between 200 and 500 characters. This has been tested on versions 5.07, 5.05, and 5.06. According to Interrupt, it appears to be a DoS (denial of service) attack, but there has been no further testing to determine if it can be exploited to gain higher privileges.
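
The kind of bounds check whose absence is described above, as an added example for a generic POP3 USER handler (not IMail's code and not part of the original advisory). The function name, return codes and the 40-character limit (the per-argument maximum in RFC 1939) are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy limit: RFC 1939 allows each POP3 argument up to 40 characters. */
#define POP3_ARG_MAX 40

enum { USER_OK = 0, USER_NOT_USER = -1, USER_EMPTY = -2,
       USER_TOO_LONG = -3, USER_BAD_CHAR = -4 };

/* Validate one received command line and copy the mailbox name into out.
 * The length is checked against both the protocol limit and the real
 * destination size before any byte is copied. */
int parse_user_command(const char *line, size_t len, char *out, size_t out_size)
{
    static const char verb[] = "USER ";
    size_t i, arg_len;

    while (len > 0 && (line[len - 1] == '\r' || line[len - 1] == '\n'))
        len--;                                   /* drop the trailing CRLF */
    if (len < 5)
        return USER_NOT_USER;
    for (i = 0; i < 5; i++)                      /* keyword is case-insensitive */
        if (toupper((unsigned char)line[i]) != verb[i])
            return USER_NOT_USER;
    arg_len = len - 5;
    if (arg_len == 0)
        return USER_EMPTY;
    if (arg_len > POP3_ARG_MAX || arg_len >= out_size)
        return USER_TOO_LONG;                    /* reject, never truncate or overflow */
    for (i = 0; i < arg_len; i++) {
        unsigned char c = (unsigned char)line[5 + i];
        if (c <= 0x20 || c >= 0x7f)
            return USER_BAD_CHAR;                /* printable ASCII only, no spaces */
    }
    memcpy(out, line + 5, arg_len);
    out[arg_len] = '\0';
    return USER_OK;
}

int main(void)
{
    char name[POP3_ARG_MAX + 1];
    const char ok[] = "USER alice\r\n";          /* constructed sample input */
    int rc = parse_user_command(ok, sizeof ok - 1, name, sizeof name);
    printf("rc=%d name=%s\n", rc, rc == USER_OK ? name : "(rejected)");
    return 0;
}
```

A server using a check like this answers an over-length USER argument with an error response and leaves its buffers untouched.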

DEMONSTRATION

View a copy of the exploit code.

VENDOR RESPONSE

Ipswitch has patched the vulnerability and the latest version can be downloaded from:

ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/imail508.exe

If you are unable to install the patch, a temporary workaround is to set the IMail monitor to 10 seconds, which guarantees a quick refresh period.

CREDITS


Reported by Shok
Posted here at NTSecurity.NET on November 8, 1999