

[NT] Buffer Overflow in Ipswitch Collaboration Suite (IMAP EXAMINE Command)


From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 13 Mar 2005 19:11:43 +0200
Subject: [NT] Buffer Overflow in Ipswitch Collaboration Suite (IMAP EXAMINE Command)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050313181108.8A89657E5@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  Buffer Overflow in Ipswitch Collaboration Suite (IMAP EXAMINE Command)


SUMMARY

Ipswitch Collaboration Suite (ICS) <http://www.ipswitch.com/> is a 
comprehensive communication and collaboration solution for small and 
medium sized businesses, schools and service providers.

Exploitation of a remote buffer overflow within the IMAP daemon of 
Ipswitch Collaboration Suite allows attackers to execute arbitrary code 
with administrator privileges.

DETAILS

Vulnerable Systems:
 * Ipswitch IMail Server 8.15 (12.8.27.14)

Immune Systems:
 * Ipswitch IMail Server 8.15 Hotfix 1

The vulnerability exists due to insufficient handling of overly long 
arguments passed to the EXAMINE handler function. The EXAMINE command is 
used to select a mailbox so that messages within the mailbox may be 
accessed with read-only privileges. EXAMINE requests with malformed 
mailbox names of 259 bytes will overwrite the saved stack frame pointer, 
potentially giving an attacker control of process execution. Note that 
IMAP appends a '/' character to the supplied mailbox name, so the most 
significant byte of the frame pointer will be 0x2e. The output below shows 
successful control of the frame pointer.

Proof of Concept:
(668.f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

eax=00000006 ebx=008943b0 ecx=42424242
edx=00c8fad4 esi=008943b0 edi=00000013
eip=0078626d esp=00c9fd20 ebp=2e434343
iopl=0 nv up ei pl zr na po nc
cs=001b ss=0023 ds=0023 es=0023
fs=0038 gs=0000 efl=00000246
0078626d ?? ???

A frame pointer overwrite allows an attacker to redirect program flow when 
the current function returns. Note that the IMAP EXAMINE command is only 
available after successful authentication.
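
A defender-side check for the condition described above, as an added example that is not part of the original advisory: it scans client-to-server IMAP lines for EXAMINE commands whose mailbox argument reaches the 259-byte length the advisory cites. The function names, the sample traffic and the use of 259 as the alert threshold are assumptions of this example.

```python
import re

# Assumption: alert at the 259-byte length named in the advisory; lower it to
# match your own mailbox naming policy.
ALERT_AT = 259

# "tag SP EXAMINE SP argument"; IMAP command names are case-insensitive.
_CMD = re.compile(rb'^(\S+) +EXAMINE +(.*)$', re.IGNORECASE | re.DOTALL)
# Literal announcement "{n}" (or non-synchronizing "{n+}"): name follows later.
_LITERAL = re.compile(rb'^\{(\d+)\+?\}$')


def mailbox_length(arg: bytes) -> int:
    """Byte length of an EXAMINE mailbox argument (atom, quoted or literal)."""
    arg = arg.rstrip(b'\r\n')
    m = _LITERAL.match(arg)
    if m:
        # The name arrives in a later chunk; the announced size is enough.
        return int(m.group(1))
    if arg.startswith(b'"'):
        # Quoted string: strip the quotes and undo backslash escapes.
        closed = len(arg) >= 2 and arg.endswith(b'"')
        body = arg[1:-1] if closed else arg[1:]
        return len(re.sub(rb'\\(.)', rb'\1', body))
    return len(arg)


def scan(lines):
    """Return [(tag, length)] for EXAMINE commands at or above ALERT_AT."""
    hits = []
    for line in lines:
        m = _CMD.match(line)
        if m and mailbox_length(m.group(2)) >= ALERT_AT:
            hits.append((m.group(1).decode('ascii', 'replace'),
                         mailbox_length(m.group(2))))
    return hits


# Constructed sample lines for the example, not captured from a real server.
SAMPLE = [
    b'a001 LOGIN user pass\r\n',
    b'a002 EXAMINE INBOX\r\n',
    b'a003 examine "' + b'A' * 300 + b'"\r\n',
    b'a004 EXAMINE {259}\r\n',
]

if __name__ == '__main__':
    for tag, n in scan(SAMPLE):
        print(f'oversized EXAMINE mailbox: tag={tag} bytes={n}')
```
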

Vendor Status:
This vulnerability is addressed in IMail Server 8.15 Hotfix 1 (February 3, 
2005), which is available for download at:  
ftp://ftp.ipswitch.com/Ipswitch/Product_Support/IMail/IM815HF1.exe

Disclosure Timeline:
03/02/2005 - Initial vendor notification
03/08/2005 - Initial vendor response
03/10/2005 - Public disclosure


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:idlabs-advisories@idefense.com.> iDEFENSE.
The original article can be found at:  
http://www.idefense.com/application/poi/display?id=216&type=vulnerabilities&flashstatus=true





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
